
Windows Analysis Report: Order Items.exe

Overview

General Information

Sample Name: Order Items.exe
Analysis ID: 458852
MD5: 32448ad048712424b7a5458913ef81ae
SHA1: 7ea927a711ad1222feec156ceed9551bf95b8291
SHA256: 441cfed8f57c89ce355e5ba64417bf5b6dc409ac122936da28be46227cea0b8e
Tags: exe

Most interesting Screenshot: (screenshot image not included in this text version)

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Order Items.exe (PID: 2772 cmdline: 'C:\Users\user\Desktop\Order Items.exe' MD5: 32448AD048712424B7A5458913EF81AE)
    • schtasks.exe (PID: 6052 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 2268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 4152 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe MD5: 8B9E68304AF4B81C9AB70CB2220EBA74)
    • MSBuild.exe (PID: 4368 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe MD5: 8B9E68304AF4B81C9AB70CB2220EBA74)
    • MSBuild.exe (PID: 4576 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe MD5: 8B9E68304AF4B81C9AB70CB2220EBA74)
    • MSBuild.exe (PID: 2916 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe MD5: 8B9E68304AF4B81C9AB70CB2220EBA74)
    • MSBuild.exe (PID: 4360 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe MD5: 8B9E68304AF4B81C9AB70CB2220EBA74)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.narrowpathwc.com/n8ba/"], "decoy": ["thefitflect.com", "anytourist.com", "blggz.xyz", "ascope.club", "obyeboss.com", "braun-mathematik.online", "mtsnurulislamsby.com", "jwpropertiestn.com", "animalds.com", "cunerier.com", "sillysocklife.com", "shopliyonamaaghin.net", "theredcymbalsco.com", "lostbikeproject.com", "ryggoqlmga.club", "realestatetriggers.com", "luvlauricephotography.com", "cheesehome.cloud", "5fashionfix.net", "wata-6-rwem.net", "ominvestment.net", "rrinuwsq643do2.xyz", "teamtacozzzz.com", "newjerseyreosales.com", "theresahovo.com", "wowmovies.today", "77k6tgikpbs39.net", "americagoldenwheels.com", "digitaladbasket.com", "gcagame.com", "arielatkins.net", "2020coaches.com", "effthisshit.com", "nycabl.com", "fbvanminh.com", "lovebirdsgifts.com", "anxietyxpill.com", "recaptcha-lnc.com", "aprendelspr.com", "expatinsur.com", "backtothesimplethings.com", "pcf-it.services", "wintonplaceoh.com", "designermotherhood.com", "naamt.com", "lifestylebykendra.com", "thehighstatusemporium.com", "oneninelacrosse.com", "mariasmoworldwide.com", "kitesurf-piraten.net", "atelierbond.com", "mynjelderlaw.com", "moucopia.com", "hauhome.club", "imroundtable.com", "thralink.com", "baoequities.com", "nassy.cloud", "goldenstatelabradoodles.com", "revenueremedyintensive.com", "dfendglobal.com", "pugliaandgastronomy.com", "cypios.net", "trinioware.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x4f1a98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x4f1e32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x4fdb45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4fd631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x4fdc47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x4fddbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x4f284a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x4fc8ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x4f35c2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x502c37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x503cda:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x4ffb69:$sqlite3step: 68 34 1C 7B E1
  • 0x4ffc7c:$sqlite3step: 68 34 1C 7B E1
  • 0x4ffb98:$sqlite3text: 68 38 2A 90 C5
  • 0x4ffcbd:$sqlite3text: 68 38 2A 90 C5
  • 0x4ffbab:$sqlite3blob: 68 53 D8 7F 8C
  • 0x4ffcd3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Order Items.exe PID: 2772 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\Order Items.exe', ParentImage: C:\Users\user\Desktop\Order Items.exe, ParentProcessId: 2772, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, ProcessId: 4152

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\mtBGJEC.exe | Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Roaming\mtBGJEC.exe | ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: Order Items.exe | Virustotal: Detection: 39%
Source: Order Items.exe | ReversingLabs: Detection: 44%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\mtBGJEC.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Order Items.exe | Joe Sandbox ML: detected
Source: Order Items.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.narrowpathwc.com/n8ba/
Source: unknown | TCP traffic detected without corresponding DNS query (destination IP, number of connections observed):
  • 20.82.209.183 (1)
  • 204.79.197.200 (11)
  • 93.184.220.29 (6)
  • 51.103.5.186 (4)
  • 131.253.33.200 (2)
  • 40.126.31.141 (8)
Source: Order Items.exe, 00000000.00000002.251271345.00000000028C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49676
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49680 -> 443

