Windows Analysis Report Sipari#U015f formu.exe

Overview

General Information

Sample Name: Sipari#U015f formu.exe
Analysis ID: 528524
MD5: 032bbfd4181a7cee029849db610a318b
SHA1: c99434f7f007f6f0f1317839cc7129db813d0750
SHA256: 9ae8f73164a7e8159a942f5c304cb55560f975ca943f00c2ef4f6dd489ce0656
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Sipari#U015f formu.exe (PID: 5356 cmdline: "C:\Users\user\Desktop\Sipari#U015f formu.exe" MD5: 032BBFD4181A7CEE029849DB610A318B)
    • Sipari#U015f formu.exe (PID: 5956 cmdline: C:\Users\user\Desktop\Sipari#U015f formu.exe MD5: 032BBFD4181A7CEE029849DB610A318B)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "-640017301", "Chat URL": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 18 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Sipari#U015f formu.exe.2d971c8.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
3.0.Sipari#U015f formu.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.0.Sipari#U015f formu.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.2.Sipari#U015f formu.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.2.Sipari#U015f formu.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(5 of 17 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "-640017301", "Chat URL": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocument"}
Source: Sipari#U015f formu.exe.5356.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendMessage"}
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.Sipari#U015f formu.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: Sipari#U015f formu.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Sipari#U015f formu.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: http://nQZIDO.com
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocumentdocument-----
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658187478.0000000001228000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.0.Sipari#U015f formu.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.0.Sipari#U015f formu.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b8A798CEDu002d3CCBu002d454Eu002d88B5u002dBAB811469A9Cu007d/u003103172F1u002dA66Fu002d4B76u002dA067u002d1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: Sipari#U015f formu.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A85C24 | 0_2_00A85C24
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_02BC8250 | 0_2_02BC8250
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_02BCD2F8 | 0_2_02BCD2F8
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055FF5D0 | 0_2_055FF5D0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055F5AB0 | 0_2_055F5AB0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055F5AA0 | 0_2_055F5AA0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00595C24 | 3_2_00595C24
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF6078 | 3_2_00CF6078
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF5318 | 3_2_00CF5318
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF2E70 | 3_2_00CF2E70
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFD060 | 3_2_00CFD060
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA902 | 3_2_00CFA902
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00DC5D98 | 3_2_00DC5D98
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00DC1310 | 3_2_00DC1310
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00EB4960 | 3_2_00EB4960
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00EB4950 | 3_2_00EB4950
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00EBDF60 | 3_2_00EBDF60
Source: Sipari#U015f formu.exe | Binary or memory string: OriginalFilename vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWgOeZtowfaTIOlypmkhHrWzxdUx.exe4 vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.660812533.0000000005DC0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWgOeZtowfaTIOlypmkhHrWzxdUx.exe4 vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658187478.0000000001228000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.662053728.0000000006350000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWgOeZtowfaTIOlypmkhHrWzxdUx.exe4 vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000003.00000002.917015212.0000000000798000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe | Binary or memory string: OriginalFilenameHa.exe. vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File read: C:\Users\user\Desktop\Sipari#U015f formu.exe:Zone.Identifier
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Sipari#U015f formu.exe "C:\Users\user\Desktop\Sipari#U015f formu.exe"
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process created: C:\Users\user\Desktop\Sipari#U015f formu.exe C:\Users\user\Desktop\Sipari#U015f formu.exe
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sipari#U015f formu.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: Sipari#U015f formu.exe | String found in binary or memory: /Ha;component/views/addbook.xaml
Source: Sipari#U015f formu.exe | String found in binary or memory: views/addbook.baml
Source: Sipari#U015f formu.exe | String found in binary or memory: views/addcustomer.baml
Source: Sipari#U015f formu.exe | String found in binary or memory: /Ha;component/views/addcustomer.xaml
Source: Sipari#U015f formu.exe | String found in binary or memory: A/Ha;component/views/addbook.xamlW/Ha;component/views/borrowfrombookview.xamlM/Ha;component/views/borrowingview.xamlG/Ha;component/views/changebook.xamlO/Ha;component/views/changecustomer.xamlK/Ha;component/views/customerview.xamlO/Ha;component/views/deletecustomer.xamlE/Ha;component/views/errorview.xamlI/Ha;component/views/smallextras.xamlI/Ha;component/views/addcustomer.xaml
Source: Sipari#U015f formu.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Sipari#U015f formu.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Sipari#U015f formu.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Sipari#U015f formu.exe, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Sipari#U015f formu.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Sipari#U015f formu.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.5.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Sipari#U015f formu.exe.590000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.13.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.3.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.7.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.9.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A89361 push ds; retf 0_2_00A89364
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A892F5 push ds; ret 0_2_00A89340
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A89347 push ds; ret 0_2_00A8934C
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055F56E0 push esp; iretd 0_2_055F56E9
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00599347 push ds; ret 3_2_0059934C
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_005992F5 push ds; ret 3_2_00599340
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00599361 push ds; retf 3_2_00599364
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA35B pushfd ; iretd 3_2_00CFA35E
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA359 pushfd ; iretd 3_2_00CFA35A
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA354 pushfd ; iretd 3_2_00CFA356
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA360 pushfd ; iretd 3_2_00CFA362
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF4778 push 00000041h; iretd 3_2_00CF477A
Source: initial sample | Static PE information: section name: .text entropy: 7.88235938246
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match File source: 0.2.Sipari#U015f formu.exe.2d971c8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Sipari#U015f formu.exe.2e25574.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -240000s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3240 Thread sleep count: 591 > 30
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -239843s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3240 Thread sleep count: 2085 > 30
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -239728s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 5404 Thread sleep time: -30884s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -239624s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -239515s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -239405s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -239296s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -239187s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -239077s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -238968s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -238827s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -238718s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -238606s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -238390s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -237343s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -236750s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -236390s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 Thread sleep time: -236249s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 1296 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 7084 Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 5408 Thread sleep count: 865 > 30
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 5408 Thread sleep count: 8996 > 30
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 240000
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239843
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239728
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239624
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239515
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239405
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239296
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239187
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239077
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238968
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238827
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238718
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238606
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238390
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 237343
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 236750
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 236390
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 236249
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Window / User API: threadDelayed 591
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Window / User API: threadDelayed 2085
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Window / User API: threadDelayed 865
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Window / User API: threadDelayed 8996
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 240000
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239843
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239728
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 30884
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239624
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239515
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239405
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239296
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239187
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 239077
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238968
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238827
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238718
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238606
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 238390
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 237343
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 236750
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 236390
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 236249
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Thread delayed: delay time: 922337203685477
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp Binary or memory string: vmware
                      Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Code function: 3_2_00CFEDC8 LdrInitializeThunk,3_2_00CFEDC8
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe File written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Process created: C:\Users\user\Desktop\Sipari#U015f formu.exe C:\Users\user\Desktop\Sipari#U015f formu.exe
                      Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Users\user\Desktop\Sipari#U015f formu.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Users\user\Desktop\Sipari#U015f formu.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

                      Yara detected Telegram RAT
                      Source: Yara match File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR
                      Yara detected AgentTesla
                      Source: Yara match File source: 3.0.Sipari#U015f formu.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.Sipari#U015f formu.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.Sipari#U015f formu.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara match File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match  File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match  File source: 3.0.Sipari#U015f formu.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.0.Sipari#U015f formu.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.0.Sipari#U015f formu.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR

Mitre Att&ck Matrix

The report's matrix is reproduced below one tactic column per line, with cells in the order they appear. The digits in square brackets are the report's signature-count badges for techniques the sample triggered, kept exactly as extracted; techniques without a badge are the matrix's unmatched grid cells.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation [211], Command and Scripting Interpreter [2], At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection [12], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading [1], File and Directory Permissions Modification [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [131], Process Injection [12], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [2], Software Packing [13]
Credential Access: OS Credential Dumping [1], Input Capture [111], Credentials in Registry [1], NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery [211], Process Discovery [2], Virtualization/Sandbox Evasion [131], Application Window Discovery [1], System Information Discovery [114], System Owner/User Discovery, Network Sniffing, Network Service Scanning
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Email Collection [1], Input Capture [111], Archive Collected Data [11], Data from Local System [1], Clipboard Data [1], GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1], Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
3.0.Sipari#U015f formu.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
3.2.Sipari#U015f formu.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Sipari#U015f formu.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Sipari#U015f formu.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Sipari#U015f formu.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Sipari#U015f formu.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://nQZIDO.com | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

The entries containing "%" are format-string templates carved from process memory with adjacent string constants fused to them (for example the HTTP method and User-Agent after api.ipify.org), not URLs the sample requested as written; no network traffic was captured in this run.

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocumentdocument----- | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | (none) | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp; Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | false | (none) | high
http://nQZIDO.com | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org% | Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp; Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp; Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | false | (none) | unknown
https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/ | Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp; Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp; Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | false | (none) | high
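
The two api.telegram.org strings above carry the sample's exfiltration configuration: a Bot API URL with the bot id and token embedded in the path, and the sendDocument method that uploads the harvested data as a file (this is the "Telegram RAT" variant of AgentTesla that the Yara rule names). Note that the domain itself rates "high" reputation because it is a legitimate service, so a block has to target the bot path or the method, not api.telegram.org. The following is an added example, not code from the report or the sample, that pulls those indicators out of a strings dump; the input is the list of strings the report extracted from dump 00000003.00000002.918210853.0000000002A51000, and the list of Bot API methods it recognises is a deliberately small assumption.

```python
import re

# Telegram Bot API URL as it appears in memory: /bot<bot id>:<token>/<method>.
# The token shape (numeric id, colon, 35 chars of [A-Za-z0-9_-]) is the form
# Telegram issues in practice. The method alternation is an assumed subset of
# the API; it is anchored so that a trailing fused string ("document-----")
# does not get absorbed into the method name.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{35})/"
    r"(?P<method>sendDocument|sendMessage|sendPhoto|getMe|getUpdates)?"
)

# Supporting-infrastructure markers also present in the report's string list.
CONTEXT_MARKERS = {
    "external-ip-lookup": re.compile(r"https?://api\.ipify\.org", re.IGNORECASE),
    "tor-bundle-download": re.compile(r"torbrowser/[\d.]+/tor-win32-[\d.]+\.zip", re.IGNORECASE),
}


def extract_telegram_bots(strings):
    """Aggregate Bot API URLs per (bot id, token). Returns a list of dicts
    {bot_id, token, methods}; methods is the sorted set of API methods seen
    with that token (a bare prefix template contributes no method)."""
    found = {}
    for s in strings:
        for m in TELEGRAM_BOT_RE.finditer(s):
            methods = found.setdefault((m.group("bot_id"), m.group("token")), set())
            if m.group("method"):
                methods.add(m.group("method"))
    return [{"bot_id": b, "token": t, "methods": sorted(ms)} for (b, t), ms in found.items()]


def tag_context(strings):
    """Return the sorted context tags whose marker matched any string."""
    return sorted(tag for tag, rx in CONTEXT_MARKERS.items() if any(rx.search(s) for s in strings))


def redact(token):
    """Keep the head and tail of a token so it can be correlated across
    reports without reproducing a usable credential."""
    return token[:4] + "..." + token[-4:]


# Strings as listed in the report's "URLs from Memory and Binaries" table.
# Fragments ending in "%" are format-string templates, not complete URLs.
REPORT_STRINGS = [
    "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocumentdocument-----",
    "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/",
    "https://api.ipify.org%GETMozilla/5.0",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "http://127.0.0.1:HTTP/1.1",
]

if __name__ == "__main__":
    for bot in extract_telegram_bots(REPORT_STRINGS):
        print(f"bot {bot['bot_id']} token {redact(bot['token'])} methods {bot['methods']}")
    print("context:", tag_context(REPORT_STRINGS))
```

For response, the bot id and token are the actionable pair: the token can be reported to Telegram for revocation, and the id is stable across builds that reuse the same bot, which makes it a better pivot than the sample hash.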

                            Contacted IPs

                            No contacted IP infos

                            General Information

                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:528524
                            Start date:25.11.2021
                            Start time:13:18:14
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 7m 59s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:Sipari#U015f formu.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:16
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.adwa.spyw.evad.winEXE@3/2@0/0
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 98%
                            • Number of executed functions: 121
                            • Number of non-executed functions: 3
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 92.122.145.220
                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
13:19:03 | API Interceptor | 835x Sleep call for process: Sipari#U015f formu.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

                            No context

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sipari#U015f formu.exe.log
                            Process:C:\Users\user\Desktop\Sipari#U015f formu.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):2239
                            Entropy (8bit):5.354287817410997
                            Encrypted:false
                            SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                            MD5:913D1EEA179415C6D08FB255AE42B99D
                            SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                            SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                            SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                            C:\Windows\System32\drivers\etc\hosts
                            Process:C:\Users\user\Desktop\Sipari#U015f formu.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):835
                            Entropy (8bit):4.694294591169137
                            Encrypted:false
                            SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                            MD5:6EB47C1CF858E25486E42440074917F2
                            SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                            SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                            SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                            Malicious:true
                            Reputation:moderate, very likely benign file
                            Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
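
The hosts entry above is the one file the report flags as malicious: the preview is the stock Microsoft template, in which every mapping is commented out (Windows resolves localhost in DNS), followed by a bare "127.0.0.1" that the sample appended. Any active line in a recovered hosts file is therefore an addition, and an address with no hostname is a write that was truncated or never completed. The following is an added example, not code from the report, for triaging a recovered hosts file along those lines. The template text is abridged from the preview; the second variant and its .test domains are constructed to show what a completed sinkhole write looks like.

```python
import ipaddress

def parse_hosts(text):
    """Return [(lineno, ip_text, hostnames, problem)] for every non-blank,
    non-comment line. problem is None for a well-formed entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments, keep the code part
        if not line:
            continue
        parts = line.split()
        ip_text, names = parts[0], parts[1:]
        problem = None
        try:
            ipaddress.ip_address(ip_text)
        except ValueError:
            problem = "first field is not an IP address"
        if problem is None and not names:
            problem = "address with no hostname"
        entries.append((lineno, ip_text, names, problem))
    return entries


def classify_hosts(text, watch_suffixes=()):
    """Triage a hosts file. Returns a dict with:
    active    - well-formed entries (on a stock Windows hosts file this is empty)
    malformed - broken lines, e.g. the bare address in the report's preview
    sinkholed - hostnames mapped to loopback or 0.0.0.0, i.e. blocked
    watched   - hostnames ending in one of watch_suffixes (AV/update domains)"""
    active, malformed, sinkholed, watched = [], [], [], []
    for lineno, ip_text, names, problem in parse_hosts(text):
        if problem:
            malformed.append((lineno, ip_text, problem))
            continue
        active.append((lineno, ip_text, names))
        addr = ipaddress.ip_address(ip_text)
        if addr.is_loopback or addr.is_unspecified:
            sinkholed.extend(names)
        watched.extend(n for n in names
                       if any(n.lower().endswith(s.lower()) for s in watch_suffixes))
    return {"active": active, "malformed": malformed,
            "sinkholed": sinkholed, "watched": watched}


# Constructed from the report's dropped-file preview: stock header (abridged,
# all mappings commented out) followed by the bare "127.0.0.1" the sample wrote.
HOSTS_FROM_REPORT = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\r\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    "# localhost name resolution is handled within DNS itself.\r\n"
    "#\t127.0.0.1       localhost\r\n"
    "#\t::1             localhost\r\n"
    "\r\n"
    "127.0.0.1"
)

# Constructed variant (not from the report): the same write completed with
# hostnames, as a sinkhole of security-vendor domains would look.
HOSTS_SINKHOLE_VARIANT = (HOSTS_FROM_REPORT
                          + " update.example-av.test\r\n"
                          + "0.0.0.0 telemetry.example-av.test\r\n")

if __name__ == "__main__":
    print(classify_hosts(HOSTS_FROM_REPORT))
    print(classify_hosts(HOSTS_SINKHOLE_VARIANT, watch_suffixes=(".example-av.test",)))
```

Comparing the recovered file's hash with the report's (MD5 6EB47C1CF858E25486E42440074917F2) confirms you have the same artefact; the classifier then tells you whether the modification did anything, which a hash alone does not.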

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.871616213599999
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:Sipari#U015f formu.exe
                            File size:500736
                            MD5:032bbfd4181a7cee029849db610a318b
                            SHA1:c99434f7f007f6f0f1317839cc7129db813d0750
                            SHA256:9ae8f73164a7e8159a942f5c304cb55560f975ca943f00c2ef4f6dd489ce0656
                            SHA512:aa504d9d1235478c61bb0545cbef88e03bf2ab0a852ddbdae1c65ba79511bf44ac43c023bcf5cf15c80aec4adf90a452a3d611cc32a6107c60f5c70fc13bf8e1
                            SSDEEP:12288:xe1O0GEJPlAFHRv2wAtHcrhCaMI7oPLH8ixBFm:xkO0GkPlQRv2lt8rdVMPLH8i1
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.a..............0.............^.... ........@.. ....................................@................................

                            File Icon

                            Icon Hash:00828e8e8686b000

                            Static PE Info

                            General

                            Entrypoint:0x47b95e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x619F43BA [Thu Nov 25 08:05:14 2021 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:v4.0.30319
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                            Entrypoint Preview

                            Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [ebp+0800000Eh], ch
add byte ptr [eax], al
(the rest of the preview is "add byte ptr [eax], al" repeated, i.e. zero bytes, and is not reproduced here)

The first instruction is the standard native stub of a managed executable: it jumps through the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 8, listed below) to mscoree.dll!_CorExeMain, the only import, which loads the CLR and runs the managed entry point. Nothing of the sample's logic is at this address; analysis has to start from the .NET metadata and the unpacked payloads listed above.

                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7b90c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x79974 | 0x79a00 | False | 0.897995889003 | data | 7.88235938246 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x7c000 | 0x5ac | 0x600 | False | 0.425130208333 | data | 4.10522833329 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x7c090 | 0x31c | data | |
RT_MANIFEST | 0x7c3bc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                            Imports

DLL | Import
mscoree.dll | _CorExeMain
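
The static facts in this part of the report fit together: the entrypoint (0x47b95e, RVA 0x7b95e) sits at the end of .text, its "jmp dword ptr [00402000h]" goes through the 8-byte IAT at RVA 0x2000 whose only entry is mscoree!_CorExeMain, the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) follows it at 0x2008 with its fixed 0x48-byte size, and the .text entropy of 7.88 is near the 8.0 ceiling, which is what the "Software Packing" and "very large array initializations" signatures are reacting to. The following is an added example, not code from the report, that performs those checks from the values the report lists; the entrypoint bytes are constructed from the disassembly shown (FF 25 is the opcode of an absolute indirect jmp).

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Values transcribed from the report's Static PE Info, Data Directories and Sections.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x47B95E
IAT_DIR = (0x2000, 0x8)       # IMAGE_DIRECTORY_ENTRY_IAT: (RVA, size)
CLR_DIR = (0x2008, 0x48)      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: (RVA, size)
SECTIONS = {".text": (0x2000, 0x79974), ".rsrc": (0x7C000, 0x5AC), ".reloc": (0x7E000, 0xC)}
TIME_DATE_STAMP = 0x619F43BA

# Constructed encoding of the report's entrypoint preview: "jmp dword ptr
# [00402000h]" is FF 25 + little-endian absolute slot address, followed by
# the zero bytes that disassemble as "add byte ptr [eax], al".
ENTRY_STUB = bytes.fromhex("FF25002040000000")


def decode_indirect_jmp(stub, image_base):
    """Decode an x86 `jmp dword ptr [abs32]` (FF 25 disp32). Returns the RVA
    of the slot the jump reads its target from, or None for any other code."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return None
    (slot_va,) = struct.unpack_from("<I", stub, 2)
    return slot_va - image_base


def rva_in(rva, directory):
    """True if rva lies inside a (start, size) data directory."""
    start, size = directory
    return start <= rva < start + size


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, (start, vsize) in sections.items():
        if start <= rva < start + vsize:
            return name
    return None


def is_clr_entry_stub(stub, image_base=IMAGE_BASE, iat=IAT_DIR, clr=CLR_DIR):
    """A managed EXE's native entrypoint is a 6-byte jmp through its single
    IAT slot (mscoree!_CorExeMain), and the CLR header (IMAGE_COR20_HEADER)
    is always 0x48 bytes. True only when both facts hold for this image."""
    slot = decode_indirect_jmp(stub, image_base)
    return slot is not None and rva_in(slot, iat) and clr[1] == 0x48


def pe_timestamp_utc(ts):
    """Render the PE TimeDateStamp (seconds since the Unix epoch) as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; the measure behind the report's Entropy columns."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    ep_rva = ENTRYPOINT_VA - IMAGE_BASE
    print("entrypoint RVA", hex(ep_rva), "in section", section_for_rva(ep_rva))
    print("entrypoint is the CLR stub:", is_clr_entry_stub(ENTRY_STUB))
    print("TimeDateStamp:", pe_timestamp_utc(TIME_DATE_STAMP), "UTC")
    print("entropy of 256 distinct bytes:", shannon_entropy(bytes(range(256))))
```

The timestamp decodes to the morning of the analysis day, so the compile time was not stomped; a managed binary whose native stub is anything other than this jmp, or whose IAT is larger than one slot, has native code bolted on and deserves a closer look than the stub itself.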

                            Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Rogers Peet
Assembly Version | 8.0.6.0
InternalName | Ha.exe
FileVersion | 5.6.0.0
CompanyName | Rogers Peet
LegalTrademarks |
Comments |
ProductName | Biblan
ProductVersion | 5.6.0.0
FileDescription | Biblan
OriginalFilename | Ha.exe

                            Network Behavior

                            No network behavior found

                            Code Manipulations

                            Statistics

                            CPU Usage


                            Memory Usage


                            High Level Behavior Distribution


                            Behavior


                            System Behavior

                            General

                            Start time:13:19:02
                            Start date:25/11/2021
                            Path:C:\Users\user\Desktop\Sipari#U015f formu.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Sipari#U015f formu.exe"
                            Imagebase:0xa80000
                            File size:500736 bytes
                            MD5 hash:032BBFD4181A7CEE029849DB610A318B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Author: Joe Security
                            Reputation:low

                            General

                            Start time:13:19:04
                            Start date:25/11/2021
                            Path:C:\Users\user\Desktop\Sipari#U015f formu.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\Desktop\Sipari#U015f formu.exe
                            Imagebase:0x590000
                            File size:500736 bytes
                            MD5 hash:032BBFD4181A7CEE029849DB610A318B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, Author: Joe Security
                            Reputation:low

                            Disassembly

                            Code Analysis

                              Executed Functions

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.658497729.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: d
                              • API String ID: 0-2564639436
                              • Opcode ID: 42ed97976f4736c2a03cef87b3b0a5baac21df991ddaa27e3f7d3511fe3f9c68
                              • Instruction ID: b5c5a57a8f9831a94f1d927ba6c37338f31d0814263c09720bfbe48005f86f60
                              • Opcode Fuzzy Hash: 42ed97976f4736c2a03cef87b3b0a5baac21df991ddaa27e3f7d3511fe3f9c68
                              • Instruction Fuzzy Hash: 14C22978B10215CFCB18DF64D455AA9BBB2FB89305F2580E9D90A9B355DB34EC82CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 55ef2f6cac5601b0d0f2b46c7fcfb1a324ea83f29060cbbb1df70402bc61f8b5
                              • Instruction ID: 40d692339c57a1386502bc99da0c3b5745a5ed1c6ccf19ef74d08098ea643ab4
                              • Opcode Fuzzy Hash: 55ef2f6cac5601b0d0f2b46c7fcfb1a324ea83f29060cbbb1df70402bc61f8b5
                              • Instruction Fuzzy Hash: 0EF1C131B0521A9FCB14DFA4D884AAEB7B7BF88304F158469EA06DB794DB30DC51CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.658497729.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb9e7891f55a306ed03a6efb3ef14acdeaae8be93785721a023912334f081157
                              • Instruction ID: 7898be24c499995cf9eba649973702b95bd49b11a4a58060eeab4cdcbebe61ea
                              • Opcode Fuzzy Hash: bb9e7891f55a306ed03a6efb3ef14acdeaae8be93785721a023912334f081157
                              • Instruction Fuzzy Hash: 3912E131A142168FCF16DB64C4947BE7BA2EF84304F2584BEE816AB391DB78DD41CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEncodePointer.NTDLL(00000000), ref: 02BC4522
                              Memory Dump Source
                              • Source File: 00000000.00000002.658497729.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                              Similarity
                              • API ID: EncodePointer
                              • String ID:
                              • API String ID: 2118026453-0
                              • Opcode ID: cbdedf2cc9eea1f5f4c47a1a84e199cd0196ba3888b0c85bfc3b5e770a54703a
                              • Instruction ID: d2f4aa3af5384a88679d15325057e2c8137bab01230a490493e6d42b1b60d32e
                              • Opcode Fuzzy Hash: cbdedf2cc9eea1f5f4c47a1a84e199cd0196ba3888b0c85bfc3b5e770a54703a
                              • Instruction Fuzzy Hash: CF216AB1900344CFDF50CFA9D54A39ABFF4FB48318F24846AD405A2641DB39A548CF96
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEncodePointer.NTDLL(00000000), ref: 02BC47CD
                              Memory Dump Source
                              • Source File: 00000000.00000002.658497729.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                              Similarity
                              • API ID: EncodePointer
                              • String ID:
                              • API String ID: 2118026453-0
                              • Opcode ID: b882eabff45d923bb86866bea2c79887a15a9c5e8745f1bab02f7b42503509c5
                              • Instruction ID: 431fbfe8fe08c9cc5c5dc052fdfeb098e02ecadc70125a312e7e368920f40915
                              • Opcode Fuzzy Hash: b882eabff45d923bb86866bea2c79887a15a9c5e8745f1bab02f7b42503509c5
                              • Instruction Fuzzy Hash: FC219D719103888FCB10DFA9D55939ABFF8EB09318F20846ED404E7641CB39A658CFA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEncodePointer.NTDLL(00000000), ref: 02BC4522
                              Memory Dump Source
                              • Source File: 00000000.00000002.658497729.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                              Similarity
                              • API ID: EncodePointer
                              • String ID:
                              • API String ID: 2118026453-0
                              • Opcode ID: 5bd33d18729045c8aff04c3983c97ca38c88cdb9f65cae2a2a6c853d2730ddd6
                              • Instruction ID: df453584a8957f2156ff0ab864fdcd40e556a4e0229577d1d3a963af5771a3cf
                              • Opcode Fuzzy Hash: 5bd33d18729045c8aff04c3983c97ca38c88cdb9f65cae2a2a6c853d2730ddd6
                              • Instruction Fuzzy Hash: 5D1167B0900349CFDF60CFA9D54A79ABBF4FB48314F20846AD405A3641DB39A648CFA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEncodePointer.NTDLL(00000000), ref: 02BC47CD
                              Memory Dump Source
                              • Source File: 00000000.00000002.658497729.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                              Similarity
                              • API ID: EncodePointer
                              • String ID:
                              • API String ID: 2118026453-0
                              • Opcode ID: f0d425847a88a8a54f4dd0675c0a379ab8f2368d5f95e6e31c952fb6362076db
                              • Instruction ID: 2b4175fa4609288459c25c4f35aff67043e8e40bbfad6f8ea3da00545d94a25a
                              • Opcode Fuzzy Hash: f0d425847a88a8a54f4dd0675c0a379ab8f2368d5f95e6e31c952fb6362076db
                              • Instruction Fuzzy Hash: 791149B1D103498FCB10DF99D54979ABBF8EB08318F20846ED415A7641DB79A618CFA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: ="
                              • API String ID: 0-1535570552
                              • Opcode ID: c73eb86b2f2b122ead4fc1e0fa32a728ec53e31aba971ace2f7a83d1a5fb6bef
                              • Instruction ID: 8c9d3048fe434a932ea4424461786e042ec5579758a47afa56f888ab158cd4a6
                              • Opcode Fuzzy Hash: c73eb86b2f2b122ead4fc1e0fa32a728ec53e31aba971ace2f7a83d1a5fb6bef
                              • Instruction Fuzzy Hash: 6B31BC307192048FD7089B64E819A6E7FA2FB89311B19847AFA06CB3D6DF399C41C751
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: ="
                              • API String ID: 0-1535570552
                              • Opcode ID: 5df46b7fdaf0f124a119115e10e252218865050dfdcd95f4e5979e548ba13b97
                              • Instruction ID: e00bbea07b43d603de717166429b4d2870361211bcd313ab668394bace9d0471
                              • Opcode Fuzzy Hash: 5df46b7fdaf0f124a119115e10e252218865050dfdcd95f4e5979e548ba13b97
                              • Instruction Fuzzy Hash: FC018671608411FAC724CB69D9412BAB7B2FB84394F008E26F297CB5C8D334E655C7A5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 210a26b4e879d2f267d906e2412e88c4711aa1665e5aaa8fe8ac508d7b954689
                              • Instruction ID: 22a8cb2fac9e0962ad46f5b48c70e6881c36b92b35ba8c095836c6461de26efb
                              • Opcode Fuzzy Hash: 210a26b4e879d2f267d906e2412e88c4711aa1665e5aaa8fe8ac508d7b954689
                              • Instruction Fuzzy Hash: 0A510031B511118FDB149BB8C854BBEBAA6FF8C314F558479DA19DB390DF709C0287A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6a5d40ffcc4517076e35922a15f2c98391a0592cc2db7599f543e3ebdff14fde
                              • Instruction ID: b8953e50bd0a01c7247c99902e82854511b8075d315a7930332acd05bb48b4c7
                              • Opcode Fuzzy Hash: 6a5d40ffcc4517076e35922a15f2c98391a0592cc2db7599f543e3ebdff14fde
                              • Instruction Fuzzy Hash: 5A619C35B001248FCF14DFA8D954AAD7BB6BF89311F158469EA02EB790CB31DC41CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d67dd474793bcff25e14952a77aa6af2a726c7277128cd037a6da3c0c7f4b9db
                              • Instruction ID: 3a8d59943461ff978b5b824215dc937821fc94bae96605c28e86d6917e074034
                              • Opcode Fuzzy Hash: d67dd474793bcff25e14952a77aa6af2a726c7277128cd037a6da3c0c7f4b9db
                              • Instruction Fuzzy Hash: 47712D35A00619DFCB14DFA8D494A9DBBF2FF88314F208169E509AB364DB71ED85CB80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7dd9b475f8c7b5566a9982430c52ad064ef4eb874a5b29715c6aaa9f7db772ae
                              • Instruction ID: 08de330c41a311ada812c765c4f91bd088044626ac3e50daae05ff4546b3a88d
                              • Opcode Fuzzy Hash: 7dd9b475f8c7b5566a9982430c52ad064ef4eb874a5b29715c6aaa9f7db772ae
                              • Instruction Fuzzy Hash: 3651B071B01158EBDB04CB94D9457BEB7B3FB89310F14C13AE6196B384DB748946CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 54f789bdd64e08b1c572dff588b282d2aad5d7ea3fa7f71968de00a8a321ded2
                              • Instruction ID: 100dd29d8607e807aeaf1d1d210fde5b939ff518e3f0ab816546440dcc98caac
                              • Opcode Fuzzy Hash: 54f789bdd64e08b1c572dff588b282d2aad5d7ea3fa7f71968de00a8a321ded2
                              • Instruction Fuzzy Hash: 37519031B112068FCB14DBB9D8489BFBBB6FFC5224B158529E529DB390EF309C068791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 55bbc5c4698fe16fcea695eb38746737c76985e971f1d6fc057e5a149f41d9f7
                              • Instruction ID: 80dac14cd9294e43751e4cfcffb0ec06680cfc70ac84cdbe1cf4de11bcc46de0
                              • Opcode Fuzzy Hash: 55bbc5c4698fe16fcea695eb38746737c76985e971f1d6fc057e5a149f41d9f7
                              • Instruction Fuzzy Hash: 22413530A29601CBE7108B6CCD44BBABBB2FF49304F58856BE666CF291D339C842C751
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f33e11dc361dc38ecb3b63033c38c4f1f0ec4f1852f21d5257958a545346a02f
                              • Instruction ID: 053f80b9f439efc5498f044da4e8593cf621f3b43c838dc8d7f8b2fa6e0dc7d6
                              • Opcode Fuzzy Hash: f33e11dc361dc38ecb3b63033c38c4f1f0ec4f1852f21d5257958a545346a02f
                              • Instruction Fuzzy Hash: 0B416970A09A15CBCB14CF69C8407EAF7F2FF88304F05856AE66AE7295D334D850DBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 12771781feb391ba55e25d681cfdf1947c26041436e54b49aecc9c1791001671
                              • Instruction ID: 92d7e771ddfea8964c059c78fe89d00a0ea0b81ee20c8b746228c2b4c3c5b66d
                              • Opcode Fuzzy Hash: 12771781feb391ba55e25d681cfdf1947c26041436e54b49aecc9c1791001671
                              • Instruction Fuzzy Hash: B1416B70A09A15CBCB10CF68C8407EAFBF2FF89301F0545AAE659E7295D3349850CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6bc63cc112ce8eeea81d08f83c5f16d97ffb906b248ca1c07e1c731112e224f3
                              • Instruction ID: 0bcf164333aa1367d33518299866527e8e743ca3c7da204a34e484d9e44d47b6
                              • Opcode Fuzzy Hash: 6bc63cc112ce8eeea81d08f83c5f16d97ffb906b248ca1c07e1c731112e224f3
                              • Instruction Fuzzy Hash: 4B318C353502059FC704EF28D881E9AB7E6FF80708B158969E606CF3B4DB75EC059B90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5b45550de2d54c6a1277d91b983eb003a039bbad564471478f93af820fd598c5
                              • Instruction ID: 0c3fb76b2f3707f42dd76ff5f006b00fa3d7934dc7bc37cebc5781f275bf1162
                              • Opcode Fuzzy Hash: 5b45550de2d54c6a1277d91b983eb003a039bbad564471478f93af820fd598c5
                              • Instruction Fuzzy Hash: B33176393502059FC714EF29C881D9AB7E6FF84708B158969E20ACF3B4DB71EC019B90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 098eac17ae2b8ce66ea849866355d46f0653d06a171b6af9783e3b78a0614207
                              • Instruction ID: ee72e5d5e97fe355893d59205aeb88e5460ebf1b40dac66f2da035c5f742ad6c
                              • Opcode Fuzzy Hash: 098eac17ae2b8ce66ea849866355d46f0653d06a171b6af9783e3b78a0614207
                              • Instruction Fuzzy Hash: F731B576904119CBDB80DF59E9426BEF7BAFF44300F044967EA15D7261C370D954CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f3535bbf12d7a6544dd2bd49fc59a1110aa63083fae53927939c216d56d67ba8
                              • Instruction ID: 02c5ec982eec16d7747d4aeabaa8cad9023cff9f8c69e8cbec574471800819ab
                              • Opcode Fuzzy Hash: f3535bbf12d7a6544dd2bd49fc59a1110aa63083fae53927939c216d56d67ba8
                              • Instruction Fuzzy Hash: C8210472A053825FCB06DB789C506FB7BB7FFC616071A456AD555CB282EF308D068361
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 82db48cb02711c35a170c3951203d8d5c554d92ddf43a1aeef254b3a6e0f5b34
                              • Instruction ID: d266c4843d3ad3cbbfc3d7a1a6e67c6218c7d6028a9196b563fdee7bd92cc80a
                              • Opcode Fuzzy Hash: 82db48cb02711c35a170c3951203d8d5c554d92ddf43a1aeef254b3a6e0f5b34
                              • Instruction Fuzzy Hash: 6E21E171F0C9518BC710CA68C8507FBB6BABF81210F048637A6A5C62D6C6389981C7D2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.658094733.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7771ea6dab2342a3afeaf85b5484982778cba929e2dc1e382d257ae3204f2ed2
                              • Instruction ID: 6982b565cf0bf1fe98388a999d7eb93b8f0cf8dcdd7a9d9ea7232ffd5dd12bfb
                              • Opcode Fuzzy Hash: 7771ea6dab2342a3afeaf85b5484982778cba929e2dc1e382d257ae3204f2ed2
                              • Instruction Fuzzy Hash: 5D210871504200DFCF0DCF94E8C0B9ABF65FB88328F14C569D9050B646C33AE856CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.658094733.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8da0f3dc3adc9c1748a59c66f5d409017347b1c32904d856e47de3c96e284915
                              • Instruction ID: c109187d0eb75175deb488a3621118bf36784f6fd092c6468bd755e728e5ede1
                              • Opcode Fuzzy Hash: 8da0f3dc3adc9c1748a59c66f5d409017347b1c32904d856e47de3c96e284915
                              • Instruction Fuzzy Hash: C4210675504244DFDF0DDF94E8C0B97BB65FB8832CF248569D9094B246C33AD856C6A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.658111394.00000000011CD000.00000040.00000001.sdmp, Offset: 011CD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 845e14a0204459ce73c6f77d1cb27b312659145ffe586e4541bc1baabeea8066
                              • Instruction ID: 44e7c557e6643cc63ce81619623ad47c9c855782aab4ab75334731ed324b688c
                              • Opcode Fuzzy Hash: 845e14a0204459ce73c6f77d1cb27b312659145ffe586e4541bc1baabeea8066
                              • Instruction Fuzzy Hash: 5B212571504240DFCF19CF58E8C4B16BBA5FB94B64F20C97DD8094B246C73AD867CAA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 871aeef5faf0adefac7ea57c2dadab187e7af0104fbcc07371ea88bc49140514
                              • Instruction ID: cf958a8ae0b23216662a2378993b2dc8655f25ce373686af85e71ec7a56ae773
                              • Opcode Fuzzy Hash: 871aeef5faf0adefac7ea57c2dadab187e7af0104fbcc07371ea88bc49140514
                              • Instruction Fuzzy Hash: 4A21F330A04114AFEB44EBB48C56BFE7BBBEF85340F10C866E606DA280DF315E5587A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 82108136af3bfa1477be224d7426148718eb70cd86c526c78ade99f5f66b5aa5
                              • Instruction ID: 914d2ed50f0cbff2ea1abd4c0aa3d33039130eb31da620b46c24348e13ee677c
                              • Opcode Fuzzy Hash: 82108136af3bfa1477be224d7426148718eb70cd86c526c78ade99f5f66b5aa5
                              • Instruction Fuzzy Hash: 6D31C0B1D007089FCB10CF9AC584ACEFBF9BF48710F25802AD409AB211E775694ACF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.660300134.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 893e3843a38c8680eaa371c98da736694ebf067985153d33d2efe8d3e4e50b98
                              • Instruction ID: 102868dd4ed9a52d1919aba3ee27dd0f7c4c946267b69d6a209e9a6775d28827
                              • Opcode Fuzzy Hash: 893e3843a38c8680eaa371c98da736694ebf067985153d33d2efe8d3e4e50b98
                              • Instruction Fuzzy Hash: A72105757002069FCB04DB78C4599AFB7F6EF80204B458829D516DB750EF34EC04CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source

                              Non-executed Functions

                              Executed Functions

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: ScrollShow
                              • String ID:
                              • API String ID: 3611344627-0
                              • Opcode ID: cabef86542195d0baaffbd4230c78f432c90a4ee869c95099d12d5c15f8fe54f
                              • Instruction ID: 134ad34bc8855774d373e4812a5065bb4f98108fb3923850223cfcb6483777b8
                              • Opcode Fuzzy Hash: cabef86542195d0baaffbd4230c78f432c90a4ee869c95099d12d5c15f8fe54f
                              • Instruction Fuzzy Hash: 3F727E30A006199FCB54DFA9C884AAEBBB6FF88304F158469E715DB391DB34DD41CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PhysicalToLogicalPoint.USER32(?,?,?,?,00000000), ref: 00CF3315
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: LogicalPhysicalPoint
                              • String ID:
                              • API String ID: 1795878559-0
                              • Opcode ID: a551f3241933462a4f76a3754b6290e9f2a7cdf75d4de8a86d17869c2df666d0
                              • Instruction ID: d311b9b2dcbad2627fd4b3e60db321d59bcafb436e79f2fb536ede470481221c
                              • Opcode Fuzzy Hash: a551f3241933462a4f76a3754b6290e9f2a7cdf75d4de8a86d17869c2df666d0
                              • Instruction Fuzzy Hash: F5E1A334F002489FDB54DBA9C8947BEB7B6EF89300F14842AE616EB381DB74DD458B52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.917500389.0000000000DC0000.00000040.00000010.sdmp, Offset: 00DC0000, based on PE: false
                              Similarity
                              • API ID: DispatchMessage
                              • String ID:
                              • API String ID: 2061451462-0
                              • Opcode ID: b4a5da5ffff46c854d5f1cd92ccf6096f09a163c34c227181317940e67991d91
                              • Instruction ID: bb4eecb4845741b09a4e3afbc298c225a01b0e2845620546c574039c7368d2ed
                              • Opcode Fuzzy Hash: b4a5da5ffff46c854d5f1cd92ccf6096f09a163c34c227181317940e67991d91
                              • Instruction Fuzzy Hash: 92F12A74A0020ACFDB14DFA9C884BADBBF1FF88304F19856DE419AB265DB70E945CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0AAB
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: a5cc235b788dac43567505b5a4925e69c89bab9eea4411541f2ad699dc7f3f26
                              • Instruction ID: 831f413b8f9ee65ece3f35f1568ad6115f0c42b62b4b19dc82f38b619915ad78
                              • Opcode Fuzzy Hash: a5cc235b788dac43567505b5a4925e69c89bab9eea4411541f2ad699dc7f3f26
                              • Instruction Fuzzy Hash: 1152E434A01328CFCBA5DF60D9987ADB7B6AF49305F2041EAE50AA7750CB359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0AAB
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: dd5cc3c52fbcae2794e192a02f0f475cd3c5cd309bda04386b2ece2e172d31c0
                              • Instruction ID: 113fb240db16981550a33a7b5e0b90379c8dae5e6f1e09e3c43cc94f3b85c1e7
                              • Opcode Fuzzy Hash: dd5cc3c52fbcae2794e192a02f0f475cd3c5cd309bda04386b2ece2e172d31c0
                              • Instruction Fuzzy Hash: ED02E934A01329CFCBA5DF20D9986ADB7B6BF49305F2041EAE509A6750CF359E81CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 00EB6C60
                              • GetCurrentThread.KERNEL32 ref: 00EB6C9D
                              • GetCurrentProcess.KERNEL32 ref: 00EB6CDA
                              • GetCurrentThreadId.KERNEL32 ref: 00EB6D33
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 20985c5badd5cf31e159581295fbb1b9371bca62de6f279050ed576c9a8c9a53
                              • Instruction ID: 49be4097855d90bc83202fa419a2c08a1bfd2b3baca324983affc3885b1551d1
                              • Opcode Fuzzy Hash: 20985c5badd5cf31e159581295fbb1b9371bca62de6f279050ed576c9a8c9a53
                              • Instruction Fuzzy Hash: 725176B4A002498FCB11CFAAC549BDEBFF0EF89304F14849AE058A7351D7746849CF62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 00EB6C60
                              • GetCurrentThread.KERNEL32 ref: 00EB6C9D
                              • GetCurrentProcess.KERNEL32 ref: 00EB6CDA
                              • GetCurrentThreadId.KERNEL32 ref: 00EB6D33
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 9fcd70420fba9510f586d4557b0cc32a1b8f89735fb70afb0448662ee91ddcef
                              • Instruction ID: 8b90518ba8ac621e9df651ced27d2f4ea3009f38399b64b1fa5ce925c3faff55
                              • Opcode Fuzzy Hash: 9fcd70420fba9510f586d4557b0cc32a1b8f89735fb70afb0448662ee91ddcef
                              • Instruction Fuzzy Hash: 475146B4A006498FDB10CFAAD5487DEBBF1EF88304F248459E519B7350D7746844CF62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: bffa118845a641984926cbebcc243a7cdb89bd162f5b51b9a3e1a6b31a4cacad
                              • Instruction ID: 7d7873af23a98cd65565d7701aea69e6fae0ece7a7061909b0538c684cfaa907
                              • Opcode Fuzzy Hash: bffa118845a641984926cbebcc243a7cdb89bd162f5b51b9a3e1a6b31a4cacad
                              • Instruction Fuzzy Hash: 1B02E934A01329CFCBA5DB20D9986ADB7B6BF49305F2041EAE509A6740CF359E81CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: b28233ed8574654007383ee95f194f06bd0646fe7588c1459e4ac358b520350d
                              • Instruction ID: 24ce7db44c5d4b0859cc183be21595fbb83f32d34f3d80c81d03a83b8c6b38ee
                              • Opcode Fuzzy Hash: b28233ed8574654007383ee95f194f06bd0646fe7588c1459e4ac358b520350d
                              • Instruction Fuzzy Hash: 3CF1E934A01329CFCBA5DB60D9986ADB7B6BF49305F2041EAE509A7740CF359E81CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: 6f915685128dab9dd01927c9d78d4ebc63a62d23d560da448c7b556dd92a0ce6
                              • Instruction ID: 4419bf28f54424d51c4e7eaf72ab36fafc142de33a35d645a315fd5b8d80af4a
                              • Opcode Fuzzy Hash: 6f915685128dab9dd01927c9d78d4ebc63a62d23d560da448c7b556dd92a0ce6
                              • Instruction Fuzzy Hash: ACF1E934A01329CFCBA5DB60D9986ADB7B6BF49305F2041EAE509A6740CF359E81CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: 5306d00f28219f919f0f6d03484b64815420d0bc88d7cf007cb17f9514175eaf
                              • Instruction ID: 902b25822aa49e1e3c864ab029bc84d016a2b0cd5244b906efecec98ef1288a7
                              • Opcode Fuzzy Hash: 5306d00f28219f919f0f6d03484b64815420d0bc88d7cf007cb17f9514175eaf
                              • Instruction Fuzzy Hash: DDF1FA34A01329CFCBA5DB20D9986ADB7B6BF49305F2041EAE509A7750CF359E81CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: 84957b5d413521a7741c884b8db870c21f33351612da46734cdaa29ffb90fd29
                              • Instruction ID: 260500c29383b7e108fce79a479c8b269a233479d56e0e2240ede121eaaedcd5
                              • Opcode Fuzzy Hash: 84957b5d413521a7741c884b8db870c21f33351612da46734cdaa29ffb90fd29
                              • Instruction Fuzzy Hash: 11F1FA34A01329CFCBA5DB60D9986ADB7B5BF49305F2041E9E509A7740CF355E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: 85e652202238ef88b63d32d9904cb60c0cc9c01ab84257513cdb2a785fb34856
                              • Instruction ID: 26a1ff992b8a373cf98691ee08bc09b9c856eb9dc5ea8e6a704cae8974e01ed9
                              • Opcode Fuzzy Hash: 85e652202238ef88b63d32d9904cb60c0cc9c01ab84257513cdb2a785fb34856
                              • Instruction Fuzzy Hash: 61E1EA34A01329CFCBA5DB60D9986ADB7BABF49305F2041EAE509A7740CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: ad25c54d2bd077799865e87450871030dbe90329f9c2beaf4ead9f07d20676a9
                              • Instruction ID: 36c26d5ea40b4dd3fd63f9f0f904724956f61f4a4c4f1fc1f63de8bc14bc1336
                              • Opcode Fuzzy Hash: ad25c54d2bd077799865e87450871030dbe90329f9c2beaf4ead9f07d20676a9
                              • Instruction Fuzzy Hash: A4E1FA34A01329CFCBA5DB20D9986ADB7BABF49305F2040E9E509A7740CF355E81CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: 7a5a3e8b44899d71e91e607a25b8d3bc86b8ad6eafad949235d6ce3b3727c971
                              • Instruction ID: fcaeffb6fa984a3dc0650e30d234a060b4e83013cf55e327f15b11588d839ca6
                              • Opcode Fuzzy Hash: 7a5a3e8b44899d71e91e607a25b8d3bc86b8ad6eafad949235d6ce3b3727c971
                              • Instruction Fuzzy Hash: A7E1E934A01329CFCBA5DB60C9986ADB7BABF49305F2440EAE509A7744CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: fe5994a2b7a6e86044280b52f7e06ecfc49fc9d0031748dd80d3e02a3f499537
                              • Instruction ID: 8a67dc8f0f20b10b25faeb6cb5c4103e709931a71da312ea337361c2c3d1637a
                              • Opcode Fuzzy Hash: fe5994a2b7a6e86044280b52f7e06ecfc49fc9d0031748dd80d3e02a3f499537
                              • Instruction Fuzzy Hash: 2CE1E834A01329CFCBA5DB60C9986ADB7BABF49305F2440EAE509A7744CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDialogMessageW.USER32 ref: 00CF0D54
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser$DialogMessage
                              • String ID:
                              • API String ID: 2987088471-0
                              • Opcode ID: 332703081f5b2b050cf48620c7e581b5d86fe8cb178253954ef9d1af3a260a5c
                              • Instruction ID: 4c1650c636ddcb539d74ef7913297adcee2e4db9f47b53bc99fd2e785f685fdb
                              • Opcode Fuzzy Hash: 332703081f5b2b050cf48620c7e581b5d86fe8cb178253954ef9d1af3a260a5c
                              • Instruction Fuzzy Hash: C5D1E634A01329CFCBA5DB60C9986ADB7BABF49305F2440EAE509A7744CB359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCurrentThread.KERNEL32 ref: 00EB6C9D
                              • GetCurrentProcess.KERNEL32 ref: 00EB6CDA
                              • GetCurrentThreadId.KERNEL32 ref: 00EB6D33
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: Current$Thread$Process
                              • String ID:
                              • API String ID: 3664162594-0
                              • Opcode ID: 490d58a9180593f6e020028c93bd009ec6db5d4b14c4866d39a0f90cf7b8f13f
                              • Instruction ID: 0ff5fd979a94a654ced5ff6e57e547d4e8d07ad7b1de9a24e43d60bbf165ccc1
                              • Opcode Fuzzy Hash: 490d58a9180593f6e020028c93bd009ec6db5d4b14c4866d39a0f90cf7b8f13f
                              • Instruction Fuzzy Hash: 32418BB4A042458FDB01CFA9D5487EEBBF1EF88308F248499D159B7361DB746849CF62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: c189c56d411cc1a0a68ea19539de0514f70b1648e35af8745375742b54ebab64
                              • Instruction ID: 359b7b268034f9b0f9c660a958bb50b730c8390ae4a240fcc3cf07c357ee499d
                              • Opcode Fuzzy Hash: c189c56d411cc1a0a68ea19539de0514f70b1648e35af8745375742b54ebab64
                              • Instruction Fuzzy Hash: 87D1F734A01329CFCBA5DB60C9987ADB7BABF49305F2440EAE509A7744CB359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 664c41c566b1e33494cba134251709f9c7e2c482f94c64c129b78eefb3063c3b
                              • Instruction ID: 84f58124149a7eb1954fe32398f82607ef5f83c3052807c9cbc3737c8d1cc3de
                              • Opcode Fuzzy Hash: 664c41c566b1e33494cba134251709f9c7e2c482f94c64c129b78eefb3063c3b
                              • Instruction Fuzzy Hash: F9D1E734A01329CFCBA5DB60C9987ADB7BAAF49305F2440EAE509A7744CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 42bf296a6002de24fdc55dd26e98773abb1b2bc51b9cf9411f194bd5dce71dc7
                              • Instruction ID: fa74a9f737e5cadf97b377cd5ac620aaf3481e40239db176d21188f11face7e5
                              • Opcode Fuzzy Hash: 42bf296a6002de24fdc55dd26e98773abb1b2bc51b9cf9411f194bd5dce71dc7
                              • Instruction Fuzzy Hash: DDC1E734A01329CBCBA5DB60C9987ADB7BAAF49305F2440EAE509A7744CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: b069d1aca58457ba6f09f1171e1b411e1f478d23f4947e3b7013ab2e4bf2c678
                              • Instruction ID: 1e40f5b13c650709639ed505fa547f45bd53119511da07e1175b0e8cecc2875a
                              • Opcode Fuzzy Hash: b069d1aca58457ba6f09f1171e1b411e1f478d23f4947e3b7013ab2e4bf2c678
                              • Instruction Fuzzy Hash: 6DC1E734A01329CBCBA5DB60C9987ADB7BABF49305F2440EAE509A7744CB359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: c6a62c14724467479909e91eec272267cbd44a1593baa219eeceb5b9ce4d5da2
                              • Instruction ID: e20b28deda67c0b2d69c76ae8da844da932617b61f81cab3a7f08665ddd09a4c
                              • Opcode Fuzzy Hash: c6a62c14724467479909e91eec272267cbd44a1593baa219eeceb5b9ce4d5da2
                              • Instruction Fuzzy Hash: 64C1F934A01329CFCBA5DB60C9987ADB7BAAF49305F2440EAE509A7744CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 4cf0120c0ff18c7e3161e14d9249884c1cf8df7f5ea2703fb256750d07b330da
                              • Instruction ID: 7c24007cf9a9419f423d646496bbd1939d626ab584156e7114662c093765f944
                              • Opcode Fuzzy Hash: 4cf0120c0ff18c7e3161e14d9249884c1cf8df7f5ea2703fb256750d07b330da
                              • Instruction Fuzzy Hash: 3DB1FA34A01329CFCBA5DB60C9987ADB7BAAF48305F2440EAE509A7754CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF0F2E
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: ab0a416f2decd8e46622034c1e6d2890a7b198148c530e1e546f8f66b8afebad
                              • Instruction ID: 8c9cd5c08c180578f2255b00147746481d291f9a1b3aa681e83a05eb039cd0e9
                              • Opcode Fuzzy Hash: ab0a416f2decd8e46622034c1e6d2890a7b198148c530e1e546f8f66b8afebad
                              • Instruction Fuzzy Hash: 76B1FA34A01329CFCBA5DB60C9987ADB7BAAF48305F2440EAE509A7754CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 63799a8760c1cd2560c6276d65669e04eb9203c02f94accdf60fb8dd290976fa
                              • Instruction ID: af6ee279ed12bb2473817745efa460bc629e8d950a21743806a9235970dcd014
                              • Opcode Fuzzy Hash: 63799a8760c1cd2560c6276d65669e04eb9203c02f94accdf60fb8dd290976fa
                              • Instruction Fuzzy Hash: B7A12730F052198FCB549B68C8816BEB7B6AFC5304F29856AD6159B395CF30DD0AC7A3
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 25c2c45ef948c79237780b6b554f6c7ced6cc976282f5c88060c94443a2bbcf6
                              • Instruction ID: f09f7ea045ada5977385d6fcb4542d78d37197dc9c6f04dca2648fe02b9b3f38
                              • Opcode Fuzzy Hash: 25c2c45ef948c79237780b6b554f6c7ced6cc976282f5c88060c94443a2bbcf6
                              • Instruction Fuzzy Hash: 44B1FB34A01329CFCBA5DB60C9987ADB7BAAF48305F2440EAE509A7754CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 1f533ad771493fb3f2beca437dd48cab9d6cb54408176b24e95f130210a140b8
                              • Instruction ID: abb285ce9196807a3448ed135a5266b507ee90519cc0f1847302984917f7ad07
                              • Opcode Fuzzy Hash: 1f533ad771493fb3f2beca437dd48cab9d6cb54408176b24e95f130210a140b8
                              • Instruction Fuzzy Hash: D9A1F934A01329CFCBA5DB60C8987ADB7BAAF48305F2440EAE509A7754CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 5b54b952bd4288f2f584a658052e26d14268ffdfc68863bf5b1cf9487322d2f8
                              • Instruction ID: c038e29ebb2a33aafb5a61741dc65f97d25e10232327fd9ae5ba0a896deed4ea
                              • Opcode Fuzzy Hash: 5b54b952bd4288f2f584a658052e26d14268ffdfc68863bf5b1cf9487322d2f8
                              • Instruction Fuzzy Hash: E1A1FA34A01369CFCBA5DB60C9987ADB7BAAF48305F2440EAE509A7744CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 173fa8b56681f1f859f12cb640aebe2794105b00731c4d789d44cb54bcd7d7c1
                              • Instruction ID: 8af09c2617d97ef916107a1caa5fbe4ac6743b28d387155673f90fa8f3da3e4b
                              • Opcode Fuzzy Hash: 173fa8b56681f1f859f12cb640aebe2794105b00731c4d789d44cb54bcd7d7c1
                              • Instruction Fuzzy Hash: 7DA10934A01329CFCBA5DB60C9987ADB7BAAF48305F2440E9E909A7744CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 9a1eeb2224dc36d285b2af1227f6d9c71bb140faec29b2d478c934f867843441
                              • Instruction ID: cab723ee0e227599458b8c954364e2d2396e005463ceee79c8952ed7402bec96
                              • Opcode Fuzzy Hash: 9a1eeb2224dc36d285b2af1227f6d9c71bb140faec29b2d478c934f867843441
                              • Instruction Fuzzy Hash: 2391F934A01369CFCBA5DB64C8987ADB7BAAF48305F2440E9E909A7744CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 7c12f4d06aa0267eab4ab9eeb6bcb0403621c8d2dc6d8a3f4ec4c04a43b1d215
                              • Instruction ID: 45775aebfb0e056068832d74d3ebe2e728409b0dd4dda94e2c74a33a99cd5f09
                              • Opcode Fuzzy Hash: 7c12f4d06aa0267eab4ab9eeb6bcb0403621c8d2dc6d8a3f4ec4c04a43b1d215
                              • Instruction Fuzzy Hash: 23910A34A01329CFCBA5DB64C8987ADB7BAAF48305F2440E9E909A7744CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 70df91b0bc1e30c86c7bdbf8462cadb44878e2b0e9e69b09770f32455a7427d6
                              • Instruction ID: 317b9860c4a4c0acb1496db5cbe91ae091e0ef0ebc152ffc0bdbb24e69bd6c71
                              • Opcode Fuzzy Hash: 70df91b0bc1e30c86c7bdbf8462cadb44878e2b0e9e69b09770f32455a7427d6
                              • Instruction Fuzzy Hash: D3810A34A01329CFCBA5DB64C8987ADB7BAAF48305F2440E9E909A7344CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: b460203a9164bbb26fbd4f68148f90e5f73014115060023fbfa444fae86b5811
                              • Instruction ID: 810e9764b56c6437d1782e88b6609f0ce5c0e8aa1d26f76fa1ac436180fb0b39
                              • Opcode Fuzzy Hash: b460203a9164bbb26fbd4f68148f90e5f73014115060023fbfa444fae86b5811
                              • Instruction Fuzzy Hash: 15811B74A01229CFCBA5DB64C8947ADB7BAAF48305F2480E9E909A7354CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 00CF1198
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: e8a6eaceab9e9bdc4bf2c1136c0a81e3ba6a5f1ad35457d388aa8f541b0817c4
                              • Instruction ID: 68439216517d56a866235856b5abbcbd9f8e96c9bd8140d27b2fda83b449f3ea
                              • Opcode Fuzzy Hash: e8a6eaceab9e9bdc4bf2c1136c0a81e3ba6a5f1ad35457d388aa8f541b0817c4
                              • Instruction Fuzzy Hash: 1E712C74A01229CFCBA5DB64C8947ADB7BAAF48305F2480EDE909A7344CF359E81CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PhysicalToLogicalPoint.USER32 ref: 00EBDEEC
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: LogicalPhysicalPoint
                              • String ID:
                              • API String ID: 1795878559-0
                              • Opcode ID: 7dfbef292d1683c8c5a98460389e69385c122225b2bf92a809b34982e7552ce9
                              • Instruction ID: 0478f12cd3c4a1228a5c8a39e6cf119c27cc8f916ceeb5ce699987280acab392
                              • Opcode Fuzzy Hash: 7dfbef292d1683c8c5a98460389e69385c122225b2bf92a809b34982e7552ce9
                              • Instruction Fuzzy Hash: 7741F035B0D3514BDB294A688C943FF7BA6ABE5318F18543EE506EB281FB74CC058752
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: BandWindow
                              • String ID:
                              • API String ID: 3050286395-0
                              • Opcode ID: 2ca4e1e9951444e78407efe2d9e54de3c3c6a0d630951b5da5b90bf64df342f9
                              • Instruction ID: b653a35cfdf999ca837eac3fd2b6aa9fdc91a914cff3f0271ffd927c1e2f1f72
                              • Opcode Fuzzy Hash: 2ca4e1e9951444e78407efe2d9e54de3c3c6a0d630951b5da5b90bf64df342f9
                              • Instruction Fuzzy Hash: 5541AF347442459FCF069F64D854AEB7BA2EF84304F188068FA05AB395CB35DC26DB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00EB43D6
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: c603dc25959ba6a5e5021ce27f69bcda92c84fc9e3a0c6d58c08e44de133ba02
                              • Instruction ID: 10a836599eb2a412af26eb6b9ba6db51b7f0be173ad5f8cc990713eb5700127b
                              • Opcode Fuzzy Hash: c603dc25959ba6a5e5021ce27f69bcda92c84fc9e3a0c6d58c08e44de133ba02
                              • Instruction Fuzzy Hash: 815164B1D042498FCB24CFA9D4857EEBBF1EB48314F14811AE865BB282D7749846CF92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00EB5462
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 68028f849b73d62b689db4c57e9e38c9a2c08442549dad237d1e5ee014ea9a5b
                              • Instruction ID: 7ab7e7c99c00f6067ec1e0827cd0d7087a41920b5350ef8ef14b8ae88f62c8fc
                              • Opcode Fuzzy Hash: 68028f849b73d62b689db4c57e9e38c9a2c08442549dad237d1e5ee014ea9a5b
                              • Instruction Fuzzy Hash: 3D51B0B1D007499FDB14CFAAC884ADEBBB5BF48314F24912AE819AB210D7749885CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: BandWindow
                              • String ID:
                              • API String ID: 3050286395-0
                              • Opcode ID: 4999da32df74063f0eb23df097abb90db8fa309993e40528d188c5b784eafe26
                              • Instruction ID: ec02ac4d910e1d32d81d4365eac73b5332b54b95552c16e53731b819f0da7817
                              • Opcode Fuzzy Hash: 4999da32df74063f0eb23df097abb90db8fa309993e40528d188c5b784eafe26
                              • Instruction Fuzzy Hash: 7C41D0316042499FCF4AAF29D854ABF3BA6FF84350F108029FA15D7291DB35DE229B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00EB5462
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: d356a216d4da7bbe168c1e474defdcb2fdaa7d67116800912f8518cbe275b19e
                              • Instruction ID: 4f32c8f32ecb1f6ddd2c55339d45788ef91e7b640973f0ecdbf8ff302c5b0f32
                              • Opcode Fuzzy Hash: d356a216d4da7bbe168c1e474defdcb2fdaa7d67116800912f8518cbe275b19e
                              • Instruction Fuzzy Hash: 5141B0B1D00749DFDB14CF9AC884ADEBBB5BF88314F24812AE819AB210D7749885CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00EB7DB1
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 6a0bbaba8791c467bd486acf0bc37b16510f1eba20aa0f830477c345694ed496
                              • Instruction ID: 0945fc58b26f26bbb56405c7e212087ef4a4f966bae103028f74d72789ef4fb6
                              • Opcode Fuzzy Hash: 6a0bbaba8791c467bd486acf0bc37b16510f1eba20aa0f830477c345694ed496
                              • Instruction Fuzzy Hash: 364169B9A04305CFCB14CF99C488AABBBF5FF89314F248449E559AB721D770A845CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00EB43D6
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 222209fdbf4632f21f3ded8c493ef9e54f82bc66f306ead3f379c3274d0edd79
                              • Instruction ID: 045f97013e03615c851d57ddb5e60173412a484e7072375f5629da02133fcd3c
                              • Opcode Fuzzy Hash: 222209fdbf4632f21f3ded8c493ef9e54f82bc66f306ead3f379c3274d0edd79
                              • Instruction Fuzzy Hash: 743167B1E007448FCB14DFAAC4406DEBBF0AF89218F14856ED419B7792E774A946CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EB6EAF
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 0916b2f070680eb5b2957417000eff0ffd2b8fa28fcdf5fd2310b11815417a5a
                              • Instruction ID: 7b373085b28072c713561ee97e047f029428a68f07a39e7970ceeca689bdc61e
                              • Opcode Fuzzy Hash: 0916b2f070680eb5b2957417000eff0ffd2b8fa28fcdf5fd2310b11815417a5a
                              • Instruction Fuzzy Hash: EC21E3B59002499FDB10CFAAD484AEEFBF4EB48324F14801AE914A7310D378AA55CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EB6EAF
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 41df703f4ea1eea694acf19fd0204dce6fe08f564007b2a1dd16eeda0c9bf7fe
                              • Instruction ID: df7600a6b79e6b86384143054b9930ea8ca519307565c10fdb156c75c198e803
                              • Opcode Fuzzy Hash: 41df703f4ea1eea694acf19fd0204dce6fe08f564007b2a1dd16eeda0c9bf7fe
                              • Instruction Fuzzy Hash: F521C2B59002499FDB10CFAAD884ADEFBF8EB48324F14841AE914A7310D778A954CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,00DC2309,00000800), ref: 00DC239A
                              Memory Dump Source
                              • Source File: 00000003.00000002.917500389.0000000000DC0000.00000040.00000010.sdmp, Offset: 00DC0000, based on PE: false
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 790467359d6d628463c22703439f53bc1e2621fec1b39ddd78caf83a55fa9f4e
                              • Instruction ID: 3e99d7a1b874a0d4da83c8683b38f5dfd24226826200e98f6536f352aac83e9e
                              • Opcode Fuzzy Hash: 790467359d6d628463c22703439f53bc1e2621fec1b39ddd78caf83a55fa9f4e
                              • Instruction Fuzzy Hash: BA1103B69003498FCB10DF9AC444BEEFBF4AB88310F14842EE915A7210C778A945CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,00DC2309,00000800), ref: 00DC239A
                              Memory Dump Source
                              • Source File: 00000003.00000002.917500389.0000000000DC0000.00000040.00000010.sdmp, Offset: 00DC0000, based on PE: false
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 4e4ea9952862dff4e1dcee47303af6b579001c77f0b6d25e1026f2f0e28f19a9
                              • Instruction ID: 25d67d5b78e607eddfd3314789e8fed1051e35e2899cc7532a0c6e649ab7175f
                              • Opcode Fuzzy Hash: 4e4ea9952862dff4e1dcee47303af6b579001c77f0b6d25e1026f2f0e28f19a9
                              • Instruction Fuzzy Hash: 971114B6D0034A8FDB10CF9AC484BEEFBF4AB89314F14852ED419A7610C778A945CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEncodePointer.NTDLL(00000000), ref: 00EBCB72
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: EncodePointer
                              • String ID:
                              • API String ID: 2118026453-0
                              • Opcode ID: a21163d4e18e9ae8c412fe549ee5751673416bc5bc170b86dbc786e654fc6f18
                              • Instruction ID: 1c6428715cdd450ba3780d67e551fa943301819f29b6060bba10176bd48f1f2d
                              • Opcode Fuzzy Hash: a21163d4e18e9ae8c412fe549ee5751673416bc5bc170b86dbc786e654fc6f18
                              • Instruction Fuzzy Hash: 941186759043058FCB20DFAAC5897DEBBF4EB48318F24882AD444B3281C738A8488FA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 039cef8bc849736f597a5c657209f127758b7fa4c81800b91ec4a4d778c4a358
                              • Instruction ID: 6a65c7352cb47d277024d9a90ec12b4b52567d3c9a951bcbbfad1a98997bf62a
                              • Opcode Fuzzy Hash: 039cef8bc849736f597a5c657209f127758b7fa4c81800b91ec4a4d778c4a358
                              • Instruction Fuzzy Hash: 1611F630A10219DFDB54DFA5D494BAEBBB2FF89305F20842DE501AB254CB36A986CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00EB43D6
                              Memory Dump Source
                              • Source File: 00000003.00000002.917570934.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: b740e67d4fff988ed95d7ec6bb1119384c891aa59dc48d6305ec04068c9f5cb4
                              • Instruction ID: 9c21267d2035d134d94a705fcdd8d75fd79472f606a8b35ad85517d288092f80
                              • Opcode Fuzzy Hash: b740e67d4fff988ed95d7ec6bb1119384c891aa59dc48d6305ec04068c9f5cb4
                              • Instruction Fuzzy Hash: EC1120B58007498BCB10DF9AC444BDFFBF4AB88324F14802AD429B7201C374A945CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: BandWindow
                              • String ID:
                              • API String ID: 3050286395-0
                              • Opcode ID: 7043c3b5bf9d7a4e49f333952f2d3617fb7a75581eb0a4713dc50f183a336c4e
                              • Instruction ID: 9e27b1578e6700ee970bbd4ae83c8f18bab6e0483136b34d1f264ed16ef2e1d5
                              • Opcode Fuzzy Hash: 7043c3b5bf9d7a4e49f333952f2d3617fb7a75581eb0a4713dc50f183a336c4e
                              • Instruction Fuzzy Hash: 0301DB367000186B8B169E699810AFF3BEBDFC8750F14801DF705D7280DEB19E119B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,00DC60BF), ref: 00DC6F5D
                              Memory Dump Source
                              • Source File: 00000003.00000002.917500389.0000000000DC0000.00000040.00000010.sdmp, Offset: 00DC0000, based on PE: false
                              Similarity
                              • API ID: DispatchMessage
                              • String ID:
                              • API String ID: 2061451462-0
                              • Opcode ID: 04db8f18831cbbbcb7a36be24e53e3a93d2c608d766f71551d4db966647bb010
                              • Instruction ID: 7e2285325a5382283047dd191b688a33a877a32dff03e508c5e69a89a61a23e0
                              • Opcode Fuzzy Hash: 04db8f18831cbbbcb7a36be24e53e3a93d2c608d766f71551d4db966647bb010
                              • Instruction Fuzzy Hash: 6F11E0B5D046498FCB10DF9AD444B9EFBF4EF48324F14851AE529A7200D374A945CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,00DC60BF), ref: 00DC6F5D
                              Memory Dump Source
                              • Source File: 00000003.00000002.917500389.0000000000DC0000.00000040.00000010.sdmp, Offset: 00DC0000, based on PE: false
                              Similarity
                              • API ID: DispatchMessage
                              • String ID:
                              • API String ID: 2061451462-0
                              • Opcode ID: 326be6040944ac092625f38410c2f5994c239c568a8f2aa552e3972c01231596
                              • Instruction ID: 57bc4464c1f045c75b6e0262bbc60c0ad549657309cac21b65eab56311de1236
                              • Opcode Fuzzy Hash: 326be6040944ac092625f38410c2f5994c239c568a8f2aa552e3972c01231596
                              • Instruction Fuzzy Hash: D811E0B1C046498FDB10DF9AD444BDEBBF4AB48324F14855AD429A7300D378A545CFA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.917459049.0000000000CF0000.00000040.00000010.sdmp, Offset: 00CF0000, based on PE: false
                              Similarity
                              • API ID: BandWindow
                              • String ID:
                              • API String ID: 3050286395-0
                              • Opcode ID: 754dc5c9a7714f576333921cd920283db7c138ab1f5c44a95f0752d5ee29da25
                              • Instruction ID: 460dd15af2d2c7cdae26aa2dae4439b54f035ab7422e3a919f87e12b4c412112
                              • Opcode Fuzzy Hash: 754dc5c9a7714f576333921cd920283db7c138ab1f5c44a95f0752d5ee29da25
                              • Instruction Fuzzy Hash: F9F068367001196FDB56DE55D800AEF7BAAEFC9750F148029F714C7280DA71DA119BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.917393516.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d77248d4d6628dc48d4ecc5726c070313a1deb96d84e472166f2cfafd809e2da
                              • Instruction ID: efe2bc2fd0c6b29a8141483598778e380e2d43f128ed7ceafabecdab6b3ea1db
                              • Opcode Fuzzy Hash: d77248d4d6628dc48d4ecc5726c070313a1deb96d84e472166f2cfafd809e2da
                              • Instruction Fuzzy Hash: E02133B1504200DFCB15DF14D8C0B67BB65FB88324F20C569E8070B246D336E85ACBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.917393516.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8e46a7554b4a6f17496319df0c0ca1b8c9d210be8bbf5ec9a7633e92e12597a3
                              • Instruction ID: 4a4bd5dc1187b0f257d4abc8134dbde8d55c18a0e3f6578fed8107cfc17f9f04
                              • Opcode Fuzzy Hash: 8e46a7554b4a6f17496319df0c0ca1b8c9d210be8bbf5ec9a7633e92e12597a3
                              • Instruction Fuzzy Hash: 242167B1104200DFCF15DF00D8C0FA7BF65FB98328F248569E80A4B246D336D95ADBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.917410989.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 107456d79662cc7255e03f037668ef4d5de3723c1728f155e4bd469c65338ae5
                              • Instruction ID: 81086444da9009ace438be09d582fde16d53f3515a108579c389c6d99e419475
                              • Opcode Fuzzy Hash: 107456d79662cc7255e03f037668ef4d5de3723c1728f155e4bd469c65338ae5
                              • Instruction Fuzzy Hash: 6D21F275504240DFCB14DF18D9C4F16BBA5FB88324F24C9BDE80A4B246C73AD857CA62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.917410989.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.917393516.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.917393516.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions