
Analysis Report SecuriteInfo.com.Variant.MSILHeracles.17940.23513.15553

Overview

General Information

Sample Name:SecuriteInfo.com.Variant.MSILHeracles.17940.23513.15553 (renamed file extension from 15553 to exe)
Analysis ID:433227
MD5:95201005885c91db292adaae627a5d57
SHA1:d172e70ecb7f3206bcd34d7d5b51be54d9bdc350
SHA256:73f2e9b534cff49f248d0d3469902ac7c3150da888786e5cde16a935ce4ce0c2
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla (two rules: JoeSecurity_AgentTesla_1 and JoeSecurity_AgentTesla_2)
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • NXLun.exe (PID: 4712 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 4128 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "operations@priserveinfra.comoppipl121019mail.priserveinfra.com"}

The extractor emits the SMTP username, password and server as one unseparated string. Read from both ends, it is the mailbox operations@priserveinfra.com and the server mail.priserveinfra.com (the host the sample resolved and connected to on TCP/587 in the network entries below); the remaining middle portion is the SMTP password.

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(8 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
2.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(3 further entries not shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe' , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, ParentProcessId: 6136, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5636
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe' , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, ParentProcessId: 6136, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5636
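Both Sigma hits key on the same event: RegSvcs.exe, a .NET Framework utility that normally receives an assembly path, was started with an empty command line by an executable in the user's Desktop folder (parent PID 6136, child PID 5636). The block below is an added example, not part of the Joe Sandbox report or of the Sigma rules it cites, that encodes that logic in plain Python over process-creation records. The first record is constructed from the values shown above, the other two are constructed (a benign build-tool use and the conhost.exe start from the process tree). The parent-path test is this example's own narrowing of the juju4 rule, which on its own fires on any RegSvcs.exe start.

```python
"""Added example (not from the report): RegSvcs.exe / RegAsm.exe start
without an assembly argument, plus a user-writable-parent check.

Records are constructed; ProcEvent, evaluate() and scan() are this
example's own names, not fields of any real telemetry product.
"""
from dataclasses import dataclass
import ntpath

# .NET utilities that take an assembly path; an argument-less start has
# no legitimate purpose and is the classic process-hollowing host.
LOLBIN_NO_ARG = {"regsvcs.exe", "regasm.exe", "installutil.exe"}

# Parent images under these prefixes are user-controlled; a build tool or
# installer under Program Files would not match.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    image: str
    command_line: str
    parent_image: str
    pid: int
    ppid: int


def _args_after_image(cmdline, image):
    """Return whatever follows the image path in the command line."""
    cl = cmdline.strip()
    if cl[:1] in ('"', "'"):                      # quoted image path
        end = cl.find(cl[0], 1)
        return cl[end + 1:].strip() if end != -1 else ""
    if cl.lower().startswith(image.lower()):      # unquoted, possibly with spaces
        return cl[len(image):].strip()
    parts = cl.split(None, 1)                     # fallback: first token is the image
    return parts[1].strip() if len(parts) > 1 else ""


def evaluate(ev):
    """Return the list of rule names the event triggers (empty if none)."""
    findings = []
    if ntpath.basename(ev.image).lower() not in LOLBIN_NO_ARG:
        return findings
    if _args_after_image(ev.command_line, ev.image) == "":
        findings.append("suspicious_process_start_without_dll")
    if ev.parent_image.lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append("possible_applocker_bypass_from_user_writable_parent")
    return findings


def scan(events):
    """Map pid -> findings for every event that triggered at least one rule."""
    out = {}
    for ev in events:
        f = evaluate(ev)
        if f:
            out[ev.pid] = f
    return out


EVENTS = [
    # 1. Built from the Sigma data above: no arguments, parent on the Desktop.
    ProcEvent(
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        command_line=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        parent_image=r"C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe",
        pid=5636, ppid=6136),
    # 2. Constructed benign use: a build tool registering a component.
    ProcEvent(
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\build\MyComponent.dll',
        parent_image=r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe",
        pid=4100, ppid=4000),
    # 3. From the process tree above: conhost.exe is not a watched image.
    ProcEvent(
        image=r"C:\Windows\System32\conhost.exe",
        command_line=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
        parent_image=r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe",
        pid=4732, ppid=4712),
]

if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules)
```

Only the first record fires, on both rules. Note that the hollowed child carries the genuine, Microsoft-signed RegSvcs.exe image, so image hashing and signature checks do not help here; the argument-less start and the parent are the signal.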

                      Signature Overview


                      AV Detection:

Found malware configuration
Source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "operations@priserveinfra.comoppipl121019mail.priserveinfra.com"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Virustotal: Detection: 32%
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000007.00000000.260473625.0000000000422000.00000002.00020000.sdmp, NXLun.exe, 00000009.00000002.279694341.0000000000542000.00000002.00020000.sdmp, NXLun.exe.2.dr
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.2.dr
Source: Binary string: EncodingInfo.pdb source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_032325B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_032325A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_03233CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_03233CD0
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 50.31.160.189:587
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 50.31.160.189
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: SERVERCENTRALUS
Source: unknown | DNS traffic detected: queries for: mail.priserveinfra.com
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: http://CvqG2KRIY7VhTa.o
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.464427936.000000000345D000.00000004.00000001.sdmp | String found in binary or memory: http://CvqG2KRIY7VhTa.org
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: http://hcwBaC.com
Source: RegSvcs.exe, 00000002.00000002.464306400.0000000003431000.00000004.00000001.sdmp | String found in binary or memory: http://mail.priserveinfra.com
Source: RegSvcs.exe, 00000002.00000002.464306400.0000000003431000.00000004.00000001.sdmp | String found in binary or memory: http://priserveinfra.com
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/01
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202880593.0000000003391000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202436218.000000000170B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

.NET source code contains very large array initializations
Source: 2.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6A3FE371u002d3CF2u002d4647u002dADA6u002dD886DECE5F9Au007d/u0037EBA0FC9u002d2A76u002d4C74u002d87A9u002d38EEF74E4265.cs | Large array initialization: .cctor: array initializer size 11961
Source: 2.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6A3FE371u002d3CF2u002d4647u002dADA6u002dD886DECE5F9Au007d/u0037EBA0FC9u002d2A76u002d4C74u002d87A9u002d38EEF74E4265.cs | Large array initialization: .cctor: array initializer size 11961
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_01A09A88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_01A0C728
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_01A0B160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_03233278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_03230040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_03230265
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_03230292
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_03230006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AC588
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AD3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AB3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062A80D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062ABB90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AF670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AF468
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AC578
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AE2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AB3B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AC028
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062A0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AC018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062A0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062A80C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062ABED1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062A7B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062A7B12
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062ABB82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AA809
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AA818
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062AF898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_018947A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01893CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_018946B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_018946F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01895490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05C5A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05C50374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05C57D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05C5CF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05C56E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065B555C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BA228
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
PE file contains strange resources
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.206333132.00000000064B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHjggBhArqxUSGQuHOxtoel.exe4 vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000000.195677731.0000000000F1A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEncodingInfo.exe< vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202436218.000000000170B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Binary or memory string: OriginalFilenameEncodingInfo.exe< vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.e40000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.e40000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4732:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Mutant created: \Sessions\1\BaseNamedObjects\HcJtpFXSUxRDGLHOpERU
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4140:120:WilError_01
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
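The Win32_Processor queries here, together with the Win32_BIOS, Win32_BaseBoard and Win32_NetworkAdapter queries listed in the signatures, are the sample's virtual-machine fingerprinting (the AntiVM3 Yara hit). The block below is an added example, not from the report or from the sample, that shows the matching side of such a check as Python over constructed query results: hypervisor vendor strings in BIOS, board and CPU properties, and hypervisor MAC OUIs on network adapters. The marker strings and OUI prefixes are public hypervisor defaults; the two result sets and the function names are constructed so the code runs without WMI.

```python
"""Added example (not from the report): hypervisor fingerprinting over
WMI-shaped data. SANDBOX_WMI and BARE_METAL_WMI are constructed rows."""

# Substrings that appear in default BIOS/board/CPU strings of common hypervisors.
VENDOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "xen", "bochs",
                  "parallels", "kvm", "virtual machine", "hyper-v")

# IEEE OUI prefixes registered to hypervisor vendors (upper-case, colon-separated).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V", "52:54:00": "QEMU/KVM", "00:16:3E": "Xen",
}

WMI_CLASSES_TO_SCAN = ("Win32_BIOS", "Win32_BaseBoard", "Win32_Processor")


def vm_indicators(wmi):
    """Return human-readable reasons the host looks virtual.

    wmi: {"Win32_BIOS": [row, ...], ...}, each row a dict property -> value,
    i.e. the shape a SELECT * FROM <class> query returns.
    """
    hits = []
    for cls in WMI_CLASSES_TO_SCAN:
        for row in wmi.get(cls, []):
            for prop, val in row.items():
                low = str(val).lower()
                for marker in VENDOR_MARKERS:
                    if marker in low:
                        hits.append(f"{cls}.{prop}={val!r} matches {marker!r}")
                        break                      # one hit per property is enough
    for row in wmi.get("Win32_NetworkAdapter", []):
        mac = str(row.get("MACAddress", "")).upper().replace("-", ":")
        oui = mac[:8]
        if oui in VM_MAC_OUIS:
            hits.append(f"Win32_NetworkAdapter.MACAddress={mac} OUI belongs to {VM_MAC_OUIS[oui]}")
    return hits


def looks_virtual(wmi):
    """Decision the malware makes: any indicator means 'analysis box, stop'."""
    return len(vm_indicators(wmi)) > 0


# Constructed: what an unhardened VirtualBox guest reports.
SANDBOX_WMI = {
    "Win32_BIOS": [{"Manufacturer": "innotek GmbH", "SMBIOSBIOSVersion": "VirtualBox", "SerialNumber": "0"}],
    "Win32_BaseBoard": [{"Manufacturer": "Oracle Corporation", "Product": "VirtualBox"}],
    "Win32_Processor": [{"Name": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz", "NumberOfCores": 2}],
    "Win32_NetworkAdapter": [{"Name": "Intel(R) PRO/1000 MT Desktop Adapter", "MACAddress": "08:00:27:4F:1A:2B"}],
}

# Constructed: plausible physical workstation values.
BARE_METAL_WMI = {
    "Win32_BIOS": [{"Manufacturer": "Dell Inc.", "SMBIOSBIOSVersion": "1.14.0", "SerialNumber": "7XK2Q93"}],
    "Win32_BaseBoard": [{"Manufacturer": "Dell Inc.", "Product": "0M6TT9"}],
    "Win32_Processor": [{"Name": "Intel(R) Xeon(R) W-2145 CPU @ 3.70GHz", "NumberOfCores": 8}],
    "Win32_NetworkAdapter": [{"Name": "Intel(R) Ethernet Connection", "MACAddress": "D4:BE:D9:11:22:33"}],
}

if __name__ == "__main__":
    for label, data in (("sandbox", SANDBOX_WMI), ("bare metal", BARE_METAL_WMI)):
        print(label, looks_virtual(data), vm_indicators(data))
```

The VirtualBox rows trip four indicators (BIOS manufacturer, BIOS version, board product, NIC OUI); the workstation rows trip none. Two practical notes: an analysis VM defeats this class of check only by presenting OEM-looking values in every one of these classes and a non-hypervisor MAC, which is why the report's "Queries sensitive BIOS/network adapter/processor information" signatures matter; and the same function run against your own lab image is a quick way to see which fields it leaks. Short markers such as "xen" or "kvm" can collide with random serial numbers on real hardware, so a sandbox builder should treat the result as a score rather than a verdict.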
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts (three reads recorded)
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Virustotal: Detection: 32%
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | ReversingLabs: Detection: 30%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000007.00000000.260473625.0000000000422000.00000002.00020000.sdmp, NXLun.exe, 00000009.00000002.279694341.0000000000542000.00000002.00020000.sdmp, NXLun.exe.2.dr
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.2.dr
Source: Binary string: EncodingInfo.pdb source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.e40000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_03233EFA push esp; ret 0_2_03233F41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062A5622 push es; retf 0_2_062A5650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062A54ED push es; ret 0_2_062A54F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 0_2_062A58BE push es; retf 0_2_062A5934
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05C54666 push 8AE8CF8Bh; iretd 2_2_05C5466B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05C52B21 push 83085F8Bh; ret 2_2_05C52B26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05C52A21 push 83085F8Bh; ret 2_2_05C52A26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065B66C8 push cs; iretd 2_2_065B66CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BA7E8 push esi; iretd 2_2_065BA7EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065B8490 push eax; iretd 2_2_065B8491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065B6480 push cs; iretd 2_2_065B6482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BA21B push ebx; iretd 2_2_065BA222
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BA008 push edx; iretd 2_2_065BA00A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BA141 push edx; iretd 2_2_065BA142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BA173 push edx; iretd 2_2_065BA17A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065B9FB0 push edx; iretd 2_2_065B9FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065B9C83 push eax; iretd 2_2_065B9C86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065B9C81 push eax; iretd 2_2_065B9C82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065B9C87 push eax; iretd 2_2_065B9C8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BAAB8 push esi; iretd 2_2_065BAABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BAB7F push edi; iretd 2_2_065BAB82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BAB63 push esi; iretd 2_2_065BAB6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BA89B push esi; iretd 2_2_065BA8A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065BA899 push esi; iretd 2_2_065BA89A
Source: initial sample | Static PE information: section name: .text entropy: 7.85141834625
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: '.cctor', 'QcX9xV', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.0.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.e40000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: '.cctor', 'QcX9xV', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe PID: 6136, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7267
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe TID: 5648 | Thread sleep time: -100748s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe TID: 2432 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 5940 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 4360 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Thread delayed: delay time: 100748
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Thread delayed: delay time: 922337203685477
Source: RegSvcs.exe, 00000002.00000002.467260283.0000000006460000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: RegSvcs.exe, 00000002.00000002.467168064.0000000006360000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllws\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WS`
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000002.00000002.467260283.0000000006460000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000002.00000002.467260283.0000000006460000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000002.00000002.467260283.0000000006460000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 00000002.00000002.462793062.0000000001C60000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000002.00000002.462793062.0000000001C60000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000002.00000002.462793062.0000000001C60000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: RegSvcs.exe, 00000002.00000002.462793062.0000000001C60000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe; Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation (6 identical entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File written: C:\Windows\System32\drivers\etc\hosts
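The signature above records that the injected RegSvcs.exe wrote C:\Windows\System32\drivers\etc\hosts, but not what it wrote. The following is an added example, not part of this report: a hosts-file audit that reports every active mapping except the stock localhost entries, separating names sinkholed to loopback or null from names pinned to a fixed address. It strips inline comments and handles several hostnames on one line, which is where naive one-liners go wrong. SAMPLE_HOSTS is constructed and the domains in it are placeholders.

```python
"""Audit a Windows hosts file for attacker-added mappings.

Added example, not part of the report. Every active mapping except the stock
localhost entries is reported: names pointed at loopback/null are "sinkhole"
(typically used to block update or security-vendor domains), anything else is
"redirect". SAMPLE_HOSTS is constructed; its domains are placeholders.
"""
import ipaddress

STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
NULL_ROUTES = {"0.0.0.0", "127.0.0.1", "::1"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
0.0.0.0 av-updates.example
0.0.0.0 telemetry.example   # inline comment must not break parsing
203.0.113.10 update.example.test www.update.example.test
not-an-ip some.host.example
"""


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every active mapping; comments are stripped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: the resolver ignores the line, so we do too
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def audit_hosts(text: str):
    """Return a list of {line, ip, host, kind} for every non-stock mapping."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host in STOCK_NAMES:
            continue
        kind = "sinkhole" if ip in NULL_ROUTES else "redirect"
        findings.append({"line": line_no, "ip": ip, "host": host, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['kind']:9s} {f['host']} -> {f['ip']}")
```

On a live host, feed it `open(r"C:\Windows\System32\drivers\etc\hosts", encoding="utf-8-sig").read()`; any "sinkhole" finding naming an update or AV domain is the thing to look at first.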

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match; File source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match; File source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5636, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe PID: 6136, type: MEMORY
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5636, type: MEMORY
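The four signatures above share one behavioural shape: a single process (RegSvcs.exe, PID 5636) opens the credential stores of a browser, an FTP client, a mail client and WinSCP within seconds of each other. That shape is more durable as a detection than any one path. The following is an added example, not part of this report: detection logic that groups file and registry opens by process, maps each target to a store category using the paths recorded above, and alerts when a process touches three or more unrelated categories inside a short window. The event records are constructed and their field names (ts, pid, image, target) are an assumption, not any product's schema; a legitimate client reads only its own store and stays below the threshold.

```python
"""Detect one process touching several kinds of credential stores in a short window.

Added example, not part of the report. The path fragments are the stores
RegSvcs.exe opened above (browser, FTP client, mail client, WinSCP); the event
records are constructed, and their field names (ts, pid, image, target) are an
assumption rather than any product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CREDENTIAL_STORES = {  # category -> path/key fragments, matched case-insensitively
    "browser": [r"\Mozilla\Firefox\profiles.ini",
                r"\Google\Chrome\User Data\Default\Login Data"],
    "ftp":     [r"\FileZilla\recentservers.xml",
                r"\SmartFTP\Client 2.0\Favorites"],
    "mail":    [r"\Thunderbird\profiles.ini",
                r"\Windows Messaging Subsystem\Profiles\Outlook",
                r"\IncrediMail\Identities"],
    "scp":     [r"\Martin Prikryl\WinSCP 2\Sessions"],
}
WINDOW = timedelta(seconds=30)
MIN_CATEGORIES = 3  # one app reads its own store; three unrelated kinds is a stealer


def categorize(target: str):
    """Map a file path or registry key to a store category, or None."""
    t = target.lower()
    for category, fragments in CREDENTIAL_STORES.items():
        if any(frag.lower() in t for frag in fragments):
            return category
    return None


def detect(events):
    """Return {(pid, image): [categories]} for processes that hit MIN_CATEGORIES
    distinct store kinds inside WINDOW. Events may arrive out of order."""
    touches = defaultdict(list)
    for ev in events:
        category = categorize(ev["target"])
        if category:
            touches[(ev["pid"], ev["image"])].append((datetime.fromisoformat(ev["ts"]), category))
    alerts = {}
    for proc, seq in touches.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):  # slide the window from each touch
            kinds = {c for t, c in seq[i:] if t - start <= WINDOW}
            if len(kinds) >= MIN_CATEGORIES:
                alerts[proc] = sorted(kinds)
                break
    return alerts


SAMPLE_EVENTS = [  # constructed; mirrors the opens recorded for RegSvcs.exe PID 5636
    {"ts": "2021-06-11T13:55:20", "pid": 5636, "image": "RegSvcs.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"ts": "2021-06-11T13:55:21", "pid": 5636, "image": "RegSvcs.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2021-06-11T13:55:22", "pid": 5636, "image": "RegSvcs.exe",
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"ts": "2021-06-11T13:55:23", "pid": 5636, "image": "RegSvcs.exe",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"ts": "2021-06-11T13:55:24", "pid": 5636, "image": "RegSvcs.exe",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    # benign: each client reading only its own store
    {"ts": "2021-06-11T13:50:00", "pid": 4120, "image": "firefox.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"ts": "2021-06-11T13:58:00", "pid": 4420, "image": "thunderbird.exe",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    # two kinds far apart in time stay below the threshold
    {"ts": "2021-06-11T14:10:00", "pid": 7000, "image": "backup.exe",
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"ts": "2021-06-11T14:20:00", "pid": 7000, "image": "backup.exe",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
]


if __name__ == "__main__":
    for (pid, image), kinds in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {image} (pid {pid}) read {len(kinds)} credential-store kinds: {', '.join(kinds)}")
```

The window and threshold are the tunables: widen WINDOW for stealers that pace their reads, and add fragments to CREDENTIAL_STORES as new targets appear in reports like this one. Matching on the injected host image (RegSvcs.exe) rather than the dropped file name is what keeps the rule working across repacks.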

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; File source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match; File source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5636, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe PID: 6136, type: MEMORY
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Numbers following a technique name are Joe Sandbox's signature-count badges for that technique; a cell without a number was not triggered by this sample.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 12 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Disable or Modify Tools 1 | Input Capture 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Security Software Discovery 211 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 13 | LSA Secrets | Virtualization/Sandbox Evasion 131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 131 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 12 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

Screenshots

Thumbnail: windows-stand (the screenshot images themselves are not included in this text rendering of the report)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | 32% | Virustotal | -
SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | Metadefender | -
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | ReversingLabs | -

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
2.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
priserveinfra.com | 1% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/01 | 0% | Virustotal | -
http://r3.i.lencr.org/01 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation (4 identical entries) | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation (4 identical entries) | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation (4 identical entries) | safe
http://r3.o.lencr.org0 | 0% | URL Reputation (4 identical entries) | safe
http://CvqG2KRIY7VhTa.o | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation (3 identical entries) | safe
http://CvqG2KRIY7VhTa.org | 0% | Avira URL Cloud | safe
http://hcwBaC.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation (3 identical entries) | safe
http://mail.priserveinfra.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation (3 identical entries) | safe
http://priserveinfra.com | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Reputation
priserveinfra.com | 50.31.160.189 | true | true | unknown
mail.priserveinfra.com | unknown | unknown | true | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://r3.i.lencr.org/01 | RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | URL Reputation: safe (4 identical entries) | unknown
http://cps.letsencrypt.org0 | RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | false | URL Reputation: safe (4 identical entries) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | URL Reputation: safe (4 identical entries) | unknown
http://r3.o.lencr.org0 | RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | false | URL Reputation: safe (4 identical entries) | unknown
http://CvqG2KRIY7VhTa.o | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | URL Reputation: safe (3 identical entries) | low
http://CvqG2KRIY7VhTa.org | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp; RegSvcs.exe, 00000002.00000002.464427936.000000000345D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://hcwBaC.com | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202880593.0000000003391000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp; RegSvcs.exe, 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (3 identical entries) | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | false | - | high
http://mail.priserveinfra.com | RegSvcs.exe, 00000002.00000002.464306400.0000000003431000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%$ | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://cps.root-x1.letsencrypt.org0 | RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | false | URL Reputation: safe (3 identical entries) | unknown
http://priserveinfra.com | RegSvcs.exe, 00000002.00000002.464306400.0000000003431000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Reading this table: the lencr.org and letsencrypt.org entries are the AIA, OCSP and CPS URLs of a Let's Encrypt certificate chain that the TLS stack left in RegSvcs.exe memory, each with a stray DER byte fused to its end; they are certificate metadata, not destinations the sample requests. http://DynDns.comDynDNS, https://api.ipify.org%GETMozilla/5.0 and the %tordir%%ha variant of the Tor bundle URL are adjacent string-table literals that the string extractor ran together; external-IP lookup via api.ipify.org and an optional Tor download are standard AgentTesla capabilities, consistent with the Yara matches above. The only infrastructure the sample actually contacted is priserveinfra.com and its mail host, listed under Contacted Domains and Contacted IPs.

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
50.31.160.189 | priserveinfra.com | United States | 23352 | SERVERCENTRALUS | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433227
Start date: 11.06.2021
Start time: 13:54:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.15553 (renamed file extension from 15553 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.8% (good quality ratio 0.5%)
• Quality average: 48.6%
• Quality standard deviation: 46%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 121
• Number of non-executed functions: 16
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.147.198.201, 104.43.193.48, 20.82.210.154, 104.76.200.56, 20.54.26.129, 20.50.102.62, 92.122.213.247, 92.122.213.194
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

                            Time | Type | Description
                            13:55:07 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe modified
                            13:55:16 | API Interceptor | 766x Sleep call for process: RegSvcs.exe modified
                            13:55:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                            13:55:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe

                            Joe Sandbox View / Context

                            IPs

                            Match | Associated Sample Name / URL | Detection | Context
                            50.31.160.189 | SecuriteInfo.com.Exploit.Siggen2.12917.8592.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | SecuriteInfo.com.Exploit.Siggen2.12943.15385.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | Doc-20200731-7729500.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | doc_440.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | MES 2020_07_31 9325071.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | arc GNV011047.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | ARC_4895987.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | Rep-OVW91546.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | REP_OKX598.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | FILE-2020_07_31-LY51195.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | REP-2020_07_31-HL73628.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
                            50.31.160.189 | Dat_20200731_ILT3900.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/

                            Domains

                            Match | Associated Sample Name / URL | Detection | Context

                            ASN

                            Match | Associated Sample Name / URL | Detection | Context
                            SERVERCENTRALUS | 619wGDCTZA.exe | malicious | 216.246.112.102
                            SERVERCENTRALUS | Swift Copy.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | Swift Copy.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | Swift Copy.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | PO #4500484210.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | Quotation 2000051165.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | RYJzamn1HwAEPyy.exe | malicious | 50.31.160.189
                            SERVERCENTRALUS | Swift Copy.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | Revised_Order PDF.exe | malicious | 198.38.93.60
                            SERVERCENTRALUS | tB15iC3ImLK3MFX.exe | malicious | 50.31.160.189
                            SERVERCENTRALUS | Bank Details.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | Bank Details.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | tYIAJnu9nz5cOsZ.exe | malicious | 50.31.160.189
                            SERVERCENTRALUS | Bank Details.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | Bank Details.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | upnxIVxCnyXyWyW.exe | malicious | 50.31.160.189
                            SERVERCENTRALUS | 1092991(JB#082).exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | 1092991(JB#082).exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | uDEF0FNW0uvax8f.exe | malicious | 204.93.196.181
                            SERVERCENTRALUS | payment.exe | malicious | 204.93.196.181

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            Match | Associated Sample Name / URL | Detection
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | HT210525 IV Quotation.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Bank_payment information.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | HT210525 IV Quotation.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Proforma Invoice No. 14214.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | KCTC International Ltd.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | NEW PO#70-02110-00739.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | New quote.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Bank payment information.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | MESCO TQZ24 QUOTE.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | SWIFT Msg of USD 78,000.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | OM PHOENIX TRADERS.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | ORDER #2348478.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 1029BA046DF67EE328AD9D21BFD1E6D31C5CEDC4D4EAD.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Quotation 2000051165.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | IMG-20191224-WA0050.jpg.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Note0093746573.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | RYJzamn1HwAEPyy.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 11.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | OM PHOENIX TRADERS.exe | malicious
                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | NEW Quotation.exe | malicious

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
                                                                    Process: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                    File Type: ASCII text, with CRLF line terminators
                                                                    Category: modified
                                                                    Size (bytes): 142
                                                                    Entropy (8bit): 5.090621108356562
                                                                    Encrypted: false
                                                                    SSDEEP: 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                    MD5: 8C0458BB9EA02D50565175E38D577E35
                                                                    SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                    SHA-256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                    SHA-512: 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                    Malicious: false
                                                                    Reputation: moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.log
                                                                    Process: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
                                                                    File Type: ASCII text, with CRLF line terminators
                                                                    Category: dropped
                                                                    Size (bytes): 1314
                                                                    Entropy (8bit): 5.350128552078965
                                                                    Encrypted: false
                                                                    SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                    MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                    SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                    SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                    SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                    Malicious: true
                                                                    Reputation: high, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                    C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                    Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category: dropped
                                                                    Size (bytes): 45152
                                                                    Entropy (8bit): 6.149629800481177
                                                                    Encrypted: false
                                                                    SSDEEP: 768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                    MD5: 2867A3817C9245F7CF518524DFD18F28
                                                                    SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                    SHA-256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                    SHA-512: 7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                    Malicious: true
                                                                    Antivirus:
                                                                    • Antivirus: Metadefender, Detection: 0%
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Joe Sandbox View:
                                                                    • Filename: HT210525 IV Quotation.exe, Detection: malicious
                                                                    • Filename: Bank_payment information.exe, Detection: malicious
                                                                    • Filename: HT210525 IV Quotation.exe, Detection: malicious
                                                                    • Filename: Proforma Invoice No. 14214.exe, Detection: malicious
                                                                    • Filename: KCTC International Ltd.exe, Detection: malicious
                                                                    • Filename: NEW PO#70-02110-00739.exe, Detection: malicious
                                                                    • Filename: New quote.exe, Detection: malicious
                                                                    • Filename: Bank payment information.exe, Detection: malicious
                                                                    • Filename: MESCO TQZ24 QUOTE.exe, Detection: malicious
                                                                    • Filename: SWIFT Msg of USD 78,000.exe, Detection: malicious
                                                                    • Filename: OM PHOENIX TRADERS.exe, Detection: malicious
                                                                    • Filename: ORDER #2348478.exe, Detection: malicious
                                                                    • Filename: 1029BA046DF67EE328AD9D21BFD1E6D31C5CEDC4D4EAD.exe, Detection: malicious
                                                                    • Filename: Quotation 2000051165.exe, Detection: malicious
                                                                    • Filename: IMG-20191224-WA0050.jpg.exe, Detection: malicious
                                                                    • Filename: Note0093746573.exe, Detection: malicious
                                                                    • Filename: RYJzamn1HwAEPyy.exe, Detection: malicious
                                                                    • Filename: 11.exe, Detection: malicious
                                                                    • Filename: OM PHOENIX TRADERS.exe, Detection: malicious
                                                                    • Filename: NEW Quotation.exe, Detection: malicious
                                                                    Reputation: moderate, very likely benign file
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                    C:\Windows\System32\drivers\etc\hosts
                                                                    Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    File Type: ASCII text, with CRLF line terminators
                                                                    Category: modified
                                                                    Size (bytes): 11
                                                                    Entropy (8bit): 2.663532754804255
                                                                    Encrypted: false
                                                                    SSDEEP: 3:iLE:iLE
                                                                    MD5: B24D295C1F84ECBFB566103374FB91C5
                                                                    SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
                                                                    SHA-256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                                    SHA-512: 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                                    Malicious: true
                                                                    Preview: ..127.0.0.1
                                                                    \Device\ConDrv
                                                                    Process: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                    File Type: ASCII text, with CRLF line terminators
                                                                    Category: dropped
                                                                    Size (bytes): 1141
                                                                    Entropy (8bit): 4.44831826838854
                                                                    Encrypted: false
                                                                    SSDEEP: 24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                    MD5: 1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                    SHA1: 804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                    SHA-256: 0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                    SHA-512: 5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                    Malicious: false
                                                                    Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                    Static File Info

                                                                    General

                                                                    File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit): 7.493580728299334
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                    File name: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
                                                                    File size: 930816
                                                                    MD5: 95201005885c91db292adaae627a5d57
                                                                    SHA1: d172e70ecb7f3206bcd34d7d5b51be54d9bdc350
                                                                    SHA256: 73f2e9b534cff49f248d0d3469902ac7c3150da888786e5cde16a935ce4ce0c2
                                                                    SHA512: b571adb6cd73909e7d93311401dd8c96168cae2fba009e063786b7bc87a56e0d1d361ac0b76f2531458c315e354b981b8725fd67f9b33ed5b98fa7cb6a368ca7
                                                                    SSDEEP: 12288:4IiPCg6zYjxAYcfPxu87cSumg7G+pPM0rgpmDKuedZM4e/ZUdtb:4NPC1zSeHXh7cH66PmwDxedNeBUdt
                                                                    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`............................>.... ........@.. ....................................@................................

                                                                    File Icon

                                                                    Icon Hash: 8c8caa8e9692aa00

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint: 0x4ba63e
                                                                    Entrypoint Section: .text
                                                                    Digitally signed: false
                                                                    Imagebase: 0x400000
                                                                    Subsystem: windows gui
                                                                    Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                    DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp: 0x60C2AE0F [Fri Jun 11 00:27:59 2021 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version: v4.0.30319
                                                                    OS Version Major: 4
                                                                    OS Version Minor: 0
                                                                    File Version Major: 4
                                                                    File Version Minor: 0
                                                                    Subsystem Version Major: 4
                                                                    Subsystem Version Minor: 0
                                                                    Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba5f0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x2a388 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xea000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xba5aa | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb8644 | 0xb8800 | False | 0.892889090024 | data | 7.85141834625 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata | 0xbc000 | 0x1e8 | 0x200 | False | 0.861328125 | data | 6.62043448152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xbe000 | 0x2a388 | 0x2a400 | False | 0.124312361317 | data | 4.17146470655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xea000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xbe2b0 | 0x2326 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0xc05d8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0xd0e00 | 0x94a8 | data | |
RT_ICON | 0xda2a8 | 0x5488 | data | |
RT_ICON | 0xdf730 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0xe3958 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xe5f00 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xe6fa8 | 0x988 | data | |
RT_ICON | 0xe7930 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xe7d98 | 0x84 | data | |
RT_VERSION | 0xe7e1c | 0x380 | data | |
RT_MANIFEST | 0xe819c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Paul Harris 2016
Assembly Version | 251.2.0.0
InternalName | EncodingInfo.exe
FileVersion | 251.2.0.0
CompanyName | Paul Harris
LegalTrademarks |
Comments | 1992 Alpine A 610
ProductName | ReloadManager
ProductVersion | 251.2.0.0
FileDescription | ReloadManager
OriginalFilename | EncodingInfo.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 13:56:41.069885969 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:41.213582993 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:41.213800907 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:41.598962069 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:41.599651098 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:41.743532896 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:41.744143963 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:41.909204960 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:41.957829952 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:42.145090103 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:42.202445030 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:42.202506065 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:42.202536106 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:42.202701092 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:42.214478016 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:42.358225107 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:42.359455109 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:42.410959005 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:42.426899910 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:42.573067904 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:42.576642036 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:42.723206997 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:42.724687099 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:42.884005070 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:42.885524035 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:43.029640913 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:43.030524969 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:43.183080912 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:43.183788061 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:43.329449892 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:43.335206985 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:43.335562944 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:43.335767031 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:43.335947037 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189
Jun 11, 2021 13:56:43.482861042 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:43.482903004 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:43.482927084 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:43.483850002 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3
Jun 11, 2021 13:56:43.536024094 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 13:55:02.996490955 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:03.049737930 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:04.526015997 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:04.576266050 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:05.331646919 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:05.384490013 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:06.462455988 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:06.512868881 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:07.763880968 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:07.816826105 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:08.595263004 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:08.646934032 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:10.516655922 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:10.580557108 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:11.311841011 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:11.364803076 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:12.112380981 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:12.165740967 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:13.020163059 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:13.072607994 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:13.947890997 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:13.998404980 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:14.739490986 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:14.789906979 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:15.661520004 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:15.712136984 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:16.598730087 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:16.649163008 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:17.494551897 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:17.545011044 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:18.587670088 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:18.648411036 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:19.456626892 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:19.515012980 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:20.462637901 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:20.513097048 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:34.157301903 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:34.233827114 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:38.511918068 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:38.589154959 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:55:56.298839092 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:55:56.368366003 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:56:11.782270908 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:56:11.852824926 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:56:16.601514101 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:56:16.661097050 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:56:40.678406954 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:56:40.850236893 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:56:40.860426903 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:56:41.040086985 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:56:47.128261089 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:56:47.205463886 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:56:48.744347095 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:56:48.803177118 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 13:56:40.678406954 CEST | 192.168.2.3 | 8.8.8.8 | 0xce81 | Standard query (0) | mail.priserveinfra.com | A (IP address) | IN (0x0001)
Jun 11, 2021 13:56:40.860426903 CEST | 192.168.2.3 | 8.8.8.8 | 0x8b1e | Standard query (0) | mail.priserveinfra.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 13:56:40.850236893 CEST | 8.8.8.8 | 192.168.2.3 | 0xce81 | No error (0) | mail.priserveinfra.com | priserveinfra.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 13:56:40.850236893 CEST | 8.8.8.8 | 192.168.2.3 | 0xce81 | No error (0) | priserveinfra.com | | 50.31.160.189 | A (IP address) | IN (0x0001)
Jun 11, 2021 13:56:41.040086985 CEST | 8.8.8.8 | 192.168.2.3 | 0x8b1e | No error (0) | mail.priserveinfra.com | priserveinfra.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 13:56:41.040086985 CEST | 8.8.8.8 | 192.168.2.3 | 0x8b1e | No error (0) | priserveinfra.com | | 50.31.160.189 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jun 11, 2021 13:56:41.598962069 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3 | 220-metro702.hostmetro.com ESMTP Exim 4.94.2 #2 Fri, 11 Jun 2021 06:56:41 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jun 11, 2021 13:56:41.599651098 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189 | EHLO 936905
Jun 11, 2021 13:56:41.743532896 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3 | 250-metro702.hostmetro.com Hello 936905 [84.17.52.18]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jun 11, 2021 13:56:41.744143963 CEST | 49739 | 587 | 192.168.2.3 | 50.31.160.189 | STARTTLS
Jun 11, 2021 13:56:41.909204960 CEST | 587 | 49739 | 50.31.160.189 | 192.168.2.3 | 220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 13:55:06
Start date: 11/06/2021
Path: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe'
Imagebase: 0xe40000
File size: 930816 bytes
MD5 hash: 95201005885C91DB292ADAAE627A5D57
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 13:55:08
Start date: 11/06/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0xf10000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

                                                                    General

                                                                    Start time:13:55:36
                                                                    Start date:11/06/2021
                                                                    Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                                                                    Imagebase:0x420000
                                                                    File size:45152 bytes
                                                                    MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Antivirus matches:
                                                                    • Detection: 0%, Metadefender, Browse
                                                                    • Detection: 0%, ReversingLabs
                                                                    Reputation:high

                                                                    General

                                                                    Start time:13:55:36
                                                                    Start date:11/06/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6b2800000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:13:55:44
                                                                    Start date:11/06/2021
                                                                    Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                                                                    Imagebase:0x540000
                                                                    File size:45152 bytes
                                                                    MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:high

                                                                    General

                                                                    Start time:13:55:44
                                                                    Start date:11/06/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6b2800000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Disassembly

                                                                    Code Analysis

                                                                      Executed Functions

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 9^Z
                                                                      • API String ID: 0-522345591
                                                                      • Opcode ID: 856fc9ae1ef0adbc42fccc1d2dd52ec76fbbd37526345a59f728bbec46cd13fa
                                                                      • Instruction ID: 2d84564f9ae99a6954e0b05ef41f990771c6ce5c16b7a9bf1413b626a31915ba
                                                                      • Opcode Fuzzy Hash: 856fc9ae1ef0adbc42fccc1d2dd52ec76fbbd37526345a59f728bbec46cd13fa
                                                                      • Instruction Fuzzy Hash: 60D15774D2420ADFCB48CFA5C4858AEFBB2FF88301B14C959D816AB614D774EA42CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Mgr
                                                                      • API String ID: 0-2718747803
                                                                      • Opcode ID: c4946923084c91c1b75c70d6e1412b0d197296252e7b5b4f8e01ffe57ff89382
                                                                      • Instruction ID: 0cbee6898b9ec4a59dfbadf51730f787a0e4b88abe93caa76af94f291171c49a
                                                                      • Opcode Fuzzy Hash: c4946923084c91c1b75c70d6e1412b0d197296252e7b5b4f8e01ffe57ff89382
                                                                      • Instruction Fuzzy Hash: F891E474E10209CFDB48CFEAC9845DEFBB2AF89301F14942AD819BB264D7749941CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Mgr
                                                                      • API String ID: 0-2718747803
                                                                      • Opcode ID: 2b90eab31ec3f675a2a7f84d6304759422bda021588e05db125098e7ef302ac0
                                                                      • Instruction ID: cc7c36307f82dfada5cdad8ef358bb9adf35516cc30245deecfaff628e16e6d0
                                                                      • Opcode Fuzzy Hash: 2b90eab31ec3f675a2a7f84d6304759422bda021588e05db125098e7ef302ac0
                                                                      • Instruction Fuzzy Hash: D491F274E102098FDB48CFEAC9846DEFBB2AF88301F24942AD819BB264D7749941CF54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ?k3
                                                                      • API String ID: 0-3175244103
                                                                      • Opcode ID: b777775014807d2578834bcc87f5fd8d0a80fc45277d6301810205ddb84d096a
                                                                      • Instruction ID: 0eca9a304b3fab5c2b2ab6551c9270b59c1c634c6b0a88616a7dcfa147ff5610
                                                                      • Opcode Fuzzy Hash: b777775014807d2578834bcc87f5fd8d0a80fc45277d6301810205ddb84d096a
                                                                      • Instruction Fuzzy Hash: 199169B1E146698FDB24CF66CC44799BBB2BF8A300F14C5EAC409AB254E7356A85CF11
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d7bc5ef921e6ba77fc4a16ebd560259f394161a156a184e39a048b206a438eaf
                                                                      • Instruction ID: 103a9ef85b942c4801b88decc1e588b8ce5cab9a38c53a9d868d51cbb422da26
                                                                      • Opcode Fuzzy Hash: d7bc5ef921e6ba77fc4a16ebd560259f394161a156a184e39a048b206a438eaf
                                                                      • Instruction Fuzzy Hash: 7D526C71A00619CFCB16CF58D880AAEB7B2FF45314F5584A9E909AB292D771FD85CF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d546d84df53c5d72949e3c6d77a91939fd20c0f4c74402294868da3882262e6f
                                                                      • Instruction ID: 0be78ae69d32804a70a391226fa2c52ba29b2ff16fb692eca8491d6aeea72671
                                                                      • Opcode Fuzzy Hash: d546d84df53c5d72949e3c6d77a91939fd20c0f4c74402294868da3882262e6f
                                                                      • Instruction Fuzzy Hash: 9B32EDB4B112058FDB15DB79D560BAEB7F6AF8A300F1444A9E206DB3A1CB34EE41CB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5711e14f635dcb01bc39e2320fe3bdacf2fc1f9d0f1c390238315f5c4f0b8092
                                                                      • Instruction ID: 2cf7369ad0989cdf6b9e1e457ff2bffc7478c99f75fc098e15f70678dc37dca5
                                                                      • Opcode Fuzzy Hash: 5711e14f635dcb01bc39e2320fe3bdacf2fc1f9d0f1c390238315f5c4f0b8092
                                                                      • Instruction Fuzzy Hash: 80A12574E20718CFDB54DFA9C8447EEBBB2BF89314F14C469D908A7240EBB459858F51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e140a7c4049aa7b5bb7f50e9b3d3dea892979a8a2efd7d48b04b4f30eb9285c0
                                                                      • Instruction ID: 0a129d92e85c29ff59d77f43f1630376f1284dfcbd68b4059fb85f828555f81e
                                                                      • Opcode Fuzzy Hash: e140a7c4049aa7b5bb7f50e9b3d3dea892979a8a2efd7d48b04b4f30eb9285c0
                                                                      • Instruction Fuzzy Hash: E9913774E10318CFDB64DFA9C8447EEBBB2BF89310F14C4A9C948A7241EBB459858F51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f93e5877277c886295d98da31d15d7fe5d520faa3090ca994bd312dec6920e70
                                                                      • Instruction ID: 6b5d2a6bfb4bfc77c23357cd718d587295df389cad7f58b8bd1712b9a00d1e9a
                                                                      • Opcode Fuzzy Hash: f93e5877277c886295d98da31d15d7fe5d520faa3090ca994bd312dec6920e70
                                                                      • Instruction Fuzzy Hash: 4A7128B1E14629CBDB24DF66CC447DDB7B6ABC9300F10C5EAD50AA7254EB706A858F10
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f2df20f8e4c0f1e38bbc2d1b6767baace69c6b4c43af2d7cd4400c0b27f03337
                                                                      • Instruction ID: be2c6f5bf092e3825ce2476aad1d02ca4c42976cdf49c1a8b9ead4a2331c620c
                                                                      • Opcode Fuzzy Hash: f2df20f8e4c0f1e38bbc2d1b6767baace69c6b4c43af2d7cd4400c0b27f03337
                                                                      • Instruction Fuzzy Hash: 4E6117B4E1522ACFDB64DF55C880BDDBBB6BB89300F1085EAD50AA7244D7706AC5CF14
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ef4721591688db90a3d524821ee5598fc1b97a222d9d056a943bcfc254ce7172
                                                                      • Instruction ID: 2908d0cd786ebd31d2e55adbc567b415930718d91015c66b42ae226ceba2b94d
                                                                      • Opcode Fuzzy Hash: ef4721591688db90a3d524821ee5598fc1b97a222d9d056a943bcfc254ce7172
                                                                      • Instruction Fuzzy Hash: EA516970E146198FDB48CFA9C844AAEFBF3FF88301F14D56AD815AB294D7748941CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bb19f086828e67fa367239f79b4b3b4e01adec2dc922ed9b6964b653e7cd0f63
                                                                      • Instruction ID: 18f0175b2496c5f78ecfebc945c813c4c1aa411ea3613ada57e9785f1305de91
                                                                      • Opcode Fuzzy Hash: bb19f086828e67fa367239f79b4b3b4e01adec2dc922ed9b6964b653e7cd0f63
                                                                      • Instruction Fuzzy Hash: 4E514970E256198FDB48CFA6C840AAEFBF2FF88301F14D46AD819B7254D7749941CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 953b1c7c5309be88e33d8b6056b038caa9e104704af5b74928e0a1ffc6c09432
                                                                      • Instruction ID: 73a03ca63cf50471063357d168cad9405fbe20f1ed755faacc42d3b4733d6382
                                                                      • Opcode Fuzzy Hash: 953b1c7c5309be88e33d8b6056b038caa9e104704af5b74928e0a1ffc6c09432
                                                                      • Instruction Fuzzy Hash: 655126B4E1422ACFDB24DF65C844BDDB7B6BB89300F1085E6D50AA7644E770AAC5CF14
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e140bc88643a3f7b993a0d66fd0447c48745fe025e51b1286fc37efc1f3d8b8e
                                                                      • Instruction ID: 850c4a147756ae849906c3e30c4a16199cc383efe88a5ffa510ea3a4035c97ac
                                                                      • Opcode Fuzzy Hash: e140bc88643a3f7b993a0d66fd0447c48745fe025e51b1286fc37efc1f3d8b8e
                                                                      • Instruction Fuzzy Hash: 24510AB4E142099FCB44CFA9C5849AEFBF2FF89301F1495AAD914A7314D7749A41CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 23353fb3dabb8748323b2c62a65f66a25f5f0f6aae52b0e659eec65f3d45ea7f
                                                                      • Instruction ID: 555a31aaa6e6b93bc7f89d6be7296515b3104dba828be1dfdd6c2f42e68d4dbf
                                                                      • Opcode Fuzzy Hash: 23353fb3dabb8748323b2c62a65f66a25f5f0f6aae52b0e659eec65f3d45ea7f
                                                                      • Instruction Fuzzy Hash: 2A412970E116198FDB58CFA6D9846DEFBF2AF88311F10C0A9D909AA254DB745A85CF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 89bc7532a0fa02823d7fbfd088af7a188a233249d0838f6e315b62e1e92c7a1e
                                                                      • Instruction ID: 42d12d9660c0d84c818a34361e7af1e18fbc31a19d1635a16a2e1a0b0d6cc558
                                                                      • Opcode Fuzzy Hash: 89bc7532a0fa02823d7fbfd088af7a188a233249d0838f6e315b62e1e92c7a1e
                                                                      • Instruction Fuzzy Hash: 4D4138B0E116598FDB58CFA6D9842DEFFF2AF89300F14C0AAD805AA254DB745A85CF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 76fc74c7cebafeca1f52b30e7b699174f313a82e906a6bc94d1bd1bcdf0a865d
                                                                      • Instruction ID: fc2138e94da68efd9a1ffbc215f0e9228033d9bc165efb9f8594e95e14874e2a
                                                                      • Opcode Fuzzy Hash: 76fc74c7cebafeca1f52b30e7b699174f313a82e906a6bc94d1bd1bcdf0a865d
                                                                      • Instruction Fuzzy Hash: 713138B4DA6318CFDB04DFA4D5587EDBAB4AF0A301F24586AE415B3280C7745985CF54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01A0C286
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01A0E20A
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01A0E20A
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 032340D0
Memory Dump Source
• Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A072DF
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A072DF
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A0C301,00000800,00000000,00000000), ref: 01A0C512
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A0C301,00000800,00000000,00000000), ref: 01A0C512
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01A0C286
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 032340D0
Memory Dump Source
• Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 01A0E39D
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 032320ED
Memory Dump Source
• Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 01A0E39D
Memory Dump Source
• Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 032320ED
Memory Dump Source
• Source File: 00000000.00000002.202648174.0000000003230000.00000040.00000001.sdmp, Offset: 03230000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
Similarity
• API ID:
• String ID: yPB
• API String ID: 0-1377185601
Uniqueness
• Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202331754.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dfc0715ebba6989b879c4c3754d2130848572acd6382c02b6ce1af73828116f7
                                                                      • Instruction ID: bc0f0e641fd10abe3a47c24254b5f9ba50bb46a53d5ae3f79db8eee8e8bd8bbd
                                                                      • Opcode Fuzzy Hash: dfc0715ebba6989b879c4c3754d2130848572acd6382c02b6ce1af73828116f7
                                                                      • Instruction Fuzzy Hash: D8212871904244DFDF05CF94D9E0B17BF65FB88328F24856AE9054B3A6C336D856C7A2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202331754.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2cc4b968c63ff1c22fc20434dc9845ec6defadcc7c9bbb02270f2c2fc113eefe
                                                                      • Instruction ID: 793037a54768e3fa82ad32308ba569a22bd12ef77613d603617f1cdfe6a04808
                                                                      • Opcode Fuzzy Hash: 2cc4b968c63ff1c22fc20434dc9845ec6defadcc7c9bbb02270f2c2fc113eefe
                                                                      • Instruction Fuzzy Hash: 1721E2B1904244EFDF01DF94D9D0B67BB65FB88324F24857AE9090B296C336E846C6A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202342889.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f8a036feeb8453be52f72b94462e764539e0cf61d06bccf5ff22b44974a85947
                                                                      • Instruction ID: a73ae87f99a459507cf4bbde934edf7d714daa86ff57ca8996a49b57278004aa
                                                                      • Opcode Fuzzy Hash: f8a036feeb8453be52f72b94462e764539e0cf61d06bccf5ff22b44974a85947
                                                                      • Instruction Fuzzy Hash: 192103B1904240DFCB15CF94D8C8B16BFA5FB84359F28C96AE90A4B356C337D847CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202342889.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0784e91f84abf8d08ec6878cdd7ee9f843e389f0e3dc28b40842b95614be3496
                                                                      • Instruction ID: 56f46973c7ac8cf3c37a572e94b78d5a1b72df69aa4c4615e5a9c33c7fbcea32
                                                                      • Opcode Fuzzy Hash: 0784e91f84abf8d08ec6878cdd7ee9f843e389f0e3dc28b40842b95614be3496
                                                                      • Instruction Fuzzy Hash: 60213775904240EFDB01CF94C9C8B16BBA5FB84324F20C96EE8494B362C736D846CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fe51915f24537bad2cf04b0d5b4be9c3843419984b9ffd5b3793ef5fe78d50a4
                                                                      • Instruction ID: 573f553a9e9889f969b72537d79669cbaf263a8c9fb32e870ff6605f62bc5129
                                                                      • Opcode Fuzzy Hash: fe51915f24537bad2cf04b0d5b4be9c3843419984b9ffd5b3793ef5fe78d50a4
                                                                      • Instruction Fuzzy Hash: 773100B4D11318DFDB60CFA9C984BDEBBF0AB48314F24856AE804BB240D7B55989CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 83bdb55133b1b52997a589184793599d6145ebf06b827d7560bd8028c15c5ab0
                                                                      • Instruction ID: 92a50ced78f49a76446caa97613d77ec627c41f80797efe3cd83c666e1ff0db4
                                                                      • Opcode Fuzzy Hash: 83bdb55133b1b52997a589184793599d6145ebf06b827d7560bd8028c15c5ab0
                                                                      • Instruction Fuzzy Hash: B731DFB4D11318DFDB60CF99C988BDEBBF4AB08314F248469E845BB240C7B59989CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 51de9946829e9d30c7f0eef7a18addfb852ac52bbf36054e3ddde1f32e5e68a9
                                                                      • Instruction ID: 904ba922bfda435dd898b7a46e825b0d491043240c358c612e8532954f417cf0
                                                                      • Opcode Fuzzy Hash: 51de9946829e9d30c7f0eef7a18addfb852ac52bbf36054e3ddde1f32e5e68a9
                                                                      • Instruction Fuzzy Hash: 0A21D8B4E11209DFCB48CF99C5449AEBBF2BB89300F14C5A9E918E7214D770AA41CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202342889.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f2fbb4e3a4db31ab00a6e32d11f8f47f40f4d8cdf1cf460a058f4713234dc0dd
                                                                      • Instruction ID: b9f7fea0a8f1c4ab0bfdc50b6d3dd2bbf3b62770b8de10c7c7c6a5a4eb043683
                                                                      • Opcode Fuzzy Hash: f2fbb4e3a4db31ab00a6e32d11f8f47f40f4d8cdf1cf460a058f4713234dc0dd
                                                                      • Instruction Fuzzy Hash: CB2180755093808FCB02CF24D994716BFB1EB46218F28C5DBD8498B667C33A984ACB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7b1a961a7ba6bb0aa550c9253a034b4df5418f546eccd083a50daf3f66966dd5
                                                                      • Instruction ID: c48cb13bf3be3a68fe0ba655a628912b158796503f37449257708f293308eede
                                                                      • Opcode Fuzzy Hash: 7b1a961a7ba6bb0aa550c9253a034b4df5418f546eccd083a50daf3f66966dd5
                                                                      • Instruction Fuzzy Hash: 7411CEB5A107168F8B51DFB98C404BFBBF6EFC4250728892EE829D7240EF7099018791
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1dacd499c72428343d218c521dcafdeb90a36e5d6ab5b53224df86adc8dc4173
                                                                      • Instruction ID: 608518aa884627a0ec22b608ec46e9977e9e794ce1d20b3e82db3da748c566d9
                                                                      • Opcode Fuzzy Hash: 1dacd499c72428343d218c521dcafdeb90a36e5d6ab5b53224df86adc8dc4173
                                                                      • Instruction Fuzzy Hash: 55114271B102158B8B54EBF898115FE76F7EF84315B144079C905E7780EB319D0ACBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202331754.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                                                                      • Instruction ID: 619aad8be4858c43c75545ec5bb57e72a097832bda9b13fd4f0ee5cb9f45e9d4
                                                                      • Opcode Fuzzy Hash: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                                                                      • Instruction Fuzzy Hash: B111D376804280DFCF12CF54D5D4B16BF71FB84324F2486AAD9050B76AC33AD45ACBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202331754.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                                                                      • Instruction ID: 6b1a32b9ee8493dc1dc6700ac35f0f8149a6b3a2eaddfbdf967836e1f247c39b
                                                                      • Opcode Fuzzy Hash: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                                                                      • Instruction Fuzzy Hash: 2F119076804280DFCF12CF54D5D4B56BF61FB84324F24C6AAD9490A756C336D45ACBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5f680fed6600beb0fc0c42e2f0008bdc6fe591671ebd35fbf45deef7c26ec227
                                                                      • Instruction ID: f18208a564b1215ab54aadc86812c61d0dd3744f4645ac63bb421003bf08d9e5
                                                                      • Opcode Fuzzy Hash: 5f680fed6600beb0fc0c42e2f0008bdc6fe591671ebd35fbf45deef7c26ec227
                                                                      • Instruction Fuzzy Hash: 0411A1B6E053608FC702DF79D80089AFFF5EF5921070685BBD909CB261D6709906CBC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202342889.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
                                                                      • Instruction ID: 4cb59725da8c22d3d40638c57e29115d6d1ca6c94c48051972f095c84a6badca
                                                                      • Opcode Fuzzy Hash: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
                                                                      • Instruction Fuzzy Hash: 62117C75904280DFDB12CF54D5C4B16BBA1FB84224F24C6AAD8494B766C33AD44ACB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 88d48e1838c25ddbe22f6ce62af9f4b0e8e49aa6a2aa0179a1c2f639d5dc4a44
                                                                      • Instruction ID: ff8e5b7370bcb3e5cf91440331f744cf079c360a4314e3d99c1a3ad3f68ce3c9
                                                                      • Opcode Fuzzy Hash: 88d48e1838c25ddbe22f6ce62af9f4b0e8e49aa6a2aa0179a1c2f639d5dc4a44
                                                                      • Instruction Fuzzy Hash: 6811F2B5D007098FCB50DF9AC488B9EFBF4EB48364F14841AE955A7300D774A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202331754.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 12834375ad60a158b86e885aa95d4869fa9251bd49b3a60be3cb069db0206e09
                                                                      • Instruction ID: 5fd6b6802f79c7a071721bba4333810d23e0399ffce0885afebf9fd871eec82c
                                                                      • Opcode Fuzzy Hash: 12834375ad60a158b86e885aa95d4869fa9251bd49b3a60be3cb069db0206e09
                                                                      • Instruction Fuzzy Hash: 5B01F7718083849AEB104A59CC80B67FB98EF41674F09849BEE095E297D3799844C6B1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d875d4c6465912b7e703fc7834c8a13e7f470a567fd28968f323f2e0aaddac96
                                                                      • Instruction ID: 2ec5b8c8dd7a681395aeea4fedd4806157f9d063fa4a872d8bc35d9fe584ef57
                                                                      • Opcode Fuzzy Hash: d875d4c6465912b7e703fc7834c8a13e7f470a567fd28968f323f2e0aaddac96
                                                                      • Instruction Fuzzy Hash: 58112EB5D002098FCB60CFAAC584BDEBBF4AB48324F14841AD959A7700C374AA44CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0af12605db2fdd2d81d68632e54d5fc2f4f1ecce8c5b2c69b845a820225b77ec
                                                                      • Instruction ID: 76812e7c8efa2a63e648293812fd0de2279689c8e53b384b00d53aab91343585
                                                                      • Opcode Fuzzy Hash: 0af12605db2fdd2d81d68632e54d5fc2f4f1ecce8c5b2c69b845a820225b77ec
                                                                      • Instruction Fuzzy Hash: 06010875C1031ADFEB50CF69C4047AEBBF1FB44311F248629E814AA290D7B44A40CFD5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 47b0b335f7b1bac03a39e723c70c2bcf16eac9862afa4e8ad336ff9b16ac220d
                                                                      • Instruction ID: 2aaed621f8bc4de0c57b73513963eacf1b03c7c86851df4cd9d8aa9e52eec6fc
                                                                      • Opcode Fuzzy Hash: 47b0b335f7b1bac03a39e723c70c2bcf16eac9862afa4e8ad336ff9b16ac220d
                                                                      • Instruction Fuzzy Hash: E0F0BEB2B042255FD300CBAEDC85D6BBBE9EFCE220348857AE548CB311DA309C11C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202331754.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 204d330b87805988d5dc54148289d56504efa0e91d2ed22cbf60e8e51bf19616
                                                                      • Instruction ID: f1594062205ff86808c5544744a17ecdf258d34956781393f6e63891dc243ead
                                                                      • Opcode Fuzzy Hash: 204d330b87805988d5dc54148289d56504efa0e91d2ed22cbf60e8e51bf19616
                                                                      • Instruction Fuzzy Hash: 68F0C271808384AEEB118A19CC84B63FF98EB41774F18C45AED090F392C3799844CAB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e920485cdea9ea4438cfb8aed52ae75a8b088f0f36819a27bdbd9bcbe4cd3b2a
                                                                      • Instruction ID: f7bdcbcdf72cf947c6b58c8feaeefe9efb47f313f7a2366db88ed4de5aa372f3
                                                                      • Opcode Fuzzy Hash: e920485cdea9ea4438cfb8aed52ae75a8b088f0f36819a27bdbd9bcbe4cd3b2a
                                                                      • Instruction Fuzzy Hash: F1F0C23592D394DFC792CBA9C8986657FF8EF07310B0841DAD881CF2A3D2A59942C742
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      Non-executed Functions

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: u20$u20
                                                                      • API String ID: 0-1542752309
                                                                      • Opcode ID: 76a42ac06f9fa748765cbcc9cd109fcb5ecb68bd686d2c59179b189204afbf2c
                                                                      • Instruction ID: 39b3fdc045e6a25ad557579a11f9b00d19e090179cedf22c400b65a7a5135c54
                                                                      • Opcode Fuzzy Hash: 76a42ac06f9fa748765cbcc9cd109fcb5ecb68bd686d2c59179b189204afbf2c
                                                                      • Instruction Fuzzy Hash: 8C7148B4E2520ADFDB48CF99D080AAEFBB1FB89310F149426D915B7220D7B4A941CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: u20$u20
                                                                      • API String ID: 0-1542752309
                                                                      • Opcode ID: 29ac0909a81e54588cd8e54c8faeffe24fde1a59cc37de437fe09653577b706b
                                                                      • Instruction ID: cc997523a402b16f77255c5f632fbe2b71bd56db49e7200c6bdc3a9162e6c740
                                                                      • Opcode Fuzzy Hash: 29ac0909a81e54588cd8e54c8faeffe24fde1a59cc37de437fe09653577b706b
                                                                      • Instruction Fuzzy Hash: 46715BB4E2520ADFDB48CF99D480AAEFBB2FB89310F14D426D915A7310D7B4A941CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: -
                                                                      • API String ID: 0-2547889144
                                                                      • Opcode ID: c637d29a1f59c8c009a65e25323ac2f070576cfb77cd865dc18c1528503161c6
                                                                      • Instruction ID: 5e331fdf6293c70758076fcfb01d33e6428f05466a60df0e1b1003f0aa05149d
                                                                      • Opcode Fuzzy Hash: c637d29a1f59c8c009a65e25323ac2f070576cfb77cd865dc18c1528503161c6
                                                                      • Instruction Fuzzy Hash: 44411E71E156588BEB5DCF6B9C4079AFAF7AFC9300F14D1BA980CAA258DB7006858F11
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0c6bdcc9b1cc417df8b4f688fdce58827bb30ef2225b0dfbcb6244bdc35f4362
                                                                      • Instruction ID: 46514f1d3243cc42f01c59e0e4566ab6faf02f1e57e017ae141ed0d311f69f81
                                                                      • Opcode Fuzzy Hash: 0c6bdcc9b1cc417df8b4f688fdce58827bb30ef2225b0dfbcb6244bdc35f4362
                                                                      • Instruction Fuzzy Hash: 5B5245B9D017068FD731CF58E8891E97BB1FB45328F908208D561ABAD9E3B4654BCF84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 969377112efe08a5d35928d3d11e05d1766fe47096596025fd1565b3cff6e5f0
                                                                      • Instruction ID: a4593b07b715e2f9db24fe6bdb30073d1068c545b1ee9ac2194025568644f54f
                                                                      • Opcode Fuzzy Hash: 969377112efe08a5d35928d3d11e05d1766fe47096596025fd1565b3cff6e5f0
                                                                      • Instruction Fuzzy Hash: 4BD1E631C2074ACACB10EF64C894AEDB771FF99300F619B9AD54967220EF716E89CB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.202566554.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5a3ddbc247af2afdc2cc30d3107e6aade629e275bf327a86801b99f9cd195917
                                                                      • Instruction ID: d1b1ad015439c947d6525e31e785ef1d22b9f74ff8c6b63af3c3e8008b40a46f
                                                                      • Opcode Fuzzy Hash: 5a3ddbc247af2afdc2cc30d3107e6aade629e275bf327a86801b99f9cd195917
                                                                      • Instruction Fuzzy Hash: 55A1B136E0020ACFCF16DFA9D9445DEBBB2FF89300B15856AE905BB265DB30E945CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.206248061.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 10fab8c2487a4311132e271b31e126b05950b93e2e3e08595062e9101f2b1b69
                                                                      • Instruction ID: d5c98541ddc4cc24d9229ef634d56f2e17875b44cb0fce319d6858ad15b6e1fa
                                                                      • Opcode Fuzzy Hash: 10fab8c2487a4311132e271b31e126b05950b93e2e3e08595062e9101f2b1b69
                                                                      • Instruction Fuzzy Hash: F8D1E530C2074ACACB10EF64C894AEDB771FF95300F619B9AD54967220EF71AE898B51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Executed Functions

APIs
• GetCurrentProcess.KERNEL32 ref: 01896BB0
• GetCurrentThread.KERNEL32 ref: 01896BED
• GetCurrentProcess.KERNEL32 ref: 01896C2A
• GetCurrentThreadId.KERNEL32 ref: 01896C83
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• API String ID: 2063062207-0
• Opcode ID: 6ea48547cd7abc1be34bebdec5adf82b6e90c37365f589130e819ace6ee6f468
• Instruction ID: 77aeb9e67c1788102941a8f01901e74ecc8d0f2d45dd684658e4353447f26cd4
• Opcode Fuzzy Hash: 6ea48547cd7abc1be34bebdec5adf82b6e90c37365f589130e819ace6ee6f468
• Instruction Fuzzy Hash: 665154B0A006498FDB54CFAAC648B9EBBF1FF88318F248459E119A7350DB746944CB61
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01894216
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: HandleModule
• API String ID: 4139908857-0
• Opcode ID: 9ad5c1ceed98a8c770c771c6a1ada9c08284d554cc52c255a0002e4a0ddccb15
• Instruction ID: 1979bc0316e19b5704b1b9a68131923914b92647e7336729e2d2aab01f9d87e1
• Opcode Fuzzy Hash: 9ad5c1ceed98a8c770c771c6a1ada9c08284d554cc52c255a0002e4a0ddccb15
• Instruction Fuzzy Hash: 82B16A74A007068FCB54EF79C48466EBBF2FF88314B148929D90ADB751DB34E9068B91
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018952A2
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: CreateWindow
• API String ID: 716092398-0
• Opcode ID: 59fc00fc6b5aa8f5447c12241d9eb48f109de1ecf3f7e1f49a07440393b03266
• Instruction ID: 7bffed03a60a0029c113d31bf3b81c43fd9e36052d915fca1cfae4c0425995b9
• Opcode Fuzzy Hash: 59fc00fc6b5aa8f5447c12241d9eb48f109de1ecf3f7e1f49a07440393b03266
• Instruction Fuzzy Hash: 9051CEB1D003499FDF15CFA9C884ADEBFB5BF48314F28812AE819AB210D775A945CF90
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018952A2
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: CreateWindow
• API String ID: 716092398-0
• Opcode ID: 07c0b3311bffc85a16c0c9e61fcae5ed583bc1794e2d806136cc99e53eedc14b
• Instruction ID: 427d98b90dd7118d5250628a0f794560d8481d053f31d84e92f79f09f5f89f83
• Opcode Fuzzy Hash: 07c0b3311bffc85a16c0c9e61fcae5ed583bc1794e2d806136cc99e53eedc14b
• Instruction Fuzzy Hash: B541AFB1D103499FDF15CFD9C984ADEBBB5BF48314F24812AE819AB210D774A945CF90
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 01897CF9
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: CallProcWindow
• API String ID: 2714655100-0
• Opcode ID: baf92154bfd61cf9cf8ce3fec264db2c91e0f5b73561db759715bac73b8eabf0
• Instruction ID: 7695c0e0ff2b4875fec6a66b742cbbdf82b9ab4f94f0f5fa7890f2749ce04dc8
• Opcode Fuzzy Hash: baf92154bfd61cf9cf8ce3fec264db2c91e0f5b73561db759715bac73b8eabf0
• Instruction Fuzzy Hash: 40415CB5A10349CFDB14CF99C488BAABBF5FF88318F188458E519AB311C734A941CFA0
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01896DFF
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0
• Opcode ID: 17a8e2b2be9339204a20a374d27a0b3f69aa3fcb8d5837be5453be5913b08478
• Instruction ID: 945779c8bab3567ae2848973f8f3ba4fef46881dd66d2aaf3513ae9768ffb7ac
• Opcode Fuzzy Hash: 17a8e2b2be9339204a20a374d27a0b3f69aa3fcb8d5837be5453be5913b08478
• Instruction Fuzzy Hash: 2521C4B59002589FDF10CF9AD984ADEBBF8FB48324F14841AE915A7310D774A954CFA1
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01896DFF
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0
• Opcode ID: ad5995387470082b11e68b7183c2c38270fa04ce462217bf7dc6c6c44f86e4db
• Instruction ID: 00bfe42afeddb12a80487f54a71bc7afc43a7216abe72e0b7e63fd3349819de8
• Opcode Fuzzy Hash: ad5995387470082b11e68b7183c2c38270fa04ce462217bf7dc6c6c44f86e4db
• Instruction Fuzzy Hash: 8621D5B5D002489FDF10CF9AD584ADEBBF4FB48324F14841AE915A7310D774A954CFA1
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 0189BE72
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: EncodePointer
• API String ID: 2118026453-0
• Opcode ID: e9401e0f773558be4c3c88ef6129997227a8d54d83d9375998cf1f02cd6da309
• Instruction ID: 38c6f3af00b88317bd5915d4434f1eb874e050d95cf932eeccaeb2754ff618ac
• Opcode Fuzzy Hash: e9401e0f773558be4c3c88ef6129997227a8d54d83d9375998cf1f02cd6da309
• Instruction Fuzzy Hash: 71219FB19047458FDB21DFAAD84879EBFF8FB05324F188429D505E7642D7385904CFA2
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01894216
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: HandleModule
• API String ID: 4139908857-0
• Opcode ID: 60f330c093324e0a86856f62f19b8d5536ec3edf0d9373eb14b57996993636aa
• Instruction ID: 30304d35cccfb9fba93a02eae47f9a3016c5a690777737b31dfaaed284274c0a
• Opcode Fuzzy Hash: 60f330c093324e0a86856f62f19b8d5536ec3edf0d9373eb14b57996993636aa
• Instruction Fuzzy Hash: 202167B19046488FCB14CF9AD584BDEBBF4EF49328F04846AD559B7210C374A546CFA1
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 065B673A
Memory Dump Source
• Source File: 00000002.00000002.467449138.00000000065B0000.00000040.00000001.sdmp, Offset: 065B0000, based on PE: false
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
• Opcode ID: bed01c93f243301b7821ca273dc0f2b4fae5889cfbbe70048599f4ae3f202d35
• Instruction ID: 4a2cd6d38f1e6bdb6621c58b82a3ea0c5a5188fd3d8e7fb616b8884800aff349
• Opcode Fuzzy Hash: bed01c93f243301b7821ca273dc0f2b4fae5889cfbbe70048599f4ae3f202d35
• Instruction Fuzzy Hash: 4811D3B6D002098FDB10CF9AD484ADEBBF4BB88324F14852AD515A7200C3B9A945CFA5
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 0189BE72
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: EncodePointer
• API String ID: 2118026453-0
• Opcode ID: 0fad3fb6e3980aedad41a20f00382834e18c6c81c213486bae7bbb95292f7ca9
• Instruction ID: 0a26fa4f2a133a1e35229e7797d17097bbf8c6f9ad88f6affdac5ef362360320
• Opcode Fuzzy Hash: 0fad3fb6e3980aedad41a20f00382834e18c6c81c213486bae7bbb95292f7ca9
• Instruction Fuzzy Hash: 81116DB19003098FDB60DFAAD54879EBBF8FB48324F148429D505A7641D7385944CFA2
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 065B673A
Memory Dump Source
• Source File: 00000002.00000002.467449138.00000000065B0000.00000040.00000001.sdmp, Offset: 065B0000, based on PE: false
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
• Opcode ID: 5226b7308dd0973e88afc448f085ec5360789c5cb777e2937a73cafde168ffeb
• Instruction ID: be77093039315172c8645111f22ffa41287ca1df75431dd0d432bd224fbe4dd0
• Opcode Fuzzy Hash: 5226b7308dd0973e88afc448f085ec5360789c5cb777e2937a73cafde168ffeb
• Instruction Fuzzy Hash: 0511F3B6D002098FDB10CF9AD484BDEFBF4FB88324F14842AE515A7200C7B5A945CFA5
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01894216
Memory Dump Source
• Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Similarity
• API ID: HandleModule
• API String ID: 4139908857-0
• Opcode ID: b589bad78d9fb1c6ab620eb635a4317e25d2cf732afb8dbc83686f447f76e4df
• Instruction ID: 6b7ab7fe8b3dbedc559139caac8af71410f1a7eef59f8e0260aba3b6fe47e6b4
• Opcode Fuzzy Hash: b589bad78d9fb1c6ab620eb635a4317e25d2cf732afb8dbc83686f447f76e4df
• Instruction Fuzzy Hash: 7C11F3B59006498FDB14CF9AD544B9EBBF4EB88324F14846AD929B7200D374A646CFA1
Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 01894216
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.462706416.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 8699bb8daa8be95ab00c82100a1b650b018f5ae7d15d8f03bdd454a71f2229d5
                                                                      • Instruction ID: b5d40325fb4b61019166231afe3c06a7d347cfcf47d906e61c08c128f80b7b50
                                                                      • Opcode Fuzzy Hash: 8699bb8daa8be95ab00c82100a1b650b018f5ae7d15d8f03bdd454a71f2229d5
                                                                      • Instruction Fuzzy Hash: 251102B5D006498FDB10CF9AD584BDEFBF4EB88324F15846AD529B7200C374A646CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OleInitialize.OLE32(00000000), ref: 065BA065
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.467449138.00000000065B0000.00000040.00000001.sdmp, Offset: 065B0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID:
                                                                      • API String ID: 2538663250-0
                                                                      • Opcode ID: d3a800c55f4748e3323540d4375ccea15c079b3b4139a6ff3d8fbb3c8245e1bb
                                                                      • Instruction ID: abd9a425bdbe39e602429099390034c1961ffe1d706a837a121b870b2e257426
                                                                      • Opcode Fuzzy Hash: d3a800c55f4748e3323540d4375ccea15c079b3b4139a6ff3d8fbb3c8245e1bb
                                                                      • Instruction Fuzzy Hash: DD1112B1904748CFDB60CF9AD488BDEBBF4EB48328F108819E519A7300D779A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OleInitialize.OLE32(00000000), ref: 065BA065
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.467449138.00000000065B0000.00000040.00000001.sdmp, Offset: 065B0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID:
                                                                      • API String ID: 2538663250-0
                                                                      • Opcode ID: c06ed676bae1276ba947be0b344de09d941b23d8e879d96e6415fa2c875047f7
                                                                      • Instruction ID: 2c81e92e45077df830aa0ce5621be135079592ca8af5d53bddc23d8de49ddeaa
                                                                      • Opcode Fuzzy Hash: c06ed676bae1276ba947be0b344de09d941b23d8e879d96e6415fa2c875047f7
                                                                      • Instruction Fuzzy Hash: 6E11F3B5D006488FDB60DF9AD988BDEBBF4EB48328F148419E519A7700D378A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.462507878.00000000017ED000.00000040.00000001.sdmp, Offset: 017ED000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1e4cf8ec54101afd413aab35ac88118df63d4a3e91aabedae60c7834f0cc8e32
                                                                      • Instruction ID: e98414d5f76859150efba0c2eafa90ecb4ff2a99f9e1edbcfac3c791eca24cf0
                                                                      • Opcode Fuzzy Hash: 1e4cf8ec54101afd413aab35ac88118df63d4a3e91aabedae60c7834f0cc8e32
                                                                      • Instruction Fuzzy Hash: EF210371504244DFCB21CF94D5C8B16FFE5FB88354F28C9A9E8094B246C337D846CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.467125373.0000000005C50000.00000040.00000001.sdmp, Offset: 05C50000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 575fc9441450734aea963a61fb2ab2e8b2754fc9acc7f93fcbaa483bb00e4c3b
                                                                      • Instruction ID: 27e13f54e6dea6bddaf042fcd14b3a2cfabb92a65dd36fb1885541cddb509fa4
                                                                      • Opcode Fuzzy Hash: 575fc9441450734aea963a61fb2ab2e8b2754fc9acc7f93fcbaa483bb00e4c3b
                                                                      • Instruction Fuzzy Hash: 3121267094D3C55FC706DFB888245EE7FF1AF47220B0A48ABC480EF163DA694845C7A6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.462507878.00000000017ED000.00000040.00000001.sdmp, Offset: 017ED000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
                                                                      • Instruction ID: c3babf86b1f07e6cc14d9b7b77347aff1ef983dc1a48c5cc4950dbd3a3a7ad87
                                                                      • Opcode Fuzzy Hash: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
                                                                      • Instruction Fuzzy Hash: 5011BE75504280DFCB12CF54D5C8B16FFA1FB48314F28C6AAD8494B656C33AD44ACB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.467125373.0000000005C50000.00000040.00000001.sdmp, Offset: 05C50000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 180a597d662de533657645f236627756ad79d0092890eba1fbf5c67df8ceecfb
                                                                      • Instruction ID: 79d187348d5cd0187af31351cab9a3a7a798fb4eeba8557f0a33c6acd8b80d48
                                                                      • Opcode Fuzzy Hash: 180a597d662de533657645f236627756ad79d0092890eba1fbf5c67df8ceecfb
                                                                      • Instruction Fuzzy Hash: 550162B0D042299BCB54DFA988446AFBEF2FB88210F10482AD945E7344DB744A419BD5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.467125373.0000000005C50000.00000040.00000001.sdmp, Offset: 05C50000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6ddcf273475ef15bed88d80e76f511583b67dd18cc4de3fe2b7a55111bc2fe68
                                                                      • Instruction ID: 8e19839a5369a30a909baf81b84d172d39ca43920d5f883c79a3e83228ec391c
                                                                      • Opcode Fuzzy Hash: 6ddcf273475ef15bed88d80e76f511583b67dd18cc4de3fe2b7a55111bc2fe68
                                                                      • Instruction Fuzzy Hash: 58F081B0E041198FDB04DFA898046FFBEF2EB88211F20893AD945EB254DB744A459BD0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.467125373.0000000005C50000.00000040.00000001.sdmp, Offset: 05C50000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 59a3783ea2bb3f5a928206051a95a769a52c3dc58e5f90098d4b468024275130
                                                                      • Instruction ID: 88a83bcffec8bc59705208a640c72cc61c3da994296f56d06dd486b9add4637a
                                                                      • Opcode Fuzzy Hash: 59a3783ea2bb3f5a928206051a95a769a52c3dc58e5f90098d4b468024275130
                                                                      • Instruction Fuzzy Hash: DAE068322043100BC7146BFE8C1044EBB5AAEC22303594BBBE215CB1C2CC308C45C3E5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.467125373.0000000005C50000.00000040.00000001.sdmp, Offset: 05C50000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d0cf1fa7185829bcbf0a3b3d8359dec2bd23788e90d6a868a082821ee2d83212
                                                                      • Instruction ID: 897e80f49bf7b253fd06be4c02ac301821dcbb2b4f3b2d546afc76d9e73c1988
                                                                      • Opcode Fuzzy Hash: d0cf1fa7185829bcbf0a3b3d8359dec2bd23788e90d6a868a082821ee2d83212
                                                                      • Instruction Fuzzy Hash: D0D05E36711314179B283ABE581446E338FAEC66713594A3AA219DB2C4DD318C0583E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Executed Functions

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5ba13f0e3ba279cca09994154fe9b76e6a46fc555ddf28d7a8ff432a9209295c
                                                                      • Instruction ID: 59e1bc365c344571bcf7c0ad1c5fab3777776ae27acfc3e9b5dca5e863ac3061
                                                                      • Opcode Fuzzy Hash: 5ba13f0e3ba279cca09994154fe9b76e6a46fc555ddf28d7a8ff432a9209295c
                                                                      • Instruction Fuzzy Hash: 17226234701211CFC715EF60E890B6A77B2FB88305B64893DD50A8739AEB39ED46CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 579c40ba34bb23d75118f8cdcdb22eb1000676517beb3cd945b8100f952bdc40
                                                                      • Instruction ID: 367d03d440f94b6b67ff317bc45ff9d931d47ee3f76dfb1966c8ee52cbfece46
                                                                      • Opcode Fuzzy Hash: 579c40ba34bb23d75118f8cdcdb22eb1000676517beb3cd945b8100f952bdc40
                                                                      • Instruction Fuzzy Hash: A371C134A002448FDB199BB0C8087AEBBB2EF98304F158529D447677A4DF75AC89CB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5bff295f2f9eea4d8254ca410d41cded24ff16bc223a7756346f954f84eb8673
                                                                      • Instruction ID: bcaf7a459ca9c0be98db98290f6815c87bb3aa0ee71da69e8826b96054817b9f
                                                                      • Opcode Fuzzy Hash: 5bff295f2f9eea4d8254ca410d41cded24ff16bc223a7756346f954f84eb8673
                                                                      • Instruction Fuzzy Hash: F521C375B402108FC758AB38C45896D33E2AF8965932209BCE506CF775EB36EC46CB95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 77449b8c9d3cdd9306cb909229cee65ca84ad2cb189f9aafa31d515b8160712c
                                                                      • Instruction ID: 8f053b36e6fff91c52ef59f1838ebb26c83ba6ed58297b64021ea9fbd1b0215d
                                                                      • Opcode Fuzzy Hash: 77449b8c9d3cdd9306cb909229cee65ca84ad2cb189f9aafa31d515b8160712c
                                                                      • Instruction Fuzzy Hash: 9921F475B401108FC758AB38C05896D33F2AF8965932209BCE106CF7B5EB32DC46CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 83cb319d27273875970d0ae2df26b15a2b5320be5078b5f8603813d01c98706a
                                                                      • Instruction ID: 1be2fdcbe165ada8816470032be0e643b56ef7e14ff87d1c6c8ddcd50cdc8cc0
                                                                      • Opcode Fuzzy Hash: 83cb319d27273875970d0ae2df26b15a2b5320be5078b5f8603813d01c98706a
                                                                      • Instruction Fuzzy Hash: 0901F730B04214AFCB05EBB4D8106AE7BF9DF85205F6080A5D609DB391DF319D06C792
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5298df88c9e5f239d69276041b09cdde5dd24411f33fdeb493fba1c1889333ef
                                                                      • Instruction ID: e645f8994859de5348e71769091273e471962be84bf1eb2a13f9db209fa59cf0
                                                                      • Opcode Fuzzy Hash: 5298df88c9e5f239d69276041b09cdde5dd24411f33fdeb493fba1c1889333ef
                                                                      • Instruction Fuzzy Hash: D8019235E002059FCB40EFB4D844DEEFBB1FF8D300720866AE51997621EB349915CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fc9a6eb12a5642fcf2590e0d8f8197826b10ca6620c9d0d2bc803b40e10e7b64
                                                                      • Instruction ID: dd22c562e50586b0db79bc45169a390fedf3f055aa60449c541a4c9393854796
                                                                      • Opcode Fuzzy Hash: fc9a6eb12a5642fcf2590e0d8f8197826b10ca6620c9d0d2bc803b40e10e7b64
                                                                      • Instruction Fuzzy Hash: 6E019E35E002059FCB40EFB8D844DEEFBB5FF8D200720866AE5189B621EB34A915CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 27ec1f2336aa1ad484c2b260f52d20d76dc42f0d5401d5336e0a589f3aaee811
                                                                      • Instruction ID: 0506237cc20f9f2bb583091b2d2fe363db918c1cf0e169b5407cc1543c720bf8
                                                                      • Opcode Fuzzy Hash: 27ec1f2336aa1ad484c2b260f52d20d76dc42f0d5401d5336e0a589f3aaee811
                                                                      • Instruction Fuzzy Hash: 2BF01C71940215CFDB14DB64C4587AD7BB0AF58218F250898D002A73A1CB759D88CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7819559bda3235f94afa18e77e2e20e73fdcc3f3a0264797b94191adc8d2c998
                                                                      • Instruction ID: 4a1c21210b96ec91d9d6ecf8fbc199176e1b34b85ee1f33b44f6a38c993b3d0c
                                                                      • Opcode Fuzzy Hash: 7819559bda3235f94afa18e77e2e20e73fdcc3f3a0264797b94191adc8d2c998
                                                                      • Instruction Fuzzy Hash: AAE07235E000088BDA58B678E400B6D72F9EBC5914F200928C208CB30AFF356C8403E7
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 65c2742e3497864b24d8ab3e22c8d41e2bfb474755c529f87de047818d0ea2f8
                                                                      • Instruction ID: c28f192896bf2e80d82fdc5f0089ab14349a9049649e74f5aa94650d04c14aa2
                                                                      • Opcode Fuzzy Hash: 65c2742e3497864b24d8ab3e22c8d41e2bfb474755c529f87de047818d0ea2f8
• Instruction Fuzzy Hash: BFE02635E040048FDB59B674A440BAD72F19BC5904F200A2CC109DB74AFF350C8447A2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 228a06f7254c414e753f673772cbc4bb8db0629404362e2db4943102704f61e5
• Instruction ID: 1973dee494ad792b220ef308b496b2237661fd6ec44edf575befe1e784b1baae
• Opcode Fuzzy Hash: 228a06f7254c414e753f673772cbc4bb8db0629404362e2db4943102704f61e5
• Instruction Fuzzy Hash: 4DE0C2357001108FC710EB74E809F9A3BB4AF44601F204199E509CB2A5D771C804CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbc9fbc9a3cf694e5316014c6a2775d64dd285d9b46f0bd8405a2e458164239c
• Instruction ID: 91c7a557d8c359b65e8a97284bdb537491ed7bccea83df6889aa6414099c5357
• Opcode Fuzzy Hash: bbc9fbc9a3cf694e5316014c6a2775d64dd285d9b46f0bd8405a2e458164239c
• Instruction Fuzzy Hash: DDD01271D041299F8B40DFBC59051EEBFF0AE08240B1045AAD91AF3200E2704A14CFD1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 403f5e7c8d206de1b0a17b21764a94430d0b784c99cf114dea928537c5e0e2f7
• Instruction ID: 9c9a2590da9bca82ce9a84420419876ddab04d10d996f40d80fd11ca522b188f
• Opcode Fuzzy Hash: 403f5e7c8d206de1b0a17b21764a94430d0b784c99cf114dea928537c5e0e2f7
• Instruction Fuzzy Hash: 32D067B1D00229AF8B80EFBD99052EEBBF8EA09251B1045A6D919E3200E6705A14CBE1
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05968096dbef41acbfb7561bb7ec00f50c5999b4f5db3ecd8f4baece48ca863b
• Instruction ID: 4628cc4ce77435a3fb6aaaf06566c0f24ee783a989b257e6a1914abe5ef12883
• Opcode Fuzzy Hash: 05968096dbef41acbfb7561bb7ec00f50c5999b4f5db3ecd8f4baece48ca863b
• Instruction Fuzzy Hash: F8224D387017019FCB14EF64E4906AA73B6EBD8305B28897CD546873A9DF35ED46CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 203b07640d52d339685a8aff0035f57b24cbbbe32fd5b7b1fb25b5c752e4c09e
• Instruction ID: 66c447e9b9e108156990ac5ff8f8cf2953fc4f2b884a99605d7994dd8854d870
• Opcode Fuzzy Hash: 203b07640d52d339685a8aff0035f57b24cbbbe32fd5b7b1fb25b5c752e4c09e
• Instruction Fuzzy Hash: 3B81E234A003449FDB169FA4D8146DABBB3EF88314F19C96AD4069B7A1DF74EC85CB60
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a44c92403175f0de0fd07632b6623d60c9c52633eeae3194056c051dcfb007a
• Instruction ID: 8690c37a691fcb07b2046cb0232a397e7e3ebd1fa5f0442e42a0416f51711c51
• Opcode Fuzzy Hash: 9a44c92403175f0de0fd07632b6623d60c9c52633eeae3194056c051dcfb007a
• Instruction Fuzzy Hash: 9C314775B002508FC759AB78C06896D37F1AF8965832608BCE106CF7B5DB32DC42CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 942e31f8d1bf2a4876081718f3810e53ec78c83f9366a3d71303f6357fe96560
• Instruction ID: 737c0d279182ac78ca7342a7bbd4495f3d2449695fa014a1c3daf93437b9d670
• Opcode Fuzzy Hash: 942e31f8d1bf2a4876081718f3810e53ec78c83f9366a3d71303f6357fe96560
• Instruction Fuzzy Hash: 1121F475B002108FC758AB78C05896D37E2AF8965932209BCE106CF7B5DF32EC42CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bdaecfcea0852832ae35bac4bcbf26bbc090718de34925ec5d176b4df8c67a8
• Instruction ID: 640adf0ea05425af31cb87a5c634e9b56289fd09e02e2ef1dbe1d9d22431d158
• Opcode Fuzzy Hash: 4bdaecfcea0852832ae35bac4bcbf26bbc090718de34925ec5d176b4df8c67a8
• Instruction Fuzzy Hash: 1C110034A00304AFCB05EFB8E41069D7BBAEF85704F5080B9D609DB395EF319D4A8BA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4aac84044f9cac81cb81731e82eb6d250161030886ddc7a1bcf83f291efc88c0
• Instruction ID: 8413e8e1df8fe116e6355344c4e02b35432f40e21754ada320d2059511322de5
• Opcode Fuzzy Hash: 4aac84044f9cac81cb81731e82eb6d250161030886ddc7a1bcf83f291efc88c0
• Instruction Fuzzy Hash: 6E11D675E003099FCB00EFB4D8449DEFBF5FF89300B1186AAE51997621EB349904CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e3c46cb4036246ac02a3b75af775f216accc5ee48cd74548b42d3bc4b1842a9
• Instruction ID: 8ce51555ab08055319e1c8e732d9c1279f6e2564fbe7973fa26c904de98d7c0a
• Opcode Fuzzy Hash: 8e3c46cb4036246ac02a3b75af775f216accc5ee48cd74548b42d3bc4b1842a9
• Instruction Fuzzy Hash: B901B535E002059FCB00EFB4D8408DEF7F5FF8930071086AAE51897721EB34A915CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bf850899338f0d3ec252319bef0787c9851f00a3b3813adbef9358c1652010d
• Instruction ID: def2ab1040b4798e615cd1d663279f612e23b1190667fe58224f39508280c1ae
• Opcode Fuzzy Hash: 2bf850899338f0d3ec252319bef0787c9851f00a3b3813adbef9358c1652010d
• Instruction Fuzzy Hash: 71E09A74C00319AF8B40AFB9A8061DABBF4FE06310F5141B6DA4AE7200E7309A08CBE1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e9f58223c196c8983eb49f00b0577c2b0dc7dad142156e3f5e3f425da75da8f
• Instruction ID: f4ea43e3ab9bdf3b0e7e7b41a954b863c9bc3debd857be7667f560c9da24ba92
• Opcode Fuzzy Hash: 8e9f58223c196c8983eb49f00b0577c2b0dc7dad142156e3f5e3f425da75da8f
• Instruction Fuzzy Hash: F8F01C719403059FDB14DBA4C0587AE7BB0AF48318F250998D442E77A1CFB4AD84CFA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95ff3357e813c7bae412e662bd41914893f35d60a9d7eec660ab1aac5adac33f
• Instruction ID: f9f4c80bebf2c4f62956ba029e2bdae5f8e5b1a13fc8a8e6c0a031d9ec90b580
• Opcode Fuzzy Hash: 95ff3357e813c7bae412e662bd41914893f35d60a9d7eec660ab1aac5adac33f
• Instruction Fuzzy Hash: 4DD067B1D00229AF8B50EFF999051DEBBF8EA08250B1045B6DA59E3200E6709A148BE1
Uniqueness
Uniqueness Score: -1.00%

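Every record in this section has empty API ID, String ID and API String ID fields and a Uniqueness Score of -1.00%, so the only handles left for relating a function in one dump to a function in another are the Opcode ID, Instruction ID and the two fuzzy hashes. As an added example (not part of the Joe Sandbox report, and not Joe Sandbox's own similarity code), the script below parses records in the report's text layout and scores pairs of Instruction Fuzzy Hashes by the fraction of hex positions they share. Run over this section's data it pairs the last function of the process 7 dump at 02720000 with the last function of the process 9 dump at 00D60000, whose Instruction Fuzzy Hashes agree in 56 of 70 positions; the report itself does not say the two are related, so read that as a lead to confirm in the dumps, not a finding. Treating the fuzzy hash as a fixed-length positional digest and taking the first dotted field of the dump name as the process index are assumptions of this example (the report does not document the hash), and the 0.75 threshold is arbitrary.

```python
import re
from itertools import combinations

# Constructed sample: three function records copied from this section of the
# report (one from the process 7 dump, two from the process 9 dump). The empty
# "API ID" / "String ID" / "API String ID" lines are omitted here for brevity.
SAMPLE = """\
Memory Dump Source
• Source File: 00000007.00000002.262850222.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false
• Opcode ID: 403f5e7c8d206de1b0a17b21764a94430d0b784c99cf114dea928537c5e0e2f7
• Instruction ID: 9c9a2590da9bca82ce9a84420419876ddab04d10d996f40d80fd11ca522b188f
• Opcode Fuzzy Hash: 403f5e7c8d206de1b0a17b21764a94430d0b784c99cf114dea928537c5e0e2f7
• Instruction Fuzzy Hash: 32D067B1D00229AF8B80EFBD99052EEBBF8EA09251B1045A6D919E3200E6705A14CBE1
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
• Opcode ID: 05968096dbef41acbfb7561bb7ec00f50c5999b4f5db3ecd8f4baece48ca863b
• Instruction ID: 4628cc4ce77435a3fb6aaaf06566c0f24ee783a989b257e6a1914abe5ef12883
• Opcode Fuzzy Hash: 05968096dbef41acbfb7561bb7ec00f50c5999b4f5db3ecd8f4baece48ca863b
• Instruction Fuzzy Hash: F8224D387017019FCB14EF64E4906AA73B6EBD8305B28897CD546873A9DF35ED46CBA0
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000009.00000002.280004373.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
• Opcode ID: 95ff3357e813c7bae412e662bd41914893f35d60a9d7eec660ab1aac5adac33f
• Instruction ID: f9f4c80bebf2c4f62956ba029e2bdae5f8e5b1a13fc8a8e6c0a031d9ec90b580
• Opcode Fuzzy Hash: 95ff3357e813c7bae412e662bd41914893f35d60a9d7eec660ab1aac5adac33f
• Instruction Fuzzy Hash: 4DD067B1D00229AF8B50EFF999051DEBBF8EA08250B1045B6DA59E3200E6709A148BE1
Uniqueness Score: -1.00%
"""

SOURCE_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+)")
OPCODE_ID_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")
IFH_RE = re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-F]+)")
SCORE_RE = re.compile(r"Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%")


def parse_records(text):
    """One dict per 'Memory Dump Source' block in the report text.

    Assumption: the first dotted field of the dump file name is the
    process index (00000007.… -> 7). Blocks missing a source line or an
    Instruction Fuzzy Hash are skipped rather than guessed at.
    """
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        src, ifh = SOURCE_RE.search(chunk), IFH_RE.search(chunk)
        if not src or not ifh:
            continue
        opcode, score = OPCODE_ID_RE.search(chunk), SCORE_RE.search(chunk)
        records.append({
            "dump": src.group(1),
            "process": int(src.group(1).split(".")[0]),
            "offset": int(src.group(2), 16),
            "opcode_id": opcode.group(1) if opcode else None,
            "ifh": ifh.group(1),
            "score": float(score.group(1)) if score else None,
        })
    return records


def hash_similarity(a, b):
    """Fraction of hex positions at which two fuzzy hashes agree.

    Assumption: the hash is positional and fixed-length, so hashes of
    different length are treated as unrelated (0.0).
    """
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def find_similar(records, threshold=0.75):
    """Pairs of records whose Instruction Fuzzy Hashes score >= threshold,
    most similar first, flagged when the two records come from different
    processes (the interesting case for injected or copied code)."""
    hits = []
    for i, j in combinations(range(len(records)), 2):
        s = hash_similarity(records[i]["ifh"], records[j]["ifh"])
        if s >= threshold:
            hits.append({
                "a": i,
                "b": j,
                "similarity": s,
                "cross_process": records[i]["process"] != records[j]["process"],
            })
    return sorted(hits, key=lambda h: h["similarity"], reverse=True)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"parsed {len(recs)} function records")
    for h in find_similar(recs):
        a, b = recs[h["a"]], recs[h["b"]]
        tag = " (cross-process)" if h["cross_process"] else ""
        print(f"process {a['process']} @{a['offset']:08X} ~ process {b['process']} "
              f"@{b['offset']:08X}: {h['similarity']:.2f}{tag}")
```

To use it on the full section, paste the report text into `SAMPLE` (or read it from a file); the regexes ignore the empty Similarity lines, so the full layout parses unchanged. Pairs that clear the threshold are candidates to open side by side in the two dumps, not matches in their own right.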
Non-executed Functions