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Order Items.exe
Source: C:\Users\user\Desktop\Order Items.exe | Code function: 0_2_00007FFF30155076
Source: Order Items.exe, 00000000.00000002.250797027.0000000000A9C000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.258881968.000000001B300000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.250490915.0000000000516000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNonEventAttribu.exe6 vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.251271345.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameConfigNodeType.dll> vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.258978676.000000001B370000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStoreElement.dllB vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.251053555.00000000027C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.259102875.000000001B410000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.259102875.000000001B410000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Order Items.exe
Source: Order Items.exe | Binary or memory string: OriginalFilenameNonEventAttribu.exe6 vs Order Items.exe
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Order Items.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mtBGJEC.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/4@0/0
Source: C:\Users\user\Desktop\Order Items.exe | File created: C:\Users\user\AppData\Roaming\mtBGJEC.exe
Source: C:\Users\user\Desktop\Order Items.exe | Mutant created: \Sessions\1\BaseNamedObjects\wzGlwWLiyewwxNUGilgIfTbqP
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_01
Source: C:\Users\user\Desktop\Order Items.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1086.tmp
Source: Order Items.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order Items.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Order Items.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Order Items.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order Items.exe | Virustotal: Detection: 39%
Source: Order Items.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\Order Items.exe | File read: C:\Users\user\Desktop\Order Items.exe
Source: unknown | Process created: C:\Users\user\Desktop\Order Items.exe 'C:\Users\user\Desktop\Order Items.exe'
Source: C:\Users\user\Desktop\Order Items.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order Items.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe (5 occurrences: PIDs 4152, 4368, 4576, 2916 and 4360 in the process tree)
Source: C:\Users\user\Desktop\Order Items.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Order Items.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Order Items.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order Items.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Order Items.exe | Code function: 0_2_0046991C push 72060001h; retf 0_2_00469922
Source: C:\Users\user\Desktop\Order Items.exe | Code function: 0_2_00007FFF30157713 push ebx; retf 0_2_00007FFF3015771A
Source: C:\Users\user\Desktop\Order Items.exe | Code function: 0_2_00007FFF30157F17 push ebx; ret 0_2_00007FFF30157F1A
Source: initial sample | Static PE information: section name: .text entropy: 7.43608385702
Source: C:\Users\user\Desktop\Order Items.exe | File created (dropped file): C:\Users\user\AppData\Roaming\mtBGJEC.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Order Items.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
Source: C:\Users\user\Desktop\Order Items.exe | Process information set: NOOPENFILEERRORBOX (34 occurrences)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order Items.exe PID: 2772, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Order Items.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Order Items.exe TID: 6076 | Thread sleep time: -42276s >= -30000s
Source: C:\Users\user\Desktop\Order Items.exe TID: 5720 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Order Items.exe | Thread delayed: delay time: 42276
Source: C:\Users\user\Desktop\Order Items.exe | Thread delayed: delay time: 922337203685477
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\Order Items.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Order Items.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Order Items.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Order Items.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
Source: C:\Users\user\Desktop\Order Items.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe (5 occurrences: PIDs 4152, 4368, 4576, 2916 and 4360 in the process tree)
Source: C:\Users\user\Desktop\Order Items.exe | Queries volume information: C:\Users\user\Desktop\Order Items.exe VolumeInformation
Source: C:\Users\user\Desktop\Order Items.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 11 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 2 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

        Behavior Graph

        [Behavior graph ID 458852, sample Order Items.exe, start date 03/08/2021, architecture WINDOWS, score 100. Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 9 other signatures. Order Items.exe drops C:\Users\user\AppData\Roaming\mtBGJEC.exe (PE32), C:\Users\user\...\mtBGJEC.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmp1086.tmp (XML) and C:\Users\user\AppData\...\Order Items.exe.log (ASCII), then starts schtasks.exe, two MSBuild.exe instances and 3 other processes; schtasks.exe starts conhost.exe.]

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Order Items.exe | 39% | Virustotal |
        Order Items.exe | 44% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
        Order Items.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\mtBGJEC.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\mtBGJEC.exe | 39% | Virustotal |
        C:\Users\user\AppData\Roaming\mtBGJEC.exe | 44% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        www.narrowpathwc.com/n8ba/ | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        www.narrowpathwc.com/n8ba/ | true | Avira URL Cloud: safe | low

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Order Items.exe, 00000000.00000002.251271345.00000000028C1000.00000004.00000001.sdmp | false | | high

          Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox Version:33.0.0 White Diamond
          Analysis ID:458852
          Start date:03.08.2021
          Start time:19:49:26
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 6m 3s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:Order Items.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed:32
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@14/4@0/0
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 2.3% (good quality ratio 1%)
          • Quality average: 32.6%
          • Quality standard deviation: 32.9%
          HCA Information:
          • Successful, ratio: 77%
          • Number of executed functions: 48
          • Number of non-executed functions: 2
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 52.147.198.201, 23.211.6.115, 13.88.21.125, 104.43.139.144, 23.211.4.86, 20.82.210.154, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.112.88.60, 51.103.5.159, 80.67.82.235, 80.67.82.211
          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
          • Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          19:50:20 | API Interceptor | 1x Sleep call for process: Order Items.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order Items.exe.log
          Process:C:\Users\user\Desktop\Order Items.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):1742
          Entropy (8bit):5.381353871108486
          Encrypted:false
          SSDEEP:48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT
          MD5:978918F6120A43D1FA5899938A5A542F
          SHA1:6567A2E687B40BFD3A46246F51F4C89D93D89455
          SHA-256:F814F290A540B3FD755D05F3434317D7B26F2C33D2087F9E63233CD88AB510FC
          SHA-512:1DF2AF5A3F8212BF591AAA366FE96F167F3E6D43746E07B7CD44F1B2F06C63B1D290412891AD0B4D0A82D1DFD6EB2EB7D70981C35941F370DC97729E9205DD53
          Malicious:true
          Reputation:moderate, very likely benign file
          Preview (truncated):
          1,"fusion","GAC",0
          1,"WinRT","NotApp",1
          3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0
          3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0
          3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0
          3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0
          3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6
          C:\Users\user\AppData\Local\Temp\tmp1086.tmp
          Process:C:\Users\user\Desktop\Order Items.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1656
          Entropy (8bit):5.173416876922872
          Encrypted:false
          SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBatn:cbhH7MlNQ8/rydbz9I3YODOLNdq3a
          MD5:FCDAB3E472B354388C2A45AA6B0337D2
          SHA1:A27491684A672DFD53C3FBAE767E71B7A86DD3DE
          SHA-256:C00EA4503B5C908DDDF0BEDE1D3369D04117B4DF7D70D9AEF0176643AB5D5832
          SHA-512:AD17CA8F5C531C14186B45493616C2A2B90FB6C7079321244AA9FD019B1D1B8369FD872C2E911B37BD0A6FB2E202E65D24B334F206377D71ACC8672FCCA0C46F
          Malicious:true
          Preview (truncated):
          <?xml version="1.0" encoding="UTF-16"?>
          <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
            <RegistrationInfo>
              <Date>2014-10-25T14:27:44.8929027</Date>
              <Author>computer\user</Author>
            </RegistrationInfo>
            <Triggers>
              <LogonTrigger>
                <Enabled>true</Enabled>
                <UserId>computer\user</UserId>
              </LogonTrigger>
              <RegistrationTrigger>
                <Enabled>false</Enabled>
              </RegistrationTrigger>
            </Triggers>
            <Principals>
              <Principal id="Author">
                <UserId>computer\user</UserId>
                <LogonType>InteractiveToken</LogonType>
                <RunLevel>LeastPrivilege</RunLevel>
              </Principal>
            </Principals>
            <Settings>
              <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
              <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
              <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
              <AllowHardTerminate>false</AllowHardTerminate>
              <StartWhenAv
          C:\Users\user\AppData\Roaming\mtBGJEC.exe
          Process:C:\Users\user\Desktop\Order Items.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):738304
          Entropy (8bit):7.429495166902179
          Encrypted:false
          SSDEEP:12288:ZeyKSgW4uoEGLBBBBBBBBBBBXBBBBBBBBBBBCvo5xjioLYdoRhB8uyg0kMM9V7sg:EZWZwlCUglg0k99hTe0/h3AtEN5
          MD5:32448AD048712424B7A5458913EF81AE
          SHA1:7EA927A711AD1222FEEC156CEED9551BF95B8291
          SHA-256:441CFED8F57C89CE355E5BA64417BF5B6DC409AC122936DA28BE46227CEA0B8E
          SHA-512:77BFB62463CB193BF1EF364BE2F9D7F954396D2AA9ED6A8B50C03B658A5F7D6989A3FAD11BCE916F204B564B359A3FB299E59BAAC4C32491226A03A82FAE156A
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: Virustotal, Detection: 39%
          • Antivirus: ReversingLabs, Detection: 44%
          C:\Users\user\AppData\Roaming\mtBGJEC.exe:Zone.Identifier
          Process:C:\Users\user\Desktop\Order Items.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Preview:
          [ZoneTransfer]
          ZoneId=0

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.429495166902179
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          • Win32 Executable (generic) a (10002005/4) 49.75%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Windows Screen Saver (13104/52) 0.07%
          • Generic Win/DOS Executable (2004/3) 0.01%
          File name:Order Items.exe
          File size:738304
          MD5:32448ad048712424b7a5458913ef81ae
          SHA1:7ea927a711ad1222feec156ceed9551bf95b8291
          SHA256:441cfed8f57c89ce355e5ba64417bf5b6dc409ac122936da28be46227cea0b8e
          SHA512:77bfb62463cb193bf1ef364be2f9d7f954396d2aa9ed6a8b50c03b658a5f7d6989a3fad11bce916f204b564b359a3fb299e59baac4c32491226a03a82fae156a
          SSDEEP:12288:ZeyKSgW4uoEGLBBBBBBBBBBBXBBBBBBBBBBBCvo5xjioLYdoRhB8uyg0kMM9V7sg:EZWZwlCUglg0k99hTe0/h3AtEN5

          File Icon

          Icon Hash:00828e8e8686b000

          Static PE Info

          General

          Entrypoint:0x4b4ef6
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x6108A2E3 [Tue Aug 3 01:58:59 2021 UTC]
          TLS Callbacks:
          CLR (.Net) Version:v4.0.30319
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

          Entrypoint Preview

          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al (encoding 00 00; this line repeats for the remaining zero bytes of the preview)

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb4ea4 | 0x4f | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0xfe4 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0xb2efc | 0xb3000 | False | 0.785640439508 | data | 7.43608385702 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rsrc | 0xb6000 | 0xfe4 | 0x1000 | False | 0.455322265625 | data | 5.68154668653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0xb8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          RT_VERSION | 0xb6090 | 0x380 | data | |
          RT_MANIFEST | 0xb6420 | 0xbbe | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

          Imports

          DLL | Import
          mscoree.dll | _CorExeMain

          Version Infos

          Description | Data
          Translation | 0x0000 0x04b0
          LegalCopyright | Copyright 2016
          Assembly Version | 1.0.0.0
          InternalName | NonEventAttribu.exe
          FileVersion | 1.0.0.0
          CompanyName | flextronics
          LegalTrademarks | flex
          Comments | flex spare part room
          ProductName | Spare Part
          ProductVersion | 1.0.0.0
          FileDescription | Spare Part
          OriginalFilename | NonEventAttribu.exe

          Network Behavior

          Network Port Distribution

          TCP Packets


          UDP Packets


          Code Manipulations

          Statistics

          CPU Usage

          Memory Usage

          High Level Behavior Distribution

          Behavior

          System Behavior

          General

          Start time: 19:50:19
          Start date: 03/08/2021
          Path: C:\Users\user\Desktop\Order Items.exe
          Wow64 process (32bit): false
          Commandline: 'C:\Users\user\Desktop\Order Items.exe'
          Imagebase: 0x460000
          File size: 738304 bytes
          MD5 hash: 32448AD048712424B7A5458913EF81AE
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: .Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation: low

          General

          Start time: 19:50:22
          Start date: 03/08/2021
          Path: C:\Windows\System32\schtasks.exe
          Wow64 process (32bit): false
          Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
          Imagebase: 0x7ff644060000
          File size: 226816 bytes
          MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: moderate

          General

          Start time: 19:50:23
          Start date: 03/08/2021
          Path: C:\Windows\System32\conhost.exe
          Wow64 process (32bit): false
          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase: 0x7ff774ee0000
          File size: 625664 bytes
          MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: high

          General

          Start time: 19:50:23
          Start date: 03/08/2021
          Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Wow64 process (32bit): false
          Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Imagebase: 0x16033ac0000
          File size: 258144 bytes
          MD5 hash: 8B9E68304AF4B81C9AB70CB2220EBA74
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: low

