
Windows Analysis Report SecuriteInfo.com.MachineLearning.Anomalous.94.14541.14773

Overview

General Information

Sample Name: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.14773 (renamed file extension from 14773 to exe)
Analysis ID: 528564
MD5: 4ce54eda7650ff0f8062189f089b162e
SHA1: 0eaa03d538e574a17ac685b3356816f696e47f4b
SHA256: 9246176ddd535c1d48514759ef33e8a129dc6881f685580484a8291940ea5e85
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe" MD5: 4CE54EDA7650FF0F8062189F089B162E)
    • powershell.exe (PID: 7052 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "m@huiijingco.com", "Password": "lNLUrZT2", "Host": "smtp.huiijingco.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.302889154.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.302889154.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000002.561614573.0000000002AA6000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.302163969.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.302163969.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(16 entries in the full report; 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.3730f20.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.3730f20.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(17 entries in the full report; 5 shown)

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe" , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, ParentProcessId: 6176, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, ProcessId: 7052
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe" , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, ParentProcessId: 6176, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, ProcessId: 7052
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132823515381024433.7052.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.10.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "m@huiijingco.com", "Password": "lNLUrZT2", "Host": "smtp.huiijingco.com"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Virustotal: Detection: 15%
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | ReversingLabs: Detection: 15%
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp | String found in binary or memory: http://XYJLds.com
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp, SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561606326.0000000002A9E000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.307311514.000000000360D000.00000004.00000001.sdmp, SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000000.302889154.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.10.unpack, <PrivateImplementationDetails>{4ABBB2DB-DC5F-4430-976A-BB4790921822}/DA284AAA-F83F-465A-A43B-53A7D878247B.cs | Large array initialization: .cctor: array initializer size 11772
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.8.unpack, <PrivateImplementationDetails>{4ABBB2DB-DC5F-4430-976A-BB4790921822}/DA284AAA-F83F-465A-A43B-53A7D878247B.cs | Large array initialization: .cctor: array initializer size 11772
Source: 3.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.0.unpack, <PrivateImplementationDetails>{4ABBB2DB-DC5F-4430-976A-BB4790921822}/DA284AAA-F83F-465A-A43B-53A7D878247B.cs | Large array initialization: .cctor: array initializer size 11772
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.6.unpack, <PrivateImplementationDetails>{4ABBB2DB-DC5F-4430-976A-BB4790921822}/DA284AAA-F83F-465A-A43B-53A7D878247B.cs | Large array initialization: .cctor: array initializer size 11772
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 0_2_00928250 | 0_2_00928250
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 0_2_0092D2E8 | 0_2_0092D2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 0_2_04C28918 | 0_2_04C28918
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 0_2_04C284F4 | 0_2_04C284F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_00D1AB88 | 3_2_00D1AB88
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_00D12400 | 3_2_00D12400
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_00D14D00 | 3_2_00D14D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_00D117F0 | 3_2_00D117F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_00D1DE48 | 3_2_00D1DE48
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_00D1BFD8 | 3_2_00D1BFD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_00FC46A0 | 3_2_00FC46A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_00FC45B0 | 3_2_00FC45B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_05B67540 | 3_2_05B67540
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_05B694F8 | 3_2_05B694F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_05B66928 | 3_2_05B66928
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_05B66C70 | 3_2_05B66C70
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.310317327.0000000005890000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.307311514.000000000360D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHWxEDVqDRWLfvlztRLwemdtqgYZsGrtZFgpKLP.exe4 vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.307311514.000000000360D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.309864020.00000000052D0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHWxEDVqDRWLfvlztRLwemdtqgYZsGrtZFgpKLP.exe4 vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.558898538.00000000007A8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.558712793.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameHWxEDVqDRWLfvlztRLwemdtqgYZsGrtZFgpKLP.exe4 vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Binary or memory string: OriginalFilenameKeyValuePairTypeIn.exe. vs SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Virustotal: Detection: 15%
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe:Zone.Identifier
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20211125
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0qsiy5n.jol.ps1
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: /KeyValuePairTypeIn;component/views/addbook.xaml
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: views/addbook.baml
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: views/addcustomer.baml
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: /KeyValuePairTypeIn;component/views/addcustomer.xaml
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: /KeyValuePairTypeIn;component/views/addbook.xaml
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: views/addcustomer.baml
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: views/addbook.baml
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: /KeyValuePairTypeIn;component/views/addcustomer.xaml
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: a/KeyValuePairTypeIn;component/views/addbook.xamlw/KeyValuePairTypeIn;component/views/borrowfrombookview.xamlm/KeyValuePairTypeIn;component/views/borrowingview.xamlg/KeyValuePairTypeIn;component/views/changebook.xamlo/KeyValuePairTypeIn;component/views/changecustomer.xamlk/KeyValuePairTypeIn;component/views/customerview.xamlo/KeyValuePairTypeIn;component/views/deletecustomer.xamle/KeyValuePairTypeIn;component/views/errorview.xamli/KeyValuePairTypeIn;component/views/smallextras.xamli/KeyValuePairTypeIn;component/views/addcustomer.xaml
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.8.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.8.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.a0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.a0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.5a0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.5a0000.5.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.5a0000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.5a0000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.5a0000.11.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.5a0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 0_2_000A9347 push ds; ret 0_2_000A934C
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 0_2_000A9361 push ds; retf 0_2_000A9364
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 0_2_000A92F5 push ds; ret 0_2_000A9340
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 3_2_005A9347 push ds; ret 3_2_005A934C
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 3_2_005A92F5 push ds; ret 3_2_005A9340
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 3_2_005A9361 push ds; retf 3_2_005A9364
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 3_2_00D1EB90 push eax; retf 3_2_00D1EB91
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 3_2_05B60402 push E801035Eh; ret 3_2_05B60409
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 3_2_05B603F7 push E802005Eh; retf 3_2_05B60401
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.8787752496
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.2669094.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.26fc110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe PID: 6176, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp, SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp, SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6260 | Thread sleep count: 1553 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -239843s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6276 | Thread sleep time: -38337s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -239733s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6260 | Thread sleep count: 2179 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -239621s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -239499s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -239390s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -239281s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -239171s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -239000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -238875s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -238765s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -238623s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -238515s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -238406s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -238296s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -238185s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -238077s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -237953s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -237843s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -237733s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -237623s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -237514s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -237385s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -237249s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -237109s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -236946s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -236821s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -236406s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -235406s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -234406s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6288 | Thread sleep time: -234264s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4024 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6236 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6240 | Thread sleep count: 1350 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe TID: 6240 | Thread sleep count: 8475 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 239843
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 239733
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 239621
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 239499
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 239390
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 239281
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 239171
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 239000
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 238875
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 238765
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 238623
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 238515
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 238406
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 238296
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 238185
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 238077
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 237953
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 237843
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 237733
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 237623
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 237514
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 237385
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 237249
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 237109
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 236946
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 236821
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 236406
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 235406
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 234406
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 234264
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Window / User API: threadDelayed 1553
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Window / User API: threadDelayed 2179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2922
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Window / User API: threadDelayed 1350
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Window / User API: threadDelayed 8475
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Thread delayed: delay time: 38337
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.310715504.0000000006AD0000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp | Binary or memory string: pl"SOFTWARE\VMware, Inc.\VMware T<
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp | Binary or memory string: pl"SOFTWARE\VMware, Inc.\VMware T
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp | Binary or memory string: pl"SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.310715504.0000000006AD0000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareUCTT_MD9Win32_VideoController4GALLHDCVideoController120060621000000.000000-00066824200display.infMSBDA1R4STXWMPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsS2_48PSX]
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp | Binary or memory string: pl%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Code function: 3_2_00D1ECC0 LdrInitializeThunk,3_2_00D1ECC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561005106.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561005106.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561005106.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561005106.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exeCode function: 3_2_05B65D44 GetUserNameW,3_2_05B65D44

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match, file source: 0.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.3730f20.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.36fb900.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.36fb900.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.3730f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000003.00000000.302889154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000000.302163969.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000000.303645199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.558585999.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000000.304322848.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.307311514.000000000360D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.561614573.0000000002AA6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe PID: 6176, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe PID: 4396, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2x)
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match, file source: 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe PID: 4396, type: MEMORYSTR
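The access pattern recorded above (one process opening the Thunderbird and Firefox profiles.ini files, the Chrome Login Data database, the Outlook profile key and the IncrediMail Identities key within a single run) is itself a usable detection signal. The following detector is an added example, not code from the report, the sandbox or the sample: it applies that pattern to constructed file and registry access records. The record format ("kind | image | target") is an assumption standing in for EDR or audit telemetry, and the owner-process names (thunderbird.exe, firefox.exe, chrome.exe, outlook.exe, incmail.exe) are assumptions as well.

```python
"""Flag processes that read mail/browser credential stores they do not own.

Added example (not part of the Joe Sandbox report or the sample). Event
records are a constructed 'kind | image | target' text form, not Sysmon's
XML; the owner-process names for each store are assumptions.
"""
import re
from collections import defaultdict

# Credential stores the sample opened (paths and registry keys as listed in
# the report) and the process that legitimately owns each one (assumed).
CREDENTIAL_STORES = [
    ("thunderbird", r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$", {"thunderbird.exe"}),
    ("firefox", r"\\AppData\\Roaming\\Mozilla\\Firefox\\profiles\.ini$", {"firefox.exe"}),
    ("chrome", r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", {"chrome.exe"}),
    ("outlook", r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676",
     {"outlook.exe"}),
    ("incredimail", r"\\Software\\IncrediMail\\Identities$", {"incmail.exe"}),
]
_COMPILED = [(name, re.compile(pat, re.IGNORECASE), owners)
             for name, pat, owners in CREDENTIAL_STORES]


def classify_access(image, target):
    """Name of the credential store touched by a non-owner process, else None."""
    exe = image.rsplit("\\", 1)[-1].lower()
    for name, rx, owners in _COMPILED:
        if rx.search(target):
            return None if exe in owners else name
    return None


def analyze(events):
    """Map each process image to the set of foreign credential stores it read."""
    touched = defaultdict(set)
    for line in events:
        kind, image, target = (part.strip() for part in line.split("|", 2))
        if kind not in ("file", "registry"):
            continue  # ignore record kinds this detector does not understand
        store = classify_access(image, target)
        if store:
            touched[image].add(store)
    return dict(touched)


def suspicious_processes(events, min_stores=2):
    """Processes reading stores of >= min_stores different applications.

    One foreign store may be a backup agent or a profile migration tool; a
    single process sweeping Thunderbird, Outlook, IncrediMail, Firefox and
    Chrome in one run is the stealer pattern the report shows.
    """
    return {image: sorted(stores) for image, stores in analyze(events).items()
            if len(stores) >= min_stores}


# Constructed sample log: the sample's accesses as listed in the report, plus
# benign owner accesses and a hypothetical backup agent reading one store.
SAMPLE_IMAGE = r"C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe"
_RECORDS = [
    ("file", SAMPLE_IMAGE, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("registry", SAMPLE_IMAGE, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("registry", SAMPLE_IMAGE, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    ("file", SAMPLE_IMAGE, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("file", SAMPLE_IMAGE, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("file", r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("file", r"C:\Program Files\BackupTool\backup.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]
SAMPLE_EVENTS = [" | ".join(record) for record in _RECORDS]

if __name__ == "__main__":
    for image, stores in suspicious_processes(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: read credential stores of {', '.join(stores)}")
```

On a real host the two halves of this need different telemetry: key opens and file reads are not recorded by Sysmon, which logs registry key creation and value writes, so the file and registry accesses would have to come from EDR read telemetry or from Windows object-access auditing (Event ID 4663 with a SACL on the stores). The threshold of two distinct applications is what separates this sample's sweep from a single-store access by a backup or migration tool.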

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match, file sources identical to the "Yara detected AgentTesla" entry under Stealing of Sensitive Information above (10 unpacked PE regions, 8 memory dumps, and the process memory of PIDs 6176 and 4396).

Mitre Att&ck Matrix

Techniques followed by a number in parentheses are those the report matched for this sample (the number reproduces the report's signature-hit superscript); the remaining entries are the unmatched cells of the matrix, listed per tactic in the report's row order.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (311); Command and Scripting Interpreter (2); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (12); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (241); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (13); Indicator Removal from Tools
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (321); Process Discovery (2); Virtualization/Sandbox Evasion (241); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (114)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

(graph image omitted)

Screenshots

(screenshot thumbnails omitted)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | 15% | Virustotal | (none)
SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe | 16% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
3.2.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
3.0.SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://XYJLds.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation

http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: low

https://api.ipify.org%GETMozilla/5.0
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: low

http://DynDns.comDynDNS
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

http://XYJLds.com
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp; SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: (none)
Reputation: high

https://api.ipify.org%
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000002.561606326.0000000002A9E000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: low

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000000.00000002.307311514.000000000360D000.00000004.00000001.sdmp; SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe, 00000003.00000000.302889154.0000000000402000.00000040.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe
Reputation: unknown

                        Contacted IPs

                        No contacted IP infos

                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528564
Start date: 25.11.2021
Start time: 14:04:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.14773 (renamed file extension from 14773 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/4@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 89
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        14:05:36 | API Interceptor | 758x Sleep call for process: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe modified
                        14:05:40 | API Interceptor | 42x Sleep call for process: powershell.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type: data
                        Category: dropped
                        Size (bytes): 22284
                        Entropy (8bit): 5.601591505646068
                        Encrypted: false
                        SSDEEP: 384:1tCD2q0LOkO1R8MYB9PRwS0nUjultI2H7Y9gtrSJ3xCT1MabZlbAV7lW2LWZBDIr:q1R8MYBETUCltJXxcQCqfw8VQ
                        MD5: 4D124085F73CFF9200F6CDFCFB6EC839
                        SHA1: 98910C984B94FB2247EED9AAD4536467C513A785
                        SHA-256: 1245D0CAEA84E856F84675B49D143C7C5C645DD737A64E6158FF22A2204F05AD
                        SHA-512: 4410C52F276599D933F5D43A7B6EB2A00383B8715C0F8C37CDCBAFB52D3AA1EA9BDCC50A5DB48689067049BD4FA0D77EF83FFF54B91F5AE86BE6F1268F1F8905
                        Malicious: false
                        Reputation: low
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b1j2o2gx.24c.psm1
                        Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type: very short file (no magic)
                        Category: dropped
                        Size (bytes): 1
                        Entropy (8bit): 0.0
                        Encrypted: false
                        SSDEEP: 3:U:U
                        MD5: C4CA4238A0B923820DCC509A6F75849B
                        SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious: false
                        Reputation: high, very likely benign file
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0qsiy5n.jol.ps1
                        Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type: very short file (no magic)
                        Category: dropped
                        Size (bytes): 1
                        Entropy (8bit): 0.0
                        Encrypted: false
                        SSDEEP: 3:U:U
                        MD5: C4CA4238A0B923820DCC509A6F75849B
                        SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious: false
                        Reputation: high, very likely benign file
                        Preview: 1
                        C:\Users\user\Documents\20211125\PowerShell_transcript.287400.d+yQR6Ej.20211125140539.txt
                        Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
                        Category: dropped
                        Size (bytes): 5921
                        Entropy (8bit): 5.380444983318727
                        Encrypted: false
                        SSDEEP: 96:BZUh5N/tqDo1Z7Zjh5N/tqDo1ZRga4jZ7h5N/tqDo1Zi9oodZa:1
                        MD5: 4A1BB70E8685422D7051C4D6C5CC2F40
                        SHA1: D995EC8EEFDA7F5959E7821D4A22F53336B3978C
                        SHA-256: 742AA9A762245844C70FD0C35A6872E9E500520F1CBA9A5351BC3DB7BC6F5D6E
                        SHA-512: 2C89B4B8A15F37FDF73FFBD3847DFA68F88165447479458256BBE7F3AE530336899EED0060D04AFB336A0C9CAB4D18BD163DBDBD7AF4D6293312C2D326158E9E
                        Malicious: false
                        Reputation: low
                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20211125140540..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 287400 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe..Process ID: 7052..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211125140540..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe..**********************..Windows PowerShell transcript start..Start time: 20211125140932.

                        Static File Info

                        General

                        File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit): 7.868157297120685
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name: SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
                        File size: 498688
                        MD5: 4ce54eda7650ff0f8062189f089b162e
                        SHA1: 0eaa03d538e574a17ac685b3356816f696e47f4b
                        SHA256: 9246176ddd535c1d48514759ef33e8a129dc6881f685580484a8291940ea5e85
                        SHA512: 2a04edb11d4d26580cc3d39840897b273b0c33fdae8a0a8f4649ce5318a9cabfd8e30961dc625cb6d1720611bf7098b7d19ef0fefc93615dd0c0105436be6d59
                        SSDEEP: 12288:f8sBOM0eixBFmzbSyuEpAgXoXJTo2+9A3x2pHlAQomss61Qna:f8sAM0ei1EcEr8Smh2pHlAL+61Qna
                        File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y.a..............0.................. ........@.. ....................................@................................

                        File Icon

                        Icon Hash: 00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint: 0x47b0b6
                        Entrypoint Section: .text
                        Digitally signed: false
                        Imagebase: 0x400000
                        Subsystem: windows gui
                        Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp: 0x619F59DB [Thu Nov 25 09:39:39 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version: v4.0.30319
                        OS Version Major: 4
                        OS Version Minor: 0
                        File Version Major: 4
                        File Version Minor: 0
                        Subsystem Version Major: 4
                        Subsystem Version Minor: 0
                        Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7b064 | 0x4f | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x5ec | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0x790cc | 0x79200 | False | 0.895851473813 | data | 7.8787752496 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x7c000 | 0x5ec | 0x600 | False | 0.438802083333 | data | 4.2127347954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x7e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_VERSION | 0x7c090 | 0x35c | data | |
                        RT_MANIFEST | 0x7c3fc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                        Imports

                        DLL | Import
                        mscoree.dll | _CorExeMain

                        Version Infos

                        Description | Data
                        Translation | 0x0000 0x04b0
                        LegalCopyright | Copyright Rogers Peet
                        Assembly Version | 8.0.6.0
                        InternalName | KeyValuePairTypeIn.exe
                        FileVersion | 5.6.0.0
                        CompanyName | Rogers Peet
                        LegalTrademarks |
                        Comments |
                        ProductName | Biblan
                        ProductVersion | 5.6.0.0
                        FileDescription | Biblan
                        OriginalFilename | KeyValuePairTypeIn.exe

                        Network Behavior

                        No network behavior found

                        Code Manipulations


                        System Behavior

                        General

                        Start time: 14:05:35
                        Start date: 25/11/2021
                        Path: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe"
                        Imagebase: 0xa0000
                        File size: 498688 bytes
                        MD5 hash: 4CE54EDA7650FF0F8062189F089B162E
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.307311514.000000000360D000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.307311514.000000000360D000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.306897551.00000000026CB000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.306734942.0000000002601000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation: low

                        General

                        Start time: 14:05:38
                        Start date: 25/11/2021
                        Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
                        Imagebase: 0xaa0000
                        File size: 430592 bytes
                        MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: .Net C# or VB.NET
                        Reputation: high

                        General

                        Start time: 14:05:38
                        Start date: 25/11/2021
                        Path: C:\Windows\System32\conhost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase: 0x7ff7f20f0000
                        File size: 625664 bytes
                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 14:05:39
                        Start date: 25/11/2021
                        Path: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Users\user\Desktop\SecuriteInfo.com.MachineLearning.Anomalous.94.14541.exe
                        Imagebase: 0x5a0000
                        File size: 498688 bytes
                        MD5 hash: 4CE54EDA7650FF0F8062189F089B162E
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.302889154.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.302889154.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.561614573.0000000002AA6000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.302163969.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.302163969.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.303645199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.303645199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.558585999.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.558585999.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.304322848.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.304322848.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.561540935.00000000029F1000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation: low

                        Disassembly

                        Code Analysis


                          Executed Functions

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.306237956.0000000000920000.00000040.00000001.sdmp, Offset: 00920000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: 48ul$48ul$d
                          • API String ID: 0-640939438

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: P
                          • API String ID: 0-3110715001

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: =
                          • API String ID: 0-2322244508

                          Memory Dump Source
                          • Source File: 00000000.00000002.306237956.0000000000920000.00000040.00000001.sdmp, Offset: 00920000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: $%ql$$%ql
                          • API String ID: 0-3927764975

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 00924522
                          Memory Dump Source
                          • Source File: 00000000.00000002.306237956.0000000000920000.00000040.00000001.sdmp, Offset: 00920000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 009247CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.306237956.0000000000920000.00000040.00000001.sdmp, Offset: 00920000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 00924522
                          Memory Dump Source
                          • Source File: 00000000.00000002.306237956.0000000000920000.00000040.00000001.sdmp, Offset: 00920000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b00aa99816d83720c3f47339f69ea11a07d3fb4e8565300635a0711ed9bb3216
                          • Instruction ID: 166c0827025360ffb39bcf03606248f2db3bc509a140037ad8e8c6d0c3d786ce
                          • Opcode Fuzzy Hash: b00aa99816d83720c3f47339f69ea11a07d3fb4e8565300635a0711ed9bb3216
                          • Instruction Fuzzy Hash: C9A19B30B00229AFCB15DF65C955AAE7BB7AF89304F04842DE8069B394CF70ED46DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 37f6bacc4a429ef0c0fb31921f821d7aa2a7743d2a963baaa4a29e727053bcfc
                          • Instruction ID: 539f5ba5aae8ddba18c3c902f4a5dda6f0154183a3798e884213a22fa9d08824
                          • Opcode Fuzzy Hash: 37f6bacc4a429ef0c0fb31921f821d7aa2a7743d2a963baaa4a29e727053bcfc
                          • Instruction Fuzzy Hash: 1251E231B0022E8FCB10DFB5CA88A6E77B7AB89704F15442DD405C7364EBB0F901AB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 667a49bc36cdc7619c22745567063b13b3ebf3cfbb81ba6738b45e89a8f3457a
                          • Instruction ID: 9e651cecac54927201987fc9ddcfa65ecb68324a90698784136e08bd81127c4d
                          • Opcode Fuzzy Hash: 667a49bc36cdc7619c22745567063b13b3ebf3cfbb81ba6738b45e89a8f3457a
                          • Instruction Fuzzy Hash: 0C715B35A00618DFDB14DFA9C954A9DBBF2FF88310F108569E909AB360DB71AD85CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 84a5bd90e64a103afdc635de84b8a3caf3bf72854d301571a90afc9785e8b3ae
                          • Instruction ID: 91ec7fc7e75a7469db3cb1b47357fb98fd934007336e29a9c4839fee23ed8ea2
                          • Opcode Fuzzy Hash: 84a5bd90e64a103afdc635de84b8a3caf3bf72854d301571a90afc9785e8b3ae
                          • Instruction Fuzzy Hash: BF51D031B012558FDB04DBB9D8548AFBBB7EFC5224B148929E429DB390EB70DD068791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 247f547a9eec8255036f34b362e2199ffa3c8ec490958b7155d49dbd65f852dc
                          • Instruction ID: f345d1d4e94ac671bf6ef86a141c2e1d81d05283ab4bbea3805135dffa56d9fb
                          • Opcode Fuzzy Hash: 247f547a9eec8255036f34b362e2199ffa3c8ec490958b7155d49dbd65f852dc
                          • Instruction Fuzzy Hash: C4515BB0B04A66CFCB00CF69C6416BEFBB2FF44305F148666E4599B6A1E774E940CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 74d124d8453a80ab98944d3ad86dfc408836b695b717c18b07bcdfff87ec38c8
                          • Instruction ID: fd883454aea21738fc95701916536e397372316e5fab9b23650d41a6debf69f4
                          • Opcode Fuzzy Hash: 74d124d8453a80ab98944d3ad86dfc408836b695b717c18b07bcdfff87ec38c8
                          • Instruction Fuzzy Hash: CE41A1B1D01219DFDB10DFE9C984ACEFBB5AF48308F24852AD509BB214D7756A4ACF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9bf1bb73f59f17d6e5eaac850844e81d83847ad39ce1a0796bdc5b3c6cca5d74
                          • Instruction ID: f20213344b68dbdc9c63973c1c82efa903d7ebff89bb08392b87538031aa1494
                          • Opcode Fuzzy Hash: 9bf1bb73f59f17d6e5eaac850844e81d83847ad39ce1a0796bdc5b3c6cca5d74
                          • Instruction Fuzzy Hash: 40315D343002448FD710EB76C884D9AB7E6EFC5708B14896EE2069F7B8DBB1EC018B94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cbd20d1da097d9b33b5c5e78a39fa94be4e4fbf27ebe35a467ec1c409b116f74
                          • Instruction ID: c40162b9994247e8037affae44d18d77027d12180759c3f554d8d800933ad770
                          • Opcode Fuzzy Hash: cbd20d1da097d9b33b5c5e78a39fa94be4e4fbf27ebe35a467ec1c409b116f74
                          • Instruction Fuzzy Hash: 9A3150F0B05624CBDB20CB69CA416AAF3E2FF44311F088656E06ADB291D3B4E954D755
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cf235a60c74627d980b9472a9eb305ab38e054ff98a2028d975aaffabf1a2098
                          • Instruction ID: 0c7c8e03ac858988e1db39c6a35e6f3d92b1b67c236fd482a9fa5d19a1ca5ab8
                          • Opcode Fuzzy Hash: cf235a60c74627d980b9472a9eb305ab38e054ff98a2028d975aaffabf1a2098
                          • Instruction Fuzzy Hash: 8E21B6B2A16662CFD7154F28CAC82B5B7A2DB12325F1840BBD0458F162E7B5A947C711
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5bbf90159cccf16cafc1ec57b22f726e95e7287b44621dc5633bfe0f8dea26d8
                          • Instruction ID: 84b317cdd6fe445429a972adce7fe87334ef3b75afbda08abe2fb6dbe1317cba
                          • Opcode Fuzzy Hash: 5bbf90159cccf16cafc1ec57b22f726e95e7287b44621dc5633bfe0f8dea26d8
                          • Instruction Fuzzy Hash: 66212CF0F08565CBC700CB6ACA003BEB662FF84310F0881279455DA2D1D778E991C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.306037102.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bf5087dec79a7acdf2ff938de600bda61c6cd347c1a8df9bbbf6d045919c94ec
                          • Instruction ID: d38c077960e0037e70aa5e882a5625e0ad09a4d82eb48346438ab34be63b5f9f
                          • Opcode Fuzzy Hash: bf5087dec79a7acdf2ff938de600bda61c6cd347c1a8df9bbbf6d045919c94ec
                          • Instruction Fuzzy Hash: C3210672501380EFCF15DF50D9C4BABBBA6FB88314F248669E9091B246C336D816CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.306037102.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0aacc8556ca3194586bf435fcbc32e02b6eba9830403b6f77e60eaf53218e78a
                          • Instruction ID: fa3bd3e1455abc2cb2dd72e6aa59ae5a2d1d541a7c54fb7f93a6aebd165f95a0
                          • Opcode Fuzzy Hash: 0aacc8556ca3194586bf435fcbc32e02b6eba9830403b6f77e60eaf53218e78a
                          • Instruction Fuzzy Hash: 6C2103B1505380EFDF05CF50D9C4B6ABB66FB98328F248569E8090B356C336E846CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.306077194.00000000006FD000.00000040.00000001.sdmp, Offset: 006FD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cd0a7a1a0abdeb2ac464bcfb3fe7f6ce3b41b11a3909774714936a22cb071806
                          • Instruction ID: 09eb91ab78ebc0f8af9fdb3862e39372822b77b0da32e745e1309c23676f8d88
                          • Opcode Fuzzy Hash: cd0a7a1a0abdeb2ac464bcfb3fe7f6ce3b41b11a3909774714936a22cb071806
                          • Instruction Fuzzy Hash: 9121F571504248DFDB14DF60D9C4B66BB67FB84314F24C96DEA094B346CB36E847CA61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f7115b08d2b87ff310f7f6427bf4495ac61d142315e780c1063528856fe44759
                          • Instruction ID: 47b0be5be5e114956fc9b5413b08fa73d1000e54a62ddb068b4d32548e7bb4ca
                          • Opcode Fuzzy Hash: f7115b08d2b87ff310f7f6427bf4495ac61d142315e780c1063528856fe44759
                          • Instruction Fuzzy Hash: 4121FF70B04214AFE745AB748D06BEE3FBBEB85300F10C869E505EB285DF70AE0587A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9edba81fca78d6dd89bbbf1bbfc6a0f0f4bf5c5923b8d8d356abc3fdc4e89356
                          • Instruction ID: 784a5777e2c644ca304f9e7891bdef83b22af9ef2e61547d25846c6d32a055d0
                          • Opcode Fuzzy Hash: 9edba81fca78d6dd89bbbf1bbfc6a0f0f4bf5c5923b8d8d356abc3fdc4e89356
                          • Instruction Fuzzy Hash: 7A31C2B0D01228DFDB24DFD9C584BCEBBF9AB48314F24846AE504BB240D7B5A945CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.306077194.00000000006FD000.00000040.00000001.sdmp, Offset: 006FD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dcf99af0750e74e70b3b7074b7da70fc8532cb3b1bfd020ed01002eb7bb2cc20
                          • Instruction ID: bd6aebc831ec04064ca9612904ac434b7bcbb4bc0d0d1774ef505e003c870e2a
                          • Opcode Fuzzy Hash: dcf99af0750e74e70b3b7074b7da70fc8532cb3b1bfd020ed01002eb7bb2cc20
                          • Instruction Fuzzy Hash: 712180755093C48FCB02CF20D990715BF72EB46314F28C5EAD9498B697C33A980ACB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.306037102.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 33cf08b4bb2ad5d99244916b0f8a18bc6804ba9c3a6733da1d6e7bec8f293790
                          • Instruction ID: e313e003901407c7f2ce6ced5953a0b5a117acb54aca10af8ba15a34f4c17387
                          • Opcode Fuzzy Hash: 33cf08b4bb2ad5d99244916b0f8a18bc6804ba9c3a6733da1d6e7bec8f293790
                          • Instruction Fuzzy Hash: A621AF76404280DFCF16CF10D9C4B96BF72FB88314F2886A9D9480B656C33AD866CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ec5380d5b5adb7deb8fd2efc00fa2ee103c0609653cd0e0ade382a815c5f3e96
                          • Instruction ID: 8efb555849956bc2e1ab5d4eed274b7bddb45cb4ccb0bf35ca874904af3277c3
                          • Opcode Fuzzy Hash: ec5380d5b5adb7deb8fd2efc00fa2ee103c0609653cd0e0ade382a815c5f3e96
                          • Instruction Fuzzy Hash: 9A118C31B002198B8B54EBB999105EEB7F6AFC5314B18807AC504E7740EF719E15CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.306037102.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 126d6a370d32116efd8d3f42ee2ee6af0e33e49a79e3b015178476bcf27a00c2
                          • Instruction ID: cd7c8eb046fa4a114cf2ae475a7b2b2429c623f62f548236803fac6cacc2ad7b
                          • Opcode Fuzzy Hash: 126d6a370d32116efd8d3f42ee2ee6af0e33e49a79e3b015178476bcf27a00c2
                          • Instruction Fuzzy Hash: A9119D76404280DFCF16CF10D5C4B5ABF62FB94324F2886A9D8450B656C336D85ACBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d980680acd270dc075fc2d340c4749e3575c874c54332feaf8c1dca25746dee2
                          • Instruction ID: 7f278b8453b074fed725803f190897c3e25401372821f7aa01fdf7fc3ba11afc
                          • Opcode Fuzzy Hash: d980680acd270dc075fc2d340c4749e3575c874c54332feaf8c1dca25746dee2
                          • Instruction Fuzzy Hash: F60188B4D082089FDB00DFB4DA146EEBFB1FF5A314F0085AAD829A3350D7701A00DB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ee58290c582e9c10e35a4ceb4a2c4f8c7791615dcead96cdd54ff4d40479c5e0
                          • Instruction ID: cf87ae01a95034d586586493db0bc5d90a62fc5a32bcbd26f19d4a9d34bd99dc
                          • Opcode Fuzzy Hash: ee58290c582e9c10e35a4ceb4a2c4f8c7791615dcead96cdd54ff4d40479c5e0
                          • Instruction Fuzzy Hash: 5F1122B59002089FCB10DFAAC484BDFBBF8EB58324F14841AE559A7300D374AA44CFE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.306037102.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b67f27fb35ebdd257445966481c546994f83cf0b7610f2a78e93f02c1b1c564
                          • Instruction ID: 1301f988f5f45f00165fc16ea2b6bf8b800bc990b159481911904bedc0f0eead
                          • Opcode Fuzzy Hash: 9b67f27fb35ebdd257445966481c546994f83cf0b7610f2a78e93f02c1b1c564
                          • Instruction Fuzzy Hash: D501F7715063C09AE7108A67CCC4BA7BB9DDF41728F18881AE9041B387D3789844CAB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d070dfc6dba4e3f72b315bcb96248e2afb4cd92df4a51c4b5a1ec54f50fa09ba
                          • Instruction ID: e104122752b261c6620ea653b8ac7b1eb1a0a5727603bcc38f9518d634d53ca7
                          • Opcode Fuzzy Hash: d070dfc6dba4e3f72b315bcb96248e2afb4cd92df4a51c4b5a1ec54f50fa09ba
                          • Instruction Fuzzy Hash: 88F036312007149B9310DFAAD8808DBB7ABDFC52187408E2EE08A9B711DB71F90A4BE5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.306037102.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c97f88aa9d94b44e21ed6e9a62a9cf0752285277baf7c9b03d8c9d05789386c9
                          • Instruction ID: 3fdee8b1feb4e884b43451e4be13297210b397f278f58878eecd80f0fbe99a93
                          • Opcode Fuzzy Hash: c97f88aa9d94b44e21ed6e9a62a9cf0752285277baf7c9b03d8c9d05789386c9
                          • Instruction Fuzzy Hash: 19F062714053849AEB108E16CC84BA6FF98EB51734F18C45AED485F786D378AC44CAB5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e21e363161c74b4d233ca165aef00b9a9f12f6866ed66ae4073945d36f0539b0
                          • Instruction ID: f2f79228d9866850609448d494d789a00d387e0a8f10d93990208eef5a0eb089
                          • Opcode Fuzzy Hash: e21e363161c74b4d233ca165aef00b9a9f12f6866ed66ae4073945d36f0539b0
                          • Instruction Fuzzy Hash: F101E870800629EFDB14CF6AC5043AEBAF2EF48351F14C225E824AA294D7B45A44CFD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aa92fbdae6e3e50601edfff3cd8c5aa6b1dbfc2b59de8ef28dbcd51907a4c0e2
                          • Instruction ID: e6e462324a23041da9c2f6e1869673274ac04eff35c32cfee58dfea4b1897e7b
                          • Opcode Fuzzy Hash: aa92fbdae6e3e50601edfff3cd8c5aa6b1dbfc2b59de8ef28dbcd51907a4c0e2
                          • Instruction Fuzzy Hash: 1A01C974D01209DFCB40DFA8D684A9EBBF1FF49304F148AA9D814A7365D770AA45CF80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 04409c935e579a4934cca1d28e170b0e62fcb074eb81a7a6e8485d8a0e866e14
                          • Instruction ID: af014d356b04d1a83cbf002da557192ca59c8fc7e30c66a099055515775b8fe9
                          • Opcode Fuzzy Hash: 04409c935e579a4934cca1d28e170b0e62fcb074eb81a7a6e8485d8a0e866e14
                          • Instruction Fuzzy Hash: 40F037B4D08248DFDB00DFB4EA656AEBFB1FB4A300F1081AAC814A3251D7700A01DB01
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 573850051cb287a52f9f8df95318b936f82967a3702436d721718e8cb5bc881f
                          • Instruction ID: ae661b02f0c93df6b7ecea1b44d42d92dce3d3aa0edb70116f4b2a4a9412ea6f
                          • Opcode Fuzzy Hash: 573850051cb287a52f9f8df95318b936f82967a3702436d721718e8cb5bc881f
                          • Instruction Fuzzy Hash: 72E065727001645F5304D66EDC84C6BB7EEEBCD6743518179F60CC7310D9309C00C6A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 12a6d717b0149a559f5ed0fca66a458e42eaaca96f42091a9ffba016ea2d32f6
                          • Instruction ID: 19c487ddfeaba9b0e2e62c4ed9b558f391c6d0c4c7f2a57d0958492cee0ba672
                          • Opcode Fuzzy Hash: 12a6d717b0149a559f5ed0fca66a458e42eaaca96f42091a9ffba016ea2d32f6
                          • Instruction Fuzzy Hash: 62F0D474D0420CEFDB44DFA9EA04AAEBBB2FB49300F1095AAD814A3354DB705A51DF55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2883365577348b83b56a35d4c25eb83bd99ca8885cfbfca0a35e7a259004771e
                          • Instruction ID: 1c489a7ee8c06ca2252c301f05d5eae2cfd14d2d20ff30e0e26b8c856f3d3d4f
                          • Opcode Fuzzy Hash: 2883365577348b83b56a35d4c25eb83bd99ca8885cfbfca0a35e7a259004771e
                          • Instruction Fuzzy Hash: C5E0863234026427E11921569827FB7B60ED7C0A50F10806EF9058F786CDE26D0642A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a362a5e45e68d522790a983fd7b87ca57d7c4d6505c2cbeb7f7e1b69884fa67
                          • Instruction ID: 4f4a37317612db5e06520ed73be28451241df8d90fafffdb4cabe897ad206dd9
                          • Opcode Fuzzy Hash: 5a362a5e45e68d522790a983fd7b87ca57d7c4d6505c2cbeb7f7e1b69884fa67
                          • Instruction Fuzzy Hash: E5E04F30505108EBCB00EFA0D9428AE77BEEB49214B118559D90997318DA316E019B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e7c131cc492ef75489e887305f4f85dbe230b2656a553358075ed1af50abf294
                          • Instruction ID: e239a282c17227723992db46a6481d16d23c91fcad3a9e0446ab89e48cf3db14
                          • Opcode Fuzzy Hash: e7c131cc492ef75489e887305f4f85dbe230b2656a553358075ed1af50abf294
                          • Instruction Fuzzy Hash: 40D02B64F0C3E10FEB6A06B625102E61F939A8202430E00DFC2029B453FA90780187C2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 216c39918026a543ff7ae6a08de85357acad0198e7e5ef9e0e5b5363865c0fe5
                          • Instruction ID: 1448ba7650df9953539b05d8fa149637024615e461027ba0debcefa099a4d3ec
                          • Opcode Fuzzy Hash: 216c39918026a543ff7ae6a08de85357acad0198e7e5ef9e0e5b5363865c0fe5
                          • Instruction Fuzzy Hash: 56D0C9357001148FC704EB5DE44499537EDEF8E66575140BAF50ACB3A1DAB1AC419B80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8a2d6fd396e8dee145bb52f26bb1de21e6eb6b85087ad6faa64e2a6ed2f9ec5
                          • Instruction ID: abff290590b25cf009809b30b29484865d7ee1fd051c80c68c1907b3fbda2d58
                          • Opcode Fuzzy Hash: d8a2d6fd396e8dee145bb52f26bb1de21e6eb6b85087ad6faa64e2a6ed2f9ec5
                          • Instruction Fuzzy Hash: 77C04C35144110AA8601A7518695C9A76D6FB55204B498C6665C446120DB61D515EB06
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.309398742.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f7b61ea13e44f8c3c13359f5aac7302c7830e42488fca82ebc108a3d02f9da3
                          • Instruction ID: 517fa50f8b265090b9ab3f6ba48ed575670e3248225827374384f4f057cc64d8
                          • Opcode Fuzzy Hash: 7f7b61ea13e44f8c3c13359f5aac7302c7830e42488fca82ebc108a3d02f9da3
                          • Instruction Fuzzy Hash: EDC04C39100508ABCB05AF55F9099597B6AEB9C263714C121F84946220DB75AD519AA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Executed Functions

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.560573891.0000000000D10000.00000040.00000010.sdmp, Offset: 00D10000, based on PE: false
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05B6B63B
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 00FC69A0
                          • GetCurrentThread.KERNEL32 ref: 00FC69DD
                          • GetCurrentProcess.KERNEL32 ref: 00FC6A1A
                          • GetCurrentThreadId.KERNEL32 ref: 00FC6A73
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 00FC69A0
                          • GetCurrentThread.KERNEL32 ref: 00FC69DD
                          • GetCurrentProcess.KERNEL32 ref: 00FC6A1A
                          • GetCurrentThreadId.KERNEL32 ref: 00FC6A73
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: fcc84b39fc990c7493e33e64df8bdaed618f042ee398557d1da61e74b76ac5b0
                          • Instruction ID: 78b54f4815f4fff9af4514f582223b3543751d0fbc4a9729d70bb1038eaa89b6
                          • Opcode Fuzzy Hash: fcc84b39fc990c7493e33e64df8bdaed618f042ee398557d1da61e74b76ac5b0
                          • Instruction Fuzzy Hash: 2E616E70A012688FCB65DB64CD58BADB7B6BF88201F5080EAD409E3344DF749E82CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: 3c7ae75c08cdf408019a6bfc697a47d5644b7f311dd52e9178f6fa4fdb8526a5
                          • Instruction ID: 0b3f4731c93cd8ea96b8cdf9a4de44939ab9b692229e5ad40f3268a8e20596c7
                          • Opcode Fuzzy Hash: 3c7ae75c08cdf408019a6bfc697a47d5644b7f311dd52e9178f6fa4fdb8526a5
                          • Instruction Fuzzy Hash: 58615070A012688FCB55DB64CC58BADB7B6BF88201F5084DAD409E3344DF349E82CF55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: f6ba98189042e765a355595d55eb6b2eb529b8420022a7cd32c6c271dd903e4f
                          • Instruction ID: e53827a41db1276cafaf5f5b02a69b9243b886ec0d886ca4206fffd589113f11
                          • Opcode Fuzzy Hash: f6ba98189042e765a355595d55eb6b2eb529b8420022a7cd32c6c271dd903e4f
                          • Instruction Fuzzy Hash: C6516070A102688FCB55DB64CC68BADB7B6AF88205F5084DAD809E3744DF349E81CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: bfae1ea5e62bd3810e2b9a4176e2666874f060aaaefdc5ddd5424f736d04c196
                          • Instruction ID: 9f33d79fbccda25e8786244b3f4bcf516d632b4aaa90809dec7eb61bf618f2b2
                          • Opcode Fuzzy Hash: bfae1ea5e62bd3810e2b9a4176e2666874f060aaaefdc5ddd5424f736d04c196
                          • Instruction Fuzzy Hash: EC516170B102648FCB55DB64CC68BADB7B6AF88205F5084DAD809E3744DF349E82CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05B6B63B
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: c6fb3d573dfa36280e1d2cf4c9bdd529b933438fd8c70a529cf3287e42986443
                          • Instruction ID: b035f906d256688f99df5b7571d6ec1235ea23133761a65caaff0b059defa040
                          • Opcode Fuzzy Hash: c6fb3d573dfa36280e1d2cf4c9bdd529b933438fd8c70a529cf3287e42986443
                          • Instruction Fuzzy Hash: AE51EFB0D002188FDB18CFA9C898BDDBBB1BB48314F15856AE815AB390D778A844CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05B6B63B
                          Memory Dump Source
                          • Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: 7c4190a1bf6cf3774ae6c2c3c7d84f11777ef439428a7e27fd7b4fd239665a56
                          • Instruction ID: eb24a7fa1a96658eea821cd3b9829126dc531afe498d2310201bc68420252677
                          • Opcode Fuzzy Hash: 7c4190a1bf6cf3774ae6c2c3c7d84f11777ef439428a7e27fd7b4fd239665a56
                          • Instruction Fuzzy Hash: 9D51D271D102188FDB14CFA9C894BDEBBB1FF48314F54856AE815AB390D778A844CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FC51A2
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 76c44269faf4a822d84ec058b40eef1ba8eedf4ceeffb05df7998e635124a4c6
                          • Instruction ID: 474dd201e01695701aeaad03ed8d67f79801433c2ad43c6a12693109024225c9
                          • Opcode Fuzzy Hash: 76c44269faf4a822d84ec058b40eef1ba8eedf4ceeffb05df7998e635124a4c6
                          • Instruction Fuzzy Hash: ED51C1B1D003099FDF14CFA9C985ADEBBB5BF88314F24812EE815AB210D775A985CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FC51A2
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: a55e35b569c7cf78a2948f29ed570503f14b2095b30750e067dce1fb6dad3934
                          • Instruction ID: 16a4d7fffd73d2559689968862233be4320a200baafeea4637bcd67b4462a3d5
                          • Opcode Fuzzy Hash: a55e35b569c7cf78a2948f29ed570503f14b2095b30750e067dce1fb6dad3934
                          • Instruction Fuzzy Hash: 0741C1B1D003099FDF14CF9AC984ADEBBB5BF48314F64812EE819AB210D775A985CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 00FC7F01
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: CallProcWindow
                          • String ID:
                          • API String ID: 2714655100-0
                          • Opcode ID: d531f73dcda5f3df3978dd5634c3341fae824cae6783d9eb9678515e08aae6d2
                          • Instruction ID: b34969811914d1af90f387f29a056925a498e43cb8cb486c50ed4d69e4436ca0
                          • Opcode Fuzzy Hash: d531f73dcda5f3df3978dd5634c3341fae824cae6783d9eb9678515e08aae6d2
                          • Instruction Fuzzy Hash: A74128B59043068FCB14CF99C489FAABBF5FB48324F24889DE419A7321D374A841DFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 00FCC192
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: a0d4837ef88d03feced71bd712864575b46286a6ffb7b87bb0c4a1d06089ab6d
                          • Instruction ID: 025deb59d5b8879954e83fded5e15136a774a3d5dbeff4d73f38b01bc79f346a
                          • Opcode Fuzzy Hash: a0d4837ef88d03feced71bd712864575b46286a6ffb7b87bb0c4a1d06089ab6d
                          • Instruction Fuzzy Hash: BB31E071C052858FDB11CFB5D6467EEBFB0EB06318F28845ED489A7242C7795809CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FC6BEF
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 31bec21fc548b0f3aacb8e8a7b6081e9d0fc1d43abc36e6b25e0eb420b7691a9
                          • Instruction ID: fab78748eba341128839aa0205195344fda76b8debe9d2cb68bb7c9a7a1176b5
                          • Opcode Fuzzy Hash: 31bec21fc548b0f3aacb8e8a7b6081e9d0fc1d43abc36e6b25e0eb420b7691a9
                          • Instruction Fuzzy Hash: C421D3B5D002499FDB10CFAAD984ADEBBF8FB48324F14841AE955B3350D374A944DFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FC6BEF
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: b17b1a67099d414eadcec66217a2f2e4952f287179db967c761d42c2ca4a2242
                          • Instruction ID: dd38d635524980f9a80f8c2fd2a18d9afd22d912b357a1422d769cac8b9c90b3
                          • Opcode Fuzzy Hash: b17b1a67099d414eadcec66217a2f2e4952f287179db967c761d42c2ca4a2242
                          • Instruction Fuzzy Hash: 732112B5900249DFDB10CFAAD985ADEBBF8FB48320F14841AE954B3350D374A944DFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 00FCC192
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: c6ba630024e0fb9db204f58ea1ae7e3b237c36d2f287db0e257a98530937c442
                          • Instruction ID: ef60083e33ef37bbfea40cb33984bb93ad94f88597027036789d1937e585778f
                          • Opcode Fuzzy Hash: c6ba630024e0fb9db204f58ea1ae7e3b237c36d2f287db0e257a98530937c442
                          • Instruction Fuzzy Hash: 46116DB1D0130A8FDB10DFA6C649B9EBBF4FB04724F24882ED409A3641C7796944CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00FC4116
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 3f8bff804d2668e08c05ae1fcbeeaecc4f5fc67b3ddda3568b98f2711b5ebb0a
                          • Instruction ID: d4ad2052f0142cad71747ee076cbfc40149e03e58af21eb637ad496cffdfd577
                          • Opcode Fuzzy Hash: 3f8bff804d2668e08c05ae1fcbeeaecc4f5fc67b3ddda3568b98f2711b5ebb0a
                          • Instruction Fuzzy Hash: 6B11F0B6C0064A8BDB20CF9AD548BDEBBF4EB48324F14842ED959B7600D375A945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00FC4116
                          Memory Dump Source
                          • Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 9133462a85288464aa1ea996fa0023acc1f52f7604cf51009570f10a2e2ac516
                          • Instruction ID: d253a22637d58f63b7408adeebf03b9f84d62e452aba00febbf2f27f600756f7
                          • Opcode Fuzzy Hash: 9133462a85288464aa1ea996fa0023acc1f52f7604cf51009570f10a2e2ac516
                          • Instruction Fuzzy Hash: 9D1132B6C002498FCB20CFAAC845BDEBBF4EB88324F14842ED469B7600D374A545CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

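The listing above is emitted once per function, so the same call site (for example KiUserExceptionDispatcher at 05B6CFC0, or GetUserNameW at 05B6B63B) recurs across many entries that differ only in their Opcode and Instruction IDs. When triaging a report like this it is easier to work from unique call sites per memory dump, and to note which dumps carry "based on PE: false", i.e. code that was not mapped from a PE file on disk and existed only in memory when the dump was taken (consistent with an unpacked stage). The parser below is an added example, not part of the Joe Sandbox report or its tooling; it reads the plain-text entry format shown on this page. The SAMPLE_REPORT input is constructed from four entries copied from the listing above.

```python
"""Collapse a Joe Sandbox 'Executed Functions' listing to unique API call
sites per memory dump region.

Added example, not part of the sandbox report.  It understands only the
plain-text entry layout used on this page:

    APIs
    • <Api>.<MODULE>(<args>), ref: <hex>
    Memory Dump Source
    • Source File: <file>, Offset: <hex>, based on PE: <true|false>
    Similarity
    • Opcode ID: <64 hex chars>
    ...
"""
import re

# Constructed sample: four entries taken verbatim from the listing above.
SAMPLE_REPORT = """\
APIs
• KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
Memory Dump Source
• Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 41263fcc10e4f3b0690b1f72da8a1341c8ae536422f172f7a6ddd7d87de4b90b
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0
Memory Dump Source
• Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
Similarity
• Opcode ID: fcc84b39fc990c7493e33e64df8bdaed618f042ee398557d1da61e74b76ac5b0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05B6B63B
Memory Dump Source
• Source File: 00000003.00000002.562005039.0000000005B60000.00000040.00000001.sdmp, Offset: 05B60000, based on PE: false
Similarity
• Opcode ID: c6fb3d573dfa36280e1d2cf4c9bdd529b933438fd8c70a529cf3287e42986443
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FC51A2
Memory Dump Source
• Source File: 00000003.00000002.560816674.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: false
Similarity
• Opcode ID: 76c44269faf4a822d84ec058b40eef1ba8eedf4ceeffb05df7998e635124a4c6
Uniqueness

Uniqueness Score: -1.00%
"""

# "• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05B6B63B"
# "• KiUserExceptionDispatcher.NTDLL ref: 05B6CFC0"   (no args, no comma)
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<file>\S+?),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
OPCODE_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")


def parse_entries(text):
    """Yield one dict per function entry; entries are split on the 'APIs' header."""
    for chunk in re.split(r"^[ \t]*APIs[ \t]*$", text, flags=re.M):
        if "Source File:" not in chunk:
            continue  # preamble / trailing text, not a function entry
        entry = {"apis": [], "source": None, "pe_backed": None, "opcode_id": None}
        for raw in chunk.splitlines():
            line = raw.strip()
            m = API_RE.match(line)
            if m:
                entry["apis"].append((m["module"], m["api"], m["ref"].upper()))
                continue
            m = SOURCE_RE.search(line)
            if m:
                entry["source"] = (m["file"], m["offset"].upper())
                entry["pe_backed"] = m["pe"] == "true"
                continue
            m = OPCODE_RE.search(line)
            if m:
                entry["opcode_id"] = m["id"]
        yield entry


def summarise(text):
    """Group entries by (dump file, offset); keep unique call sites and opcode IDs."""
    regions = {}
    for e in parse_entries(text):
        if e["source"] is None:
            continue
        r = regions.setdefault(e["source"], {"pe_backed": e["pe_backed"],
                                             "entries": 0,
                                             "call_sites": set(),
                                             "opcode_ids": []})
        r["entries"] += 1
        r["call_sites"].update(e["apis"])
        if e["opcode_id"]:
            r["opcode_ids"].append(e["opcode_id"])
    return regions


def non_pe_backed_regions(regions):
    """Offsets of dumps whose code was not mapped from a PE on disk, sorted."""
    return sorted(off for (_, off), r in regions.items() if not r["pe_backed"])


if __name__ == "__main__":
    for (path, off), r in summarise(SAMPLE_REPORT).items():
        tag = "PE-backed" if r["pe_backed"] else "NOT PE-backed (in-memory code)"
        print(f"{off} {tag}: {r['entries']} entries, "
              f"{len(r['call_sites'])} unique call sites")
        for module, api, ref in sorted(r["call_sites"]):
            print(f"    {module}!{api} @ {ref}")
```

On the four sample entries this yields two regions, both not PE-backed: 05B60000 with three entries collapsing to two call sites, and 00FC0000 with one. Run over the full "Executed Functions" listing, the unique call sites per non-PE-backed region are the imports the unpacked stage actually resolves at runtime, which is a more useful starting point for comparing against the AgentTesla behaviour in the report's signature section than the raw per-function entries.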
                          Non-executed Functions