          General

          Start time: 19:50:24
          Start date: 03/08/2021
          Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Wow64 process (32bit): false
          Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Imagebase: 0x1c212d40000
          File size: 258144 bytes
          MD5 hash: 8B9E68304AF4B81C9AB70CB2220EBA74
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: low

          General

          Start time: 19:50:24
          Start date: 03/08/2021
          Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Wow64 process (32bit): true
          Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Imagebase: 0x11a0000
          File size: 258144 bytes
          MD5 hash: 8B9E68304AF4B81C9AB70CB2220EBA74
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: low

          General

          Start time: 19:50:24
          Start date: 03/08/2021
          Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Wow64 process (32bit): false
          Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Imagebase: 0x287c7b30000
          File size: 258144 bytes
          MD5 hash: 8B9E68304AF4B81C9AB70CB2220EBA74
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: low

          General

          Start time: 19:50:25
          Start date: 03/08/2021
          Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Wow64 process (32bit): false
          Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Imagebase: 0x1865f020000
          File size: 258144 bytes
          MD5 hash: 8B9E68304AF4B81C9AB70CB2220EBA74
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: low

          Disassembly

          Code Analysis

            Executed Functions

            • Instruction ID: 01a86c374b0d4e250df6ac26b2206970d77da3c59e56dbd1f6c246a0c8cc2a52
            • Opcode Fuzzy Hash: 3825cee37c60179e6e650c2003e808f72b00cca16839dfde1acbfe5c8146c8c8
            • Instruction Fuzzy Hash: 93E0927468490D8FCBD4EF18C8A8BA973E1FF59300F4080A4A44DD7266CE30AC85CB00
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b6bc88d1f53cd0a997e655de1d2aa226fad50471955ebb85a35f1a8bc19cb8cd
            • Instruction ID: 4889346bee047457b7054fb97f5090cc02225d78a23beae3aa8a8666c9e8b674
            • Opcode Fuzzy Hash: b6bc88d1f53cd0a997e655de1d2aa226fad50471955ebb85a35f1a8bc19cb8cd
            • Instruction Fuzzy Hash: 18E0B67465491D8FCBD0EF28C858BA973F1FF59300F0000A4A40ED7266CB30AC41CB00
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8e7866275e5466a0708b7d8ad93da2cdafb3f97c40a3e6cfe61eee45502f7339
            • Instruction ID: 04b440ae127811b47cb3111391246e7cfb9e5d703c8b05f4c9fa079589ad2387
            • Opcode Fuzzy Hash: 8e7866275e5466a0708b7d8ad93da2cdafb3f97c40a3e6cfe61eee45502f7339
            • Instruction Fuzzy Hash: 84E0923064494D8FCBD4EF28C898B9973E1EF5A300F0040A4A40DDB666CF30EC85CB00
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0409532faf39c68046e34a363207ad356af4bccb4a09125226e8170df1464d08
            • Instruction ID: 89f2a1667cdb69b4ba91b42b2bd7c5d0c55161d671537b15895ad46b8d0c92a4
            • Opcode Fuzzy Hash: 0409532faf39c68046e34a363207ad356af4bccb4a09125226e8170df1464d08
            • Instruction Fuzzy Hash: 70E048719286CD8FE795BF2884482A57AD0FF54204F40047AE418C52F2DE345554C640
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 24f935b480ba28495fe5e8bcddf84d5d81864eb92f96b58130a20758fda42b8a
            • Instruction ID: a9e664f1d8f4fd93085516941d24a9f3636459c314b7650e124e73a276a5c46c
            • Opcode Fuzzy Hash: 24f935b480ba28495fe5e8bcddf84d5d81864eb92f96b58130a20758fda42b8a
            • Instruction Fuzzy Hash: 0DE0C230D2451D9FE799EB68C992AECB6F1BB48300F4044BAC11DE22D1CE782A819F40
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: be3e97be48a54d586cc5d199d9851f994ed04c4de6d1938e27d1e23048980fed
            • Instruction ID: ca1ed9b42466ea18e69c2930ec1c5c8e268dd5f5ced024786ad07927878d3628
            • Opcode Fuzzy Hash: be3e97be48a54d586cc5d199d9851f994ed04c4de6d1938e27d1e23048980fed
            • Instruction Fuzzy Hash: ACD01230C1461DCEDB54DFA5D4415EDB7B2FBD4304F20D13AC009A7258C6356042DB40
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 19d79b0004fa8df4828a348fff185c45a3841aa7a3c037a930332e077d70af69
            • Instruction ID: e6f3e425da520414e82b6f5fe001b1a8bd548b583c5c1f3153da9b85d3f90266
            • Opcode Fuzzy Hash: 19d79b0004fa8df4828a348fff185c45a3841aa7a3c037a930332e077d70af69
            • Instruction Fuzzy Hash: 6DD04230A58A2C9EDBD0EB188845BA9B6F7FB68310F5041E5840DE2265DF305985CB42
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 755e85cf4a7d97df481c63e5ae6c24c52875dcaccc0176cad7b379928fe1f68e
            • Instruction ID: 1a83c9f51cbacddb8d4fb081531a2493d13a3b66baf2f381eeeedece78f100b2
            • Opcode Fuzzy Hash: 755e85cf4a7d97df481c63e5ae6c24c52875dcaccc0176cad7b379928fe1f68e
            • Instruction Fuzzy Hash: 68C01231C8848E86DB92BA2098410FB73A4AF40304F080832E82D8A1A2CD283920E501
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b79cb7762116dfeeb1f9b083938d76c42834715637608e5829c0b64069111a94
            • Instruction ID: 4a727e3e1e5ed2cc78f5fa81702fead7eaec6a67769d975fd50ef82b7fc614c8
            • Opcode Fuzzy Hash: b79cb7762116dfeeb1f9b083938d76c42834715637608e5829c0b64069111a94
            • Instruction Fuzzy Hash: F6D09230914A1C5FEB98EB188864BACB6E1FB58304F9080AA904DE32A1DD302984DB00
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a6e1adc35fa95a6fa5cab5fc708d9114384fb66a47756d1136707073aefa5890
            • Instruction ID: f9cace1f9c02c90213d3567dfed2cdd996fe2f24bb6639390ff800ce373050fe
            • Opcode Fuzzy Hash: a6e1adc35fa95a6fa5cab5fc708d9114384fb66a47756d1136707073aefa5890
            • Instruction Fuzzy Hash: 65C0806191594B0AE791A72404853B827D5DF75201F141461940DD33A3DC3854511310
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d249cc8dbd138af9b6ad16cec76c8584ae678737cf3f44741daa867403dc44c7
            • Instruction ID: ab10b016c1e159a28eac5d6813aa1355099ae06a658daae45c984dceae9efa76
            • Opcode Fuzzy Hash: d249cc8dbd138af9b6ad16cec76c8584ae678737cf3f44741daa867403dc44c7
            • Instruction Fuzzy Hash: B3C02B31B08A588FE3029F5008142E4D4E2BF74200F0040E7C08CE62D3EF300844C713
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID: ]_^$]_^$]_^Z$]_^\$]_^b$]_^f$]_^h$]_^v$]_^x
            • API String ID: 0-1279556635
            • Opcode ID: 19387c94cbd409b19ad785aae1571ae67a51b69d407ee4ce69b808f0a191c3ce
            • Instruction ID: 5e9a9788e059b92163ae09d2d90dd7dc885b23fcc5377692eb70f641fdbdcf77
            • Opcode Fuzzy Hash: 19387c94cbd409b19ad785aae1571ae67a51b69d407ee4ce69b808f0a191c3ce
            • Instruction Fuzzy Hash: 0431366BB0E1155BE7047A6D78C12E83BC0EF8533974901B3C6DCEE293F9466D4B9194
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.259975150.00007FFF30150000.00000040.00000001.sdmp, Offset: 00007FFF30150000, based on PE: false
            Similarity
            • API ID:
            • String ID: ]_^($]_^)$]_^8$]_^:
            • API String ID: 0-1888661989
            • Opcode ID: 44a97adbc6001b72a5bb7262d4e5e7aff4bb222da35353d3980cb525b9683d29
            • Instruction ID: 9a99a55ef4b1ce502f32fd0e8c96ddfe172462f5da608587532e9d1659fbd4f4
            • Opcode Fuzzy Hash: 44a97adbc6001b72a5bb7262d4e5e7aff4bb222da35353d3980cb525b9683d29
            • Instruction Fuzzy Hash: DE21A46B90501527A7047E3DB8821DC2B85FF44771B910573D8DDBA0F3EE16A8EAC1C9
            Uniqueness

            Uniqueness Score: -1.00%