
Windows Analysis Report Bank payment swift message.exe

Overview

General Information

Sample Name: Bank payment swift message.exe
Analysis ID: 532705
MD5: 8cf71f83b169db6428ce1345eacec7e1
SHA1: 50cde0ed5ae88e15fc6a190216f767c61014261f
SHA256: 7c04ed79e657827d9ed17fc6f50e51a5818bf9b7db804691dee2470d5371162e
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Bank payment swift message.exe (PID: 4324 cmdline: "C:\Users\user\Desktop\Bank payment swift message.exe" MD5: 8CF71F83B169DB6428CE1345EACEC7E1)
    • RegSvcs.exe (PID: 6480 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 6576 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • kprUEGC.exe (PID: 4896 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • kprUEGC.exe (PID: 2144 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "leell@scsgroups.com", "Password": "Scs@looi1007", "Host": "mail.scsgroups.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000000.303493961.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000000.303493961.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000000.303809538.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000000.303809538.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000000.302850408.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 15 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
2.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
2.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 16 entries shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Bank payment swift message.exe" , ParentImage: C:\Users\user\Desktop\Bank payment swift message.exe, ParentProcessId: 4324, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6480
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Bank payment swift message.exe" , ParentImage: C:\Users\user\Desktop\Bank payment swift message.exe, ParentProcessId: 4324, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6480

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.0.RegSvcs.exe.400000.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "leell@scsgroups.com", "Password": "Scs@looi1007", "Host": "mail.scsgroups.com"}
Source: 2.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: Bank payment swift message.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Bank payment swift message.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdbP source: RegSvcs.exe, 00000002.00000002.560949315.0000000005D11000.00000004.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000003.505449142.0000000005D0C000.00000004.00000001.sdmp, kprUEGC.exe, 00000005.00000002.373607878.00000000004F2000.00000002.00020000.sdmp, kprUEGC.exe, 00000008.00000002.384804020.00000000008C2000.00000002.00020000.sdmp, kprUEGC.exe.2.dr
Source: Binary string: RegSvcs.pdb source: kprUEGC.exe, kprUEGC.exe, 00000008.00000002.384804020.00000000008C2000.00000002.00020000.sdmp, kprUEGC.exe.2.dr
Source: Joe Sandbox View | ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: Joe Sandbox View | IP Address: 103.6.196.179
Source: global traffic | TCP traffic: 192.168.2.3:49773 -> 103.6.196.179:587
Source: RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | String found in binary or memory: http://WjMsNT.com
Source: RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.560949315.0000000005D11000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000002.00000002.560949315.0000000005D11000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.560949315.0000000005D11000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.560949315.0000000005D11000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp | String found in binary or memory: http://mail.scsgroups.com
Source: RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.560949315.0000000005D11000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp | String found in binary or memory: http://scsgroups.com
Source: RegSvcs.exe, 00000002.00000002.560227223.0000000002E05000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.560316604.0000000002E75000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.560323576.0000000002E79000.00000004.00000001.sdmp | String found in binary or memory: https://8LBhYvjS8QE2L4B.com
Source: RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.560949315.0000000005D11000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Bank payment swift message.exe, 00000000.00000002.306719644.0000000003B29000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000000.303493961.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000002.00000000.302850408.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.scsgroups.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Bank payment swift message.exe
.NET source code contains very large array initializations
Source: 2.0.RegSvcs.exe.400000.3.unpack, <PrivateImplementationDetails>{BD9F9190-0FC4-46AD-B580-C5B94CAA9F09}/D2461129-5BBB-4B64-8D90-8D2E52631531.cs | Large array initialization: .cctor: array initializer size 11957
Source: 2.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{BD9F9190-0FC4-46AD-B580-C5B94CAA9F09}/D2461129-5BBB-4B64-8D90-8D2E52631531.cs | Large array initialization: .cctor: array initializer size 11957
Source: 2.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{BD9F9190-0FC4-46AD-B580-C5B94CAA9F09}/D2461129-5BBB-4B64-8D90-8D2E52631531.cs | Large array initialization: .cctor: array initializer size 11957
Source: 2.0.RegSvcs.exe.400000.2.unpack, <PrivateImplementationDetails>{BD9F9190-0FC4-46AD-B580-C5B94CAA9F09}/D2461129-5BBB-4B64-8D90-8D2E52631531.cs | Large array initialization: .cctor: array initializer size 11957
Source: 2.0.RegSvcs.exe.400000.1.unpack, <PrivateImplementationDetails>{BD9F9190-0FC4-46AD-B580-C5B94CAA9F09}/D2461129-5BBB-4B64-8D90-8D2E52631531.cs | Large array initialization: .cctor: array initializer size 11957
Executable has a suspicious name (potential lure to open the executable)
Source: Bank payment swift message.exe | Static file information: Suspicious name
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Code function: 0_2_00E9C6F4
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Code function: 0_2_00E9EB28
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Code function: 0_2_00E9EB38
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Code function: 0_2_02B0EFA8
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Code function: 0_2_02B0EF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010847A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010846B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_055F6508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_055F7120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_055F90D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_055F6850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 055FBEC0 appears 48 times
Source: Bank payment swift message.exe, 00000000.00000002.304895734.00000000006E8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDispositi.exe4 vs Bank payment swift message.exe
Source: Bank payment swift message.exe, 00000000.00000002.306719644.0000000003B29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIryfeeEyMMUWtFFlBPOPNVPUkBT.exe4 vs Bank payment swift message.exe
Source: Bank payment swift message.exe, 00000000.00000002.306719644.0000000003B29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs Bank payment swift message.exe
Source: Bank payment swift message.exe, 00000000.00000002.307604199.00000000050B0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Bank payment swift message.exe
Source: Bank payment swift message.exe, 00000000.00000002.305709842.0000000002B21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Bank payment swift message.exe
Source: Bank payment swift message.exe, 00000000.00000002.305709842.0000000002B21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIryfeeEyMMUWtFFlBPOPNVPUkBT.exe4 vs Bank payment swift message.exe
Source: Bank payment swift message.exe, 00000000.00000002.308812058.0000000005CE0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs Bank payment swift message.exe
Source: Bank payment swift message.exe | Binary or memory string: OriginalFilenameDispositi.exe4 vs Bank payment swift message.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: Bank payment swift message.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Bank payment swift message.exe "C:\Users\user\Desktop\Bank payment swift message.exe"
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Bank payment swift message.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bank payment swift message.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/6@2/1
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1492:120:WilError_01
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Mutant created: \Sessions\1\BaseNamedObjects\pebqqiuwljIVfajAWYWmOos
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1244:120:WilError_01
Source: 2.0.RegSvcs.exe.400000.3.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Bank payment swift message.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Bank payment swift message.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation:

.NET source code contains potential unpacker
Source: Bank payment swift message.exe, xJ/OD.cs | .Net Code: KBI System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Bank payment swift message.exe.670000.0.unpack, xJ/OD.cs | .Net Code: KBI System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Bank payment swift message.exe.670000.0.unpack, xJ/OD.cs | .Net Code: KBI System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Code function: 0_2_00E9D740 push esp; ret 0_2_00E9D741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0108D972 push edi; iretd 2_2_0108D974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_055FED12 pushad ; ret 2_2_055FED59
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 5_2_00E90014 push ss; retf 5_2_00E90026
Source: Bank payment swift message.exe | Static PE information: 0xF5F8E4E2 [Sat Oct 9 01:44:02 2100 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.79400294438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\Desktop\Bank payment swift message.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Bank payment swift message.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Bank payment swift message.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Bank payment swift message.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Bank payment swift message.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Bank payment swift message.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.Bank payment swift message.exe.2b41bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.305709842.0000000002B21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.305889560.0000000002C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Bank payment swift message.exe PID: 4324, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Bank payment swift message.exe, 00000000.00000002.305709842.0000000002B21000.00000004.00000001.sdmp, Bank payment swift message.exe, 00000000.00000002.305889560.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Bank payment swift message.exe, 00000000.00000002.305709842.0000000002B21000.00000004.00000001.sdmp, Bank payment swift message.exe, 00000000.00000002.305889560.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Bank payment swift message.exe TID: 3940 | Thread sleep time: -36673s >= -30000s
Source: C:\Users\user\Desktop\Bank payment swift message.exe TID: 6440 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 3892 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 7140 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6127
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Thread delayed: delay time: 36673
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: Bank payment swift message.exe, 00000000.00000002.305889560.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Bank payment swift message.exe, 00000000.00000002.305889560.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Bank payment swift message.exe, 00000000.00000002.305889560.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Bank payment swift message.exe, 00000000.00000002.305889560.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000002.00000002.560925451.0000000005CF7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_055FF720 LdrInitializeThunk,2_2_055FF720
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 00000002.00000002.559613379.0000000001530000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000002.00000002.559613379.0000000001530000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000002.00000002.559613379.0000000001530000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: RegSvcs.exe, 00000002.00000002.559613379.0000000001530000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Queries volume information: C:\Users\user\Desktop\Bank payment swift message.exe VolumeInformation
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank payment swift message.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank payment swift message.exe.3c15000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank payment swift message.exe.3c4b220.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank payment swift message.exe.3c15000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank payment swift message.exe.3c4b220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.303493961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.303809538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.302850408.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.558202775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.303165752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306719644.0000000003B29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Bank payment swift message.exe PID: 4324, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6576, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: Yara matchFile source: 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6576, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Bank payment swift message.exe.3c15000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Bank payment swift message.exe.3c4b220.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Bank payment swift message.exe.3c15000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Bank payment swift message.exe.3c4b220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000000.303493961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.303809538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.302850408.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.558202775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.303165752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.306719644.0000000003B29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Bank payment swift message.exe PID: 4324, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6576, type: MEMORYSTR

Mitre Att&ck Matrix

Techniques are listed per tactic column in matrix order; a number in parentheses is the count printed next to that technique in the report.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (211); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Registry Run Keys / Startup Folder (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Process Injection (12); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: File and Directory Permissions Modification (1); Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); Software Packing (13); Timestomp (1); Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (12); Hidden Files and Directories (1)
Credential Access: OS Credential Dumping (2); Input Capture (11); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Information Discovery (114); Security Software Discovery (211); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1); Network Sniffing; Network Service Scanning; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (11); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 532705
Sample: Bank payment swift message.exe
Startdate: 02/12/2021
Architecture: WINDOWS
Score: 100

Top-level signatures: Found malware configuration; Yara detected AgentTesla; Yara detected AntiVM3; 6 other signatures

Process tree (recovered from the graph):
• Bank payment swift message.exe (started): drops C:\...\Bank payment swift message.exe.log (ASCII); starts RegSvcs.exe (two instances)
• kprUEGC.exe (two instances started): each starts conhost.exe
• RegSvcs.exe (first instance): connects to scsgroups.com, 103.6.196.179, ports 49773 and 587 (EXABYTES-AS-APExaBytesNetworkSdnBhdMY, Malaysia) and resolves mail.scsgroups.com; drops C:\Users\user\AppData\Roaming\...\kprUEGC.exe (PE32) and C:\Windows\System32\drivers\etc\hosts (ASCII); signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 4 other signatures
• RegSvcs.exe (second instance): Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
2.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
2.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
2.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
2.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
2.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
2.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
scsgroups.com | 0% | Virustotal |
mail.scsgroups.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://mail.scsgroups.com | 0% | Virustotal |
http://mail.scsgroups.com | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://scsgroups.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
https://8LBhYvjS8QE2L4B.com | 0% | Avira URL Cloud | safe
http://WjMsNT.com | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
scsgroups.com | 103.6.196.179 | true | true | | unknown
mail.scsgroups.com | unknown | unknown | true | | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.scsgroups.com | RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp; RegSvcs.exe, 00000002.00000002.560949315.0000000005D11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://scsgroups.com | RegSvcs.exe, 00000002.00000002.560279045.0000000002E4D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Bank payment swift message.exe, 00000000.00000002.306719644.0000000003B29000.00000004.00000001.sdmp; RegSvcs.exe, 00000002.00000000.303493961.0000000000402000.00000040.00000001.sdmp; RegSvcs.exe, 00000002.00000000.302850408.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%$ | RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://8LBhYvjS8QE2L4B.com | RegSvcs.exe, 00000002.00000002.560227223.0000000002E05000.00000004.00000001.sdmp; RegSvcs.exe, 00000002.00000002.560316604.0000000002E75000.00000004.00000001.sdmp; RegSvcs.exe, 00000002.00000002.560323576.0000000002E79000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://WjMsNT.com | RegSvcs.exe, 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                      Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.6.196.179 | scsgroups.com | Malaysia | 46015 | EXABYTES-AS-APExaBytesNetworkSdnBhdMY | true

                      General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532705
Start date: 02.12.2021
Start time: 16:26:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Bank payment swift message.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@9/6@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 49
• Number of non-executed functions: 5
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

Time | Type | Description
16:27:02 | API Interceptor | 1x Sleep call for process: Bank payment swift message.exe modified
16:27:13 | API Interceptor | 776x Sleep call for process: RegSvcs.exe modified
16:27:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
16:27:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe

                      Joe Sandbox View / Context

                      IPs

Match | Associated Sample Name / URL | Detection
103.6.196.179 | Bank payment swift message.exe | malicious
| SOA.exe | malicious
| DOCUMENT.exe | malicious
| Purchase order.exe | malicious
| PAYMENT SLIP OF SY21.exe | malicious
| PAYMENT SLIP OF SY21.exe | malicious
| SOA.exe | malicious
| PAYMENT SLIP OF SY21.exe | malicious
| PURCHASE ORDER HIUK 211020 SY.exe | malicious
| NEW ORDER EN31628 EN31630.exe | malicious
| Shipping Document BL Draft.exe | malicious
| Payment Advice 50053945.exe | malicious
| QUOTATION.exe | malicious
| New order - C.S.I No. 0987.exe | malicious
| PCIPL Introduction Profile.exe | malicious
| SecuriteInfo.com.Artemis44E494790094.16425.exe | malicious
| HMaq2KmJJD.exe | malicious
| 2281.xls | malicious
| 2281.xls | malicious

                                                            Domains

No context

                                                            ASN

Match | Associated Sample Name / URL | Detection | Context
EXABYTES-AS-APExaBytesNetworkSdnBhdMY | Bank payment swift message.exe | malicious | 103.6.196.179
| SOA.exe | malicious | 103.6.196.179
| DOCUMENT.exe | malicious | 103.6.196.179
| Purchase order.exe | malicious | 103.6.196.179
| PAYMENT SLIP OF SY21.exe | malicious | 103.6.196.179
| RFQ#00890.exe | malicious | 110.4.45.145
| PAYMENT SLIP OF SY21.exe | malicious | 103.6.196.179
| SOA.exe | malicious | 103.6.196.179
| PAYMENT SLIP OF SY21.exe | malicious | 103.6.196.179
| Linux_x86 | malicious | 103.6.196.36
| PURCHASE ORDER HIUK 211020 SY.exe | malicious | 103.6.196.179
| order PO6766.exe | malicious | 110.4.45.145
| NEW ORDER EN31628 EN31630.exe | malicious | 103.6.196.179
| Shipping Document BL Draft.exe | malicious | 103.6.196.179
| Payment Advice 50053945.exe | malicious | 103.6.196.179
| QUOTATION.exe | malicious | 103.6.196.179
| New order - C.S.I No. 0987.exe | malicious | 103.6.196.179
| PCIPL Introduction Profile.exe | malicious | 103.6.196.179
| SecuriteInfo.com.Artemis44E494790094.16425.exe | malicious | 103.6.196.179
| NEW ORDER.exe | malicious | 137.59.109.172

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | SALES INVOICE-CINV-00095891.exe | malicious
| JSGD-09873673893873.exe | malicious
| DHL SHIPMENT NOTIFICATION 284748395PD.exe | malicious
| SOA.exe | malicious
| Bank payment swift message.exe | malicious
| PAYMENT PROOF.exe | malicious
| SOA.exe | malicious
| DOCUMENT.exe | malicious
| swift copy.exe | malicious
| TT COPY.exe | malicious
| Purchase order.exe | malicious
| PAYMENT SLIP OF SY21.exe | malicious
| INVOICE.exe | malicious
| IMGLM_09846456748-4098476748464.exe | malicious
| remitted payment.exe | malicious
| PAYMENT SLIP OF SY21.exe | malicious
| request quotation.exe | malicious
| swift copy.exe | malicious
| BCAVT_C0938763-398763693863.exe | malicious
| DOC.exe | malicious

                                                                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bank payment swift message.exe.log
Process: C:\Users\user\Desktop\Bank payment swift message.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5: D918C6A765EDB90D2A227FE23A3FEC98
SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512: A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious: true
Reputation: moderate, very likely benign file
                                                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log
                                                                                                    Process:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):142
                                                                                                    Entropy (8bit):5.090621108356562
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                                    MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                                    SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                                    SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                                    SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                                    Malicious:false
                                                                                                    Reputation:high, very likely benign file
                                                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                    C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):45152
                                                                                                    Entropy (8bit):6.149629800481177
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                                                    MD5:2867A3817C9245F7CF518524DFD18F28
                                                                                                    SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                                                    SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                                                    SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Joe Sandbox View:
                                                                                                    • Filename: SALES INVOICE-CINV-00095891.exe, Detection: malicious, Browse
                                                                                                    • Filename: JSGD-09873673893873.exe, Detection: malicious, Browse
                                                                                                    • Filename: DHL SHIPMENT NOTIFICATION 284748395PD.exe, Detection: malicious, Browse
                                                                                                    • Filename: SOA.exe, Detection: malicious, Browse
                                                                                                    • Filename: Bank payment swift message.exe, Detection: malicious, Browse
                                                                                                    • Filename: PAYMENT PROOF.exe, Detection: malicious, Browse
                                                                                                    • Filename: SOA.exe, Detection: malicious, Browse
                                                                                                    • Filename: DOCUMENT.exe, Detection: malicious, Browse
                                                                                                    • Filename: swift copy.exe, Detection: malicious, Browse
                                                                                                    • Filename: TT COPY.exe, Detection: malicious, Browse
                                                                                                    • Filename: Purchase order.exe, Detection: malicious, Browse
                                                                                                    • Filename: PAYMENT SLIP OF SY21.exe, Detection: malicious, Browse
                                                                                                    • Filename: INVOICE.exe, Detection: malicious, Browse
                                                                                                    • Filename: IMGLM_09846456748-4098476748464.exe, Detection: malicious, Browse
                                                                                                    • Filename: remitted payment.exe, Detection: malicious, Browse
                                                                                                    • Filename: PAYMENT SLIP OF SY21.exe, Detection: malicious, Browse
                                                                                                    • Filename: request quotation.exe, Detection: malicious, Browse
                                                                                                    • Filename: swift copy.exe, Detection: malicious, Browse
                                                                                                    • Filename: BCAVT_C0938763-398763693863.exe, Detection: malicious, Browse
                                                                                                    • Filename: DOC.exe, Detection: malicious, Browse
                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                                    C:\Windows\System32\drivers\etc\hosts
                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):835
                                                                                                    Entropy (8bit):4.694294591169137
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                                                                    MD5:6EB47C1CF858E25486E42440074917F2
                                                                                                    SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                                                                    SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                                                                    SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                                                                    Malicious:true
                                                                                                    Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
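The hosts file above is reported as modified by RegSvcs.exe, and its preview is the Microsoft template, in which both localhost lines are commented out, followed by an appended 127.0.0.1 entry. A stock Windows hosts file therefore has no active entries at all, so every uncommented mapping is a change to review, and a name pinned to 127.0.0.1 or ::1 is blackholed, which is how stealers cut off AV and update servers. The Python script below is an added example, not part of the Joe Sandbox report: it parses a hosts file the way the resolver reads it (a '#' starts a comment, fields split on whitespace) and sorts the active entries into names blackholed to loopback, names pinned to another address, and malformed lines. The hosts text it checks is constructed for the example with placeholder hostnames; it is not the file this sample wrote.

```python
"""Hosts-file review (added example; not part of the Joe Sandbox report).
The stock Windows hosts file is all comments (both localhost lines are
commented out, as the report's preview shows), so any uncommented mapping is
a deviation. The hosts text below is constructed, not the sample's file."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Active (uncommented) entries. '#' starts a comment anywhere on a line;
    fields are whitespace-separated: an address, then zero or more hostnames."""
    entries = []
    for n, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0].strip()
        if body:
            fields = body.split()
            entries.append(HostsEntry(n, fields[0], fields[1:]))
    return entries


def is_stock(text: str) -> bool:
    """True when the file has no active entries, i.e. matches the Windows default."""
    return not parse_hosts(text)


def review_hosts(text: str) -> Dict[str, List[HostsEntry]]:
    """Bucket active entries: names pinned to loopback are blocked, names pinned
    to any other address are redirected, and lines without a parsable address
    or without a hostname are malformed (still worth a look: something wrote them)."""
    findings = {"blackholed": [], "pinned": [], "malformed": []}
    for e in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(e.address)
        except ValueError:
            findings["malformed"].append(e)
            continue
        if not e.names:
            findings["malformed"].append(e)
        elif addr.is_loopback:
            findings["blackholed"].append(e)
        else:
            findings["pinned"].append(e)
    return findings


# Constructed sample: the tail of the Microsoft template, then appended lines of
# the kind a stealer adds. Hostnames are placeholders, not real vendor domains.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\r\n"
    "# localhost name resolution is handled within DNS itself.\r\n"
    "#\t127.0.0.1       localhost\r\n"
    "#\t::1             localhost\r\n"
    "127.0.0.1 update.example.net telemetry.example.net # added by malware\r\n"
    "::1 download.example.org\r\n"
    "203.0.113.7 www.example-bank.test\r\n"
    "127.0.0.1\r\n"
)
STOCK_HOSTS = "".join(SAMPLE_HOSTS.splitlines(True)[:5])   # template only, no active lines

if __name__ == "__main__":
    for kind, entries in review_hosts(SAMPLE_HOSTS).items():
        for e in entries:
            print("%-10s line %d: %s -> %s" % (kind, e.lineno, e.address,
                                                 " ".join(e.names) or "(no hostname)"))
```

To compare a suspect machine against a clean baseline, read C:\Windows\System32\drivers\etc\hosts and pass its text to review_hosts; is_stock tells you at once whether anything beyond the template is present.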
                                                                                                    \Device\ConDrv
                                                                                                    Process:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1141
                                                                                                    Entropy (8bit):4.44831826838854
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                                    MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                                    SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                                    SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                                    SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                                    Malicious:false
                                                                                                    Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                                                    Static File Info

                                                                                                    General

                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):7.782175785902415
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                    File name:Bank payment swift message.exe
                                                                                                    File size:481280
                                                                                                    MD5:8cf71f83b169db6428ce1345eacec7e1
                                                                                                    SHA1:50cde0ed5ae88e15fc6a190216f767c61014261f
                                                                                                    SHA256:7c04ed79e657827d9ed17fc6f50e51a5818bf9b7db804691dee2470d5371162e
                                                                                                    SHA512:e66d9f4dfa5bb8bd30182549b11b0a78345696d48ab4f03c0571081ea63ac3005a5681ebacf50981b3d359c9fd9c3c911ea254794ba8dfa63ed93c56e9f7d1ea
                                                                                                    SSDEEP:12288:1qgpfvuXCk4O2kg7RNDvXTmTJXQfyNlCkOl:gCk4Sg1dXwBvNl6
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................N...........m... ........@.. ....................................@................................

                                                                                                    File Icon

                                                                                                    Icon Hash:00828e8e8686b000

                                                                                                    Static PE Info

                                                                                                    General

                                                                                                    Entrypoint:0x476dbe
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                    Time Stamp:0xF5F8E4E2 [Sat Oct 9 01:44:02 2100 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:v4.0.30319
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
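The fields in the General block above come straight from the COFF and optional headers, and two of them deserve a second look. The Time Stamp decodes to October 2100, a link date that cannot be genuine, and the Import Hash f34d5f2d4577ed6d9ceec516c1f5a744 is the value shared by every 32-bit .NET executable whose only native import is mscoree!_CorExeMain, so it carries no sample-specific signal. The Python script below is an added example, not part of the Joe Sandbox report: it reads those headers itself (entry point and its section, image base, subsystem, DLL characteristics, timestamp with a plausibility check, data directories with their owning section, the CLR header that marks a managed image, and the FF 25 jump at the entry point). The PE32 image it parses is constructed inside the script with a made-up layout and addresses, carrying only the sample's timestamp and DLL characteristics, so it runs offline; pass the bytes of a real file to parse_pe32 to get the same fields.

```python
"""Static PE32 header reader (added example; not part of the Joe Sandbox report).
Reads the "Static PE Info" fields from the raw headers and flags the two that
need judgement: a TimeDateStamp in the future and the CLR jump stub at the
entry point. The image parsed here is constructed below with made-up layout
and addresses, so the script runs offline; pass real file bytes to parse_pe32."""
import struct
from datetime import datetime, timedelta, timezone

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "CLR", "RESERVED"]
DIR_CLR = 14
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def locate(sections, rva):
    """(section name, file offset) backing an RVA, or ("", None) if unmapped."""
    for name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return name, rva - va + rawptr
    return "", None


def entry_instruction(data, off):
    """Decode only FF 25 disp32 (jmp dword ptr [abs32]): the stub every .NET PE32
    has at its entry point, jumping through the IAT to mscoree!_CorExeMain. The
    bytes after it are zero padding, which a disassembler shows as 'add byte ptr [eax], al'."""
    if off is not None and data[off:off + 2] == b"\xff\x25":
        return "jmp dword ptr [%08Xh]" % struct.unpack_from("<I", data, off + 2)[0]
    return "(entry does not start with jmp [abs32])"


def parse_pe32(data):
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _mach, nsec, ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                    # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = []
    for i in range(nsec):                                            # 40-byte section headers
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    dirs = []
    for i in range(min(ndirs, 16)):                                  # data directories
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        dirs.append((DIR_NAMES[i], rva, size, locate(sections, rva)[0] if rva else ""))
    when = EPOCH + timedelta(seconds=ts)
    sec, off = locate(sections, entry_rva)
    return {
        "entry_rva": entry_rva, "entry_section": sec, "image_base": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "timestamp": ts, "timestamp_utc": when.strftime("%a %b %d %H:%M:%S %Y UTC"),
        # A link time in the future is never a real build date. Caveat: Roslyn
        # deterministic builds store a hash here, so an odd value is a lead, not proof.
        "timestamp_plausible": 1995 <= when.year <= datetime.now(timezone.utc).year,
        "is_dotnet": ndirs > DIR_CLR and dirs[DIR_CLR][1] != 0,      # CLR header present
        "data_directories": dirs,
        "entry_instruction": entry_instruction(data, off),
    }


def build_sample_image():
    """Constructed PE32 (not the real sample) carrying the traits the report shows:
    .NET entry stub, DllCharacteristics 0x8540, TimeDateStamp 0xF5F8E4E2."""
    image_base, entry_rva = 0x400000, 0x2050
    sections = [(b".text", 0x2000, 0x200, 0x200, 0x200),   # (name, va, vsize, rawptr, rawsize)
                (b".rsrc", 0x4000, 0x4d8, 0x400, 0x600), (b".reloc", 0x6000, 0xc, 0xa00, 0x200)]
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x2060, 0x4b), (0x4000, 0x4d8), (0x6000, 0xc)
    dirs[12], dirs[14] = (0x2000, 0x8), (0x2008, 0x48)    # IAT, CLR header
    img = bytearray(0xC00)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(sections), 0xF5F8E4E2, 0, 0, 224, 0x010E)
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", img, 0x58,
                     0x10B, 48, 0, 0x200, 0x800, 0, entry_rva, 0x2000, 0x4000, image_base,
                     0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x8000, 0x200, 0,
                     2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for i, (rva, size) in enumerate(dirs):
        struct.pack_into("<II", img, 0x58 + 96 + 8 * i, rva, size)
    for i, (name, va, vsize, rawptr, rawsize) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, 0x138 + 40 * i, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    off = entry_rva - 0x2000 + 0x200                        # FF 25 <image_base + IAT rva>
    img[off:off + 6] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)
    return bytes(img)


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample_image()).items():
        print("%-20s %s" % (key, value))
```

The plausibility check is deliberately a range test rather than an exact comparison: a timestamp decades in the future is a lead to chase (packer, edited header, or a deterministic build), and the CLR directory plus the FF 25 stub tells you the entry point preview will be nothing but the jump to _CorExeMain and zero padding, so the interesting code is in the managed metadata, not at the native entry point.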

                                                                                                    Entrypoint Preview

                                                                                                    Instruction
                                                                                                    jmp dword ptr [00402000h]
                                                                                                     add byte ptr [eax], al
                                                                                                     (the line above is repeated 97 times in the preview: the bytes after the 6-byte CLR entry stub are zeros, and the opcode 00 00 disassembles as add byte ptr [eax], al)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x76d70 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x78000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x74dc4 | 0x74e00 | False | 0.88877214238 | data | 7.79400294438 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x78000 | 0x4d8 | 0x600 | False | 0.375651041667 | data | 3.72627161824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x780a0 | 0x24c | data | |
RT_MANIFEST | 0x782ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright |
Assembly Version | 0.0.0.0
InternalName | Dispositi.exe
FileVersion | 0.0.0.0
ProductVersion | 0.0.0.0
FileDescription |
OriginalFilename | Dispositi.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 16:28:41.096880913 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:41.359755039 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:41.359889030 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:41.653023005 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:41.653459072 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:41.918298960 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:41.918554068 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:42.184674025 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:42.221601963 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:42.490335941 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:42.490375042 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:42.490396023 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:42.490411997 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:42.490447998 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:42.490483999 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:42.491869926 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:42.540420055 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:42.561965942 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:42.825572014 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:42.868607998 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:42.900547981 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:43.163680077 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:43.165041924 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:43.428869009 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:43.429614067 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:43.702544928 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:43.703763008 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:43.967739105 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:43.968214989 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:44.241290092 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:44.241837978 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:44.505103111 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:44.506640911 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:44.506807089 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:44.507555962 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:44.507623911 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179
Dec 2, 2021 16:28:44.770782948 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:44.770831108 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:44.771236897 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:44.771264076 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:44.772578955 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3
Dec 2, 2021 16:28:44.821904898 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 16:28:40.785038948 CET | 59026 | 53 | 192.168.2.3 | 8.8.8.8
Dec 2, 2021 16:28:40.921739101 CET | 53 | 59026 | 8.8.8.8 | 192.168.2.3
Dec 2, 2021 16:28:40.932601929 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
Dec 2, 2021 16:28:41.081876993 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 2, 2021 16:28:40.785038948 CET | 192.168.2.3 | 8.8.8.8 | 0x7d2c | Standard query (0) | mail.scsgroups.com | A (IP address) | IN (0x0001)
Dec 2, 2021 16:28:40.932601929 CET | 192.168.2.3 | 8.8.8.8 | 0x2040 | Standard query (0) | mail.scsgroups.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 2, 2021 16:28:40.921739101 CET | 8.8.8.8 | 192.168.2.3 | 0x7d2c | No error (0) | mail.scsgroups.com | scsgroups.com | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 16:28:40.921739101 CET | 8.8.8.8 | 192.168.2.3 | 0x7d2c | No error (0) | scsgroups.com | | 103.6.196.179 | A (IP address) | IN (0x0001)
Dec 2, 2021 16:28:41.081876993 CET | 8.8.8.8 | 192.168.2.3 | 0x2040 | No error (0) | mail.scsgroups.com | scsgroups.com | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 16:28:41.081876993 CET | 8.8.8.8 | 192.168.2.3 | 0x2040 | No error (0) | scsgroups.com | | 103.6.196.179 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 2, 2021 16:28:41.653023005 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3 | 220-xl-galactus.mschosting.com ESMTP Exim 4.94.2 #2 Thu, 02 Dec 2021 23:28:40 +0800
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Dec 2, 2021 16:28:41.653459072 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179 | EHLO 562258
Dec 2, 2021 16:28:41.918298960 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3 | 250-xl-galactus.mschosting.com Hello 562258 [84.17.52.65]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Dec 2, 2021 16:28:41.918554068 CET | 49773 | 587 | 192.168.2.3 | 103.6.196.179 | STARTTLS
Dec 2, 2021 16:28:42.184674025 CET | 587 | 49773 | 103.6.196.179 | 192.168.2.3 | 220 TLS go ahead

                                                                                                    Code Manipulations

                                                                                                    Statistics

                                                                                                    CPU Usage

                                                                                                    Memory Usage

                                                                                                    High Level Behavior Distribution

                                                                                                    Behavior

System Behavior

General

Start time: 16:27:00
Start date: 02/12/2021
Path: C:\Users\user\Desktop\Bank payment swift message.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Bank payment swift message.exe"
Imagebase: 0x670000
File size: 481280 bytes
MD5 hash: 8CF71F83B169DB6428CE1345EACEC7E1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.306719644.0000000003B29000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.306719644.0000000003B29000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.305709842.0000000002B21000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.305889560.0000000002C10000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 16:27:03
Start date: 02/12/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0x360000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:27:04
Start date: 02/12/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0x7c0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.303493961.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.303493961.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.303809538.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.303809538.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.302850408.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.302850408.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.558202775.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.558202775.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.303165752.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.303165752.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.559822771.0000000002AE1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 16:27:34
Start date: 02/12/2021
Path: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Imagebase: 0x4f0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

                                                                                                    General

                                                                                                    Start time:16:27:35
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7f20f0000
                                                                                                    File size:625664 bytes
                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:16:27:42
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
                                                                                                    Imagebase:0x8c0000
                                                                                                    File size:45152 bytes
                                                                                                    MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:16:27:42
                                                                                                    Start date:02/12/2021
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7f20f0000
                                                                                                    File size:625664 bytes
                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

Disassembly

Code Analysis


Executed Functions

APIs
• GetCurrentProcess.KERNEL32 ref: 00E9BCB0
• GetCurrentThread.KERNEL32 ref: 00E9BCED
• GetCurrentProcess.KERNEL32 ref: 00E9BD2A
• GetCurrentThreadId.KERNEL32 ref: 00E9BD83
Memory Dump Source
• Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: a50d1998d0a44e17a133460aaa2bff779bc3301552f4d23d348cf2fc866fe719
• Instruction ID: 335fca929c84b4d54176b3ee918ac35e940d659d8eb87d470706eb5c56c6a80b
• Opcode Fuzzy Hash: a50d1998d0a44e17a133460aaa2bff779bc3301552f4d23d348cf2fc866fe719
• Instruction Fuzzy Hash: DF5135B09006498FDB54CFA9D6497DEBBF0EF88314F24846AE019B7290C7749884CF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 00E9BCB0
• GetCurrentThread.KERNEL32 ref: 00E9BCED
• GetCurrentProcess.KERNEL32 ref: 00E9BD2A
• GetCurrentThreadId.KERNEL32 ref: 00E9BD83
Memory Dump Source
• Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: fc164f9b7add1b3bb4f6b08fa94330db9902ce0cb9be46d9e85df81f44401ee4
• Instruction ID: 5779557893923c032cb1e665467c17cc986b3113071015bb2704a1f8c510466f
• Opcode Fuzzy Hash: fc164f9b7add1b3bb4f6b08fa94330db9902ce0cb9be46d9e85df81f44401ee4
• Instruction Fuzzy Hash: 785123B09006498FDB18CFA9D649BDEBBF4EF88314F248469E419B7390D7749884CF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00E99B96
Memory Dump Source
• Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 010d9e05c396642d2b15e03c118ebac2a88aa499970e6eb28fe72364ba486a52
• Instruction ID: 5a020a19e81bdaf9401b056794eae82da4d765cd4c2fa8024089741dcbb780c1
• Opcode Fuzzy Hash: 010d9e05c396642d2b15e03c118ebac2a88aa499970e6eb28fe72364ba486a52
• Instruction Fuzzy Hash: 9E713370A00B048FDB64CF6AD14579AB7F5FF88308F008A2ED04AEBA51DB75E845CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.305666466.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a6f90551418a39c1bcdbae0ab60ea185faa0b185481036b4790399c8f92cbc5
• Instruction ID: dadd34ed5161430366637e715eb70ae3cc50b3b13527a29f0a059bc036c437d8
• Opcode Fuzzy Hash: 4a6f90551418a39c1bcdbae0ab60ea185faa0b185481036b4790399c8f92cbc5
• Instruction Fuzzy Hash: 4B7110B1C04348AFDF12CF99C880ADEBFB1EF49310F1486AAE908AB261D7359955CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B00442
Memory Dump Source
• Source File: 00000000.00000002.305666466.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 2e2db1b85d452639fcf89fb3c03d605938b65ea31132d094f45fe4b2f77900ca
• Instruction ID: e9bbe9366025f28410d6719656ba86972813097526aefcb297a5b69138b9446f
• Opcode Fuzzy Hash: 2e2db1b85d452639fcf89fb3c03d605938b65ea31132d094f45fe4b2f77900ca
• Instruction Fuzzy Hash: A541BDB1D003099FDB15CF9AC884ADEBFB5FF88314F24856AE819AB250D7749845CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00E954B1
Memory Dump Source
• Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 84d50ac889f32498bef7d0a0ab67275f9f0d1fd2ff2fd4ac5c0466db4837d051
• Instruction ID: 5b45d8b41a40a244e319985ecc5d39318f74538451ea7aa18dc8da1d5c620af8
• Opcode Fuzzy Hash: 84d50ac889f32498bef7d0a0ab67275f9f0d1fd2ff2fd4ac5c0466db4837d051
• Instruction Fuzzy Hash: CD41DFB1C00618CBDB25CFA9C848BDEBBF5BF88308F64846AD419BB251DB716945CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00E954B1
Memory Dump Source
• Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 64de4086014c6684c03cc6c9604312d1357517f84c8b33a49d2e9406a1f6b391
• Instruction ID: 1db9ed34b42344fa14ed2fec507113056062b706abcac32114cb047457d60276
• Opcode Fuzzy Hash: 64de4086014c6684c03cc6c9604312d1357517f84c8b33a49d2e9406a1f6b391
• Instruction Fuzzy Hash: 2841CDB1C00618CBDB25CFA9C849BDEBBF6BF88308F24846AD419BB251DB715945CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 02B029B1
Memory Dump Source
• Source File: 00000000.00000002.305666466.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 4a592670ffcbe79ab913b8c842a374c610c4ec47ff39a3d5aecedfdf80eb8cb7
• Instruction ID: 95cc2530e2261cae4c60ec127123a17aa7d657ea7a9b55e93365b214afc1a30c
• Opcode Fuzzy Hash: 4a592670ffcbe79ab913b8c842a374c610c4ec47ff39a3d5aecedfdf80eb8cb7
• Instruction Fuzzy Hash: F54118B5E002058FCB14CF99C489AAABBF5FF88314F2484A9D519AB361D334A845CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9BEFF
Memory Dump Source
• Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 98295982d913f881a6defcb55393da6232dd3e2669435c1a3642a96f1db7530e
• Instruction ID: 9ebc694a4c815f9d45f35197cd7c3eb825cf5709b9252d9c1f48d13939a76a21
• Opcode Fuzzy Hash: 98295982d913f881a6defcb55393da6232dd3e2669435c1a3642a96f1db7530e
• Instruction Fuzzy Hash: 9021E3B5D002489FDF10CFA9D985AEEBBF4EB48324F14841AE918B7350D374A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9BEFF
Memory Dump Source
• Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 58e6cd2ee0ffbe6555034647cb2f6fb096dcaf5a2b19746b30f965b5ac8067d2
• Instruction ID: 0f53c4d573da4ec742d5204b8cce1e3f3588fba9c7059410c75acfe4875d2326
• Opcode Fuzzy Hash: 58e6cd2ee0ffbe6555034647cb2f6fb096dcaf5a2b19746b30f965b5ac8067d2
• Instruction Fuzzy Hash: E721C2B5D002499FDF10CFAAD985ADEBBF8EB48324F14841AE918B3350D374A954CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E99C11,00000800,00000000,00000000), ref: 00E99E22
Memory Dump Source
• Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: d8d38942e8ba85db44efa747c18ee8940c6f1bedcf5ac0380e54589f5579b2b2
• Instruction ID: 0232f3cd5820e18d2404bb174e12430ed0297132a492a9aa192884260ce9d063
• Opcode Fuzzy Hash: d8d38942e8ba85db44efa747c18ee8940c6f1bedcf5ac0380e54589f5579b2b2
• Instruction Fuzzy Hash: 711103B69002498FDF10CF9AD448ADEFBF4EB88314F14842EE919B7200C374A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E99C11,00000800,00000000,00000000), ref: 00E99E22
Memory Dump Source
• Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 5a377376571d458055edc6562bd6fc9374c3d803885452543f6d13a20f5aeab9
• Instruction ID: e2ecf05dba80a87322ecd58adabd89723ecdcc26c55a5c91c025e785e80f0389
• Opcode Fuzzy Hash: 5a377376571d458055edc6562bd6fc9374c3d803885452543f6d13a20f5aeab9
• Instruction Fuzzy Hash: 7C1103B6D002098FCB10CFAAD444AEEFBF4AB98724F14852ED419B7200C374A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 02B005D5
Memory Dump Source
• Source File: 00000000.00000002.305666466.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 6dbec6e6f9a83d5b68ec17022710986907531345d41632075deda6aa8f055908
• Instruction ID: 899090b72db7f42b3276519f9943c8285dfcb7e6a5c260c16ce7142130421f3a
• Opcode Fuzzy Hash: 6dbec6e6f9a83d5b68ec17022710986907531345d41632075deda6aa8f055908
• Instruction Fuzzy Hash: 721155B18002488FCB20CF99C485BDEBBF4EB48324F14845AD859B7340C374A945CFA1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00E99B96
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: c314de9658c1886753df7f4f6f9caf07da964a89a0627ff540b10beb9f90b0e6
                                                                                                      • Instruction ID: eb1d7ef418de701bbfcd0d06360be2054e1395b922116e8d4d8d8adad0f4479c
                                                                                                      • Opcode Fuzzy Hash: c314de9658c1886753df7f4f6f9caf07da964a89a0627ff540b10beb9f90b0e6
                                                                                                      • Instruction Fuzzy Hash: 0D11DFB5D006498FDB10CF9AD448ADEFBF8EB88324F14852AD429B7600D379A945CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • SetWindowLongW.USER32(?,?,?), ref: 02B005D5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.305666466.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: LongWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1378638983-0
                                                                                                      • Opcode ID: fb232f5001692bba4b4b36d1bbed0fec7d4b07b948b1e851eb6fa2706fba8817
                                                                                                      • Instruction ID: b83f98bc8679acfdecc12181ecbbc3f9c431261a5627f1cf7103325c1a20bac3
                                                                                                      • Opcode Fuzzy Hash: fb232f5001692bba4b4b36d1bbed0fec7d4b07b948b1e851eb6fa2706fba8817
                                                                                                      • Instruction Fuzzy Hash: 1A1100B59002498FDB20CF9AD589BDFBBF8EB48324F14885AD919B7740C374A944CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Non-executed Functions

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b91876b9674d96b861a60f5222562de7614e86adc5c3deaf279749539f659e49
                                                                                                      • Instruction ID: 6296f7e4772d5f09622f8f52b2761ae2e307fa53821e0e8f3d4384c922c6f4c8
                                                                                                      • Opcode Fuzzy Hash: b91876b9674d96b861a60f5222562de7614e86adc5c3deaf279749539f659e49
                                                                                                      • Instruction Fuzzy Hash: 6E12C9F14117468BD3B8CF65E99818D3BA3B7453A8B504328D2B11BAF9D7B611CACF44
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.305666466.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 258c1456337526aae9eca8f30b0783fb18da74e06d2b562cbc070fb90e95936a
                                                                                                      • Instruction ID: 0ce99b3d30150ff93324a1941e815b04d4316001046b3d0380d36c0573685715
                                                                                                      • Opcode Fuzzy Hash: 258c1456337526aae9eca8f30b0783fb18da74e06d2b562cbc070fb90e95936a
                                                                                                      • Instruction Fuzzy Hash: B8D12431C2075A8ACB11EBA4D954ADDF7B1EFD9304F218B9AD4093B254EF706AC5CB81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 59b67503ac25ee2ba725c0a7473dfd301271eb6d7f0e260ec3237426b8b8653d
                                                                                                      • Instruction ID: a470c4f45abe8a3b6c2bfeeb7ea551f8c1d58ea3aac18ecd7561f7dd26a51e45
                                                                                                      • Opcode Fuzzy Hash: 59b67503ac25ee2ba725c0a7473dfd301271eb6d7f0e260ec3237426b8b8653d
                                                                                                      • Instruction Fuzzy Hash: 88A16936E0021A8FCF19DFB5C8445DEBBF2BF84304B25956AE905BB261EB31A945CF40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.305666466.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6455b3bbf4f17588954d8dc1b47b21aeebee6a46a92241eb3a8ccb974ed742ba
                                                                                                      • Instruction ID: 6014de78be9d9c330d62546fad3c9faee529e46e9dc9ae1e1d360941cb91a4dc
                                                                                                      • Opcode Fuzzy Hash: 6455b3bbf4f17588954d8dc1b47b21aeebee6a46a92241eb3a8ccb974ed742ba
                                                                                                      • Instruction Fuzzy Hash: A9D11431C2075A8ACB10EBA4D954ADDF7B1EFD9304F209B9AD4093B254EF706AC5CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.305345520.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: db10d20a1962fea94cb180ca5783c27727898997b164eb653b5ae878521c8609
                                                                                                      • Instruction ID: 57e1af1e9c623fbf726ec276aa747fe034ad3b42a1744f5f267a2fa65822b8e2
                                                                                                      • Opcode Fuzzy Hash: db10d20a1962fea94cb180ca5783c27727898997b164eb653b5ae878521c8609
                                                                                                      • Instruction Fuzzy Hash: EDC12BB14117468BD7B8CF65E88818D3BB3BB853A8F504728D1716BAE8D7B610CACF44
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Executed Functions

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.560882360.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: \Jl
                                                                                                      • API String ID: 0-2786033746
                                                                                                      • Opcode ID: e33d1aa36cba4291150be77f87e8da59e932f3280b216a76a9cdfc1cccabf0e3
                                                                                                      • Instruction ID: b370968e6f9a36296051b08669ec68a35b3f02c25d7738257420b715a97ff57f
                                                                                                      • Opcode Fuzzy Hash: e33d1aa36cba4291150be77f87e8da59e932f3280b216a76a9cdfc1cccabf0e3
                                                                                                      • Instruction Fuzzy Hash: C232C431B042059FDB14EBB8D858BAEBBF2FF85310F15846AE506EB791DA34DC058B61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 01086BB0
                                                                                                      • GetCurrentThread.KERNEL32 ref: 01086BED
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 01086C2A
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 01086C83
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: Current$ProcessThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2063062207-0
                                                                                                      • Opcode ID: f8dc7aeaf056f5849922ca366c130708164383441f9790ef42221ebac46cd9c0
                                                                                                      • Instruction ID: 0938f13115ff1c187e6711a626bb7a9af959b18c076fc3d4b4d29dd1d8947619
                                                                                                      • Opcode Fuzzy Hash: f8dc7aeaf056f5849922ca366c130708164383441f9790ef42221ebac46cd9c0
                                                                                                      • Instruction Fuzzy Hash: 735164B09002498FDB54CFA9D548BEEBBF1EF88314F248469E549A7350DB35A844CF62
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.560882360.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: InitializeThunk
                                                                                                      • String ID:
                                                                                                      • API String ID: 2994545307-0
                                                                                                      • Opcode ID: 6d4d3d480b044333b57785812b64831f83d09b492bc9bed2f62fe014f3f20525
                                                                                                      • Instruction ID: bed32a29b54088c0cdf331efd740d28a7231819b37528d44563db3ffd4d42db9
                                                                                                      • Opcode Fuzzy Hash: 6d4d3d480b044333b57785812b64831f83d09b492bc9bed2f62fe014f3f20525
                                                                                                      • Instruction Fuzzy Hash: 3E415271A102059FCB04EFB4D858AEEB7B6FF85304F148929E516DB791EF30E9058BA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010852A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: 3c2e0f174943e1feb52027476e97a5c721c9c73f343288732c1bd288ce834255
                                                                                                      • Instruction ID: 96030e956029514a94854b881fba6bd0598415f3c5ab0941e2eab15fd0862a0b
                                                                                                      • Opcode Fuzzy Hash: 3c2e0f174943e1feb52027476e97a5c721c9c73f343288732c1bd288ce834255
                                                                                                      • Instruction Fuzzy Hash: 6151DFB1D003099FDB14CF99C884ADEBBF5FF48314F24852AE858AB250DB74A885CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010852A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: 1cc36fe51bb745b7f35649ade63e9da053105b77724bf6ea55ebfde4afa24e33
                                                                                                      • Instruction ID: 1c5d74a94e05255ff9b78bab17ea0f455a3ddcc863257d69a7e0e89ce10c99e0
                                                                                                      • Opcode Fuzzy Hash: 1cc36fe51bb745b7f35649ade63e9da053105b77724bf6ea55ebfde4afa24e33
                                                                                                      • Instruction Fuzzy Hash: 9741CEB1D003099FDB14CF99C884ADEBBF5BF88314F64852AE859AB250DB74A845CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 01087D01
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: CallProcWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 2714655100-0
                                                                                                      • Opcode ID: 9aa088e64436cda3d04601f6c81545e35b938bcac506e74ae5bb115820246b6b
                                                                                                      • Instruction ID: 3d9dbf6b6efdd0f31d3701b824c55be369ba599f89d7a70de7842c07d479bc8f
                                                                                                      • Opcode Fuzzy Hash: 9aa088e64436cda3d04601f6c81545e35b938bcac506e74ae5bb115820246b6b
                                                                                                      • Instruction Fuzzy Hash: 5B415CB5900309CFDB14DF99C488AAABBF5FF88314F248459D559AB325C734A841CFA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01086DFF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: ecf1a7c88e0239d227ee04c262da9de8014c77a75894a2a99c4b179c45992dc6
                                                                                                      • Instruction ID: 88f15d9938c4187efc604551cb814f528887c279eccc4680e67e1d6852aed928
                                                                                                      • Opcode Fuzzy Hash: ecf1a7c88e0239d227ee04c262da9de8014c77a75894a2a99c4b179c45992dc6
                                                                                                      • Instruction Fuzzy Hash: 1621E2B5D002089FDB10CFA9D485ADEBBF8FB48324F14842AE958B7350D378A955CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01086DFF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: 6ee6332bfa84d665281df0e5b84d8708e12b744e6ecac06b1c7a452e2c606fe8
                                                                                                      • Instruction ID: d17ef26fba42cba5c7d0259ec21ae0a8cca8bbf2a2f70609fa816f599742f88b
                                                                                                      • Opcode Fuzzy Hash: 6ee6332bfa84d665281df0e5b84d8708e12b744e6ecac06b1c7a452e2c606fe8
                                                                                                      • Instruction Fuzzy Hash: A821D3B5D002499FDB10CFA9D884ADEBBF8FB48324F14842AE954B7350D379A954CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 0108BE72
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: EncodePointer
                                                                                                      • String ID:
                                                                                                      • API String ID: 2118026453-0
                                                                                                      • Opcode ID: 23666204f84d620d5347755abce337af3049206e15b213879733860dd17c2461
                                                                                                      • Instruction ID: 320ac54e50d9b509d179c4f6b1ae33dfd0540107e933d64d73c7dd55870935b1
                                                                                                      • Opcode Fuzzy Hash: 23666204f84d620d5347755abce337af3049206e15b213879733860dd17c2461
                                                                                                      • Instruction Fuzzy Hash: 8E219A71D06349CFDB61DFA9D44878EBBF4FB08314F24882AD599A7641C7786508CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 0108BE72
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: EncodePointer
                                                                                                      • String ID:
                                                                                                      • API String ID: 2118026453-0
                                                                                                      • Opcode ID: 59999d120d057ebf214fbb16c99f6c8b716d5174f7185467bffc1d820ec8005b
                                                                                                      • Instruction ID: 16c8207f56cf4a53f2871753aa2b2dd5e8ac0092af8ea2141d4fc3c271e8aa5c
                                                                                                      • Opcode Fuzzy Hash: 59999d120d057ebf214fbb16c99f6c8b716d5174f7185467bffc1d820ec8005b
                                                                                                      • Instruction Fuzzy Hash: 0A116771D05349CFDB60EFA9D40879EBBF4EB48314F24882AD585A3681C7786948CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 01084216
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 6e3465b166cb0a5c21873ce86a319e3443a61fea56282e5a8392ae6c22a2a78c
                                                                                                      • Instruction ID: df031c26461da85ea05e1ed59a4ef238b41d12292da8823d559158f4a2f6ef67
                                                                                                      • Opcode Fuzzy Hash: 6e3465b166cb0a5c21873ce86a319e3443a61fea56282e5a8392ae6c22a2a78c
                                                                                                      • Instruction Fuzzy Hash: 401132B1D0464A8FDB10DF9AD444BDEFBF4EB88224F14842AD969B7200C378A545CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 01084216
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.559513215.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: f83b90553ece8fcab501c96aaa69e7b6af4fe889c5311456ebf76e463627b4f9
                                                                                                      • Instruction ID: 178a153a6658989327d71185d9cb01f7ce46b50948a79ab547ca87c94fdf0556
                                                                                                      • Opcode Fuzzy Hash: f83b90553ece8fcab501c96aaa69e7b6af4fe889c5311456ebf76e463627b4f9
                                                                                                      • Instruction Fuzzy Hash: 501132B5D0060A8FDB10CFAAD444BCEFBF5EB48314F15842AC569B7600C378A546CFA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.558919593.0000000000D9D000.00000040.00000001.sdmp, Offset: 00D9D000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 05a5efc27fd51961b7ca65525c9a0c8929066cc6b431e8cd0d400a0a1619af39
                                                                                                      • Instruction ID: c123cec464422b665afa614d18dd39e18a711e90df6e3123c2014f341f78fd53
                                                                                                      • Opcode Fuzzy Hash: 05a5efc27fd51961b7ca65525c9a0c8929066cc6b431e8cd0d400a0a1619af39
                                                                                                      • Instruction Fuzzy Hash: 8E212271604200DFCF14CF64D8C4B26BBA6FB84324F24CA69E84E0B386C33AD846CA71
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.558919593.0000000000D9D000.00000040.00000001.sdmp, Offset: 00D9D000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e7417bc96a283ee55b02e3e6693694fa25dde02587bac4fb894063a3f3129a88
                                                                                                      • Instruction ID: ef9d1857f40b2cb42d85dbea715c44d650e04b22f5ee1f36dac7ad66c1bf6543
                                                                                                      • Opcode Fuzzy Hash: e7417bc96a283ee55b02e3e6693694fa25dde02587bac4fb894063a3f3129a88
                                                                                                      • Instruction Fuzzy Hash: E22162755093C08FDB12CF24D994715BF71EB46314F28C5EAD8498F697C33A984ACB62
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Non-executed Functions

                                                                                                      Executed Functions

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: `B^nnCO
                                                                                                      • API String ID: 0-2012114827
                                                                                                      • Opcode ID: 068f237787c04bb1f4a3003014a0dd467bd806eb0099b597645f18470ecfaf43
                                                                                                      • Instruction ID: 4700a9f21a96eed4885af5b0fd5cb3ce8ee8749678922ea3acb7da1a416ecf54
                                                                                                      • Opcode Fuzzy Hash: 068f237787c04bb1f4a3003014a0dd467bd806eb0099b597645f18470ecfaf43
                                                                                                      • Instruction Fuzzy Hash: 73226534704602CFCB65EF64E490BAA73A2FB94309F208978D4569B399DB35EC46CF91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: `B^nnCO
                                                                                                      • API String ID: 0-2012114827
                                                                                                      • Opcode ID: bd5c0ab6498fde913958061c4f246a951ce195e9b72daafd8c040b3dcbcb12df
                                                                                                      • Instruction ID: d420abbf3e3fd620b2c8389e0f76947db861abe28f4320ba48e3759bb4013532
                                                                                                      • Opcode Fuzzy Hash: bd5c0ab6498fde913958061c4f246a951ce195e9b72daafd8c040b3dcbcb12df
                                                                                                      • Instruction Fuzzy Hash: 37719035A006448FCF299BA0D448BDDBBF2EF88314F148629D546677A5DF75EC85CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: `B^nnCO
                                                                                                      • API String ID: 0-2012114827
                                                                                                      • Opcode ID: 4d80e4634255d7bd8f6faa547d00bd8c6f62ba35b20e748f8c44ce7835207e7d
                                                                                                      • Instruction ID: 3367a1e57332dceade3c67c8eb567581fd544f2d375ab7a305a8be083f173706
                                                                                                      • Opcode Fuzzy Hash: 4d80e4634255d7bd8f6faa547d00bd8c6f62ba35b20e748f8c44ce7835207e7d
                                                                                                      • Instruction Fuzzy Hash: 3C01D430B14105AFCB04EBB4E41469E7BB9DF86305F1040A6E205EB391DF31AD16CBA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $,Ol
                                                                                                      • API String ID: 0-212215368
                                                                                                      • Opcode ID: cc30dc046540ac31f5aab5d342d2bcf5ee9c7587de1d99eea87174b08bde5043
                                                                                                      • Instruction ID: 04bb62ad169ed07c577297200ffcce6982fd4a30bb0e8b9c16d2bc6644caff00
                                                                                                      • Opcode Fuzzy Hash: cc30dc046540ac31f5aab5d342d2bcf5ee9c7587de1d99eea87174b08bde5043
                                                                                                      • Instruction Fuzzy Hash: BEE08635A089145F8979BBA09454F9972CDDBC5A18F000938D2099F684EF241C4547D5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $,Ol
                                                                                                      • API String ID: 0-212215368
                                                                                                      • Opcode ID: 2b4243803ab31dfe35b0bcb8eb1033c37aeef391fec58a6ebf87268754737f3a
                                                                                                      • Instruction ID: 0852c9d1c1b240b8ff0a1d07ae4d41b3f897c4c83dd7efe1bb74379e0f9ab072
                                                                                                      • Opcode Fuzzy Hash: 2b4243803ab31dfe35b0bcb8eb1033c37aeef391fec58a6ebf87268754737f3a
                                                                                                      • Instruction Fuzzy Hash: DBE02635A088140FCE7AFBB0A050FED63C98BC1608F000A3CD209DF684EF200C494BD1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8b52936151380facf1940e5513827fdfad7467813ac2e190ebff33a38101947a
                                                                                                      • Instruction ID: c0e4ea8fcf1a2996dd6bb8342f18847485f1bd49952e5c0b8a79c3c95a739b6d
                                                                                                      • Opcode Fuzzy Hash: 8b52936151380facf1940e5513827fdfad7467813ac2e190ebff33a38101947a
                                                                                                      • Instruction Fuzzy Hash: 5121F8757102108FCB69EB78C45895D33E1AF8961932108BCE106CF775EB32EC46CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 94e77f19a342677148340241b99f4ed04c46311689e87e4e0aa2b1624bbf474b
                                                                                                      • Instruction ID: 9085e3b17aedc25e40adda84431345cfb31031c3e514604ea9e640bb9fd1deb8
                                                                                                      • Opcode Fuzzy Hash: 94e77f19a342677148340241b99f4ed04c46311689e87e4e0aa2b1624bbf474b
                                                                                                      • Instruction Fuzzy Hash: BA21F8757512108FCB69EB78C46896D33E1AF8961932109BCE106CF775EB32DC46CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b30abb4f13c00bda2dc59a90f6ff03dfd9a787484a385366e551d645c3631876
                                                                                                      • Instruction ID: 7d56a707662cc378c74eae326d8e977a7ae68bf78b75d17b96a2d6bb06db1858
                                                                                                      • Opcode Fuzzy Hash: b30abb4f13c00bda2dc59a90f6ff03dfd9a787484a385366e551d645c3631876
                                                                                                      • Instruction Fuzzy Hash: AB015275E002059FCB50EFB4D844CDEF7F5FF893107108666E5199B221E771A915CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0a2193558a30c1014d4fcad1d31b5f097eced4de3e645b2f18f10244301143bf
                                                                                                      • Instruction ID: bec7f178ff40bb25f617e840c58ad9f17882b7eb8fa48df019e42ebf3a7692ad
                                                                                                      • Opcode Fuzzy Hash: 0a2193558a30c1014d4fcad1d31b5f097eced4de3e645b2f18f10244301143bf
                                                                                                      • Instruction Fuzzy Hash: 76018C76E002059FCB50EFB8D880CEEFBB1FF89300710866AE519AB221E7709905CF80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.374195407.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1b9165bea4dfa8515e4e06e3d0984b042faa2707ca3ce222335adef1e4731d0f
                                                                                                      • Instruction ID: 35e5474256136f02e0e896f03d865971b47c3ac81bd66b99bcbb418043bbffc6
                                                                                                      • Opcode Fuzzy Hash: 1b9165bea4dfa8515e4e06e3d0984b042faa2707ca3ce222335adef1e4731d0f
                                                                                                      • Instruction Fuzzy Hash: 47F01C71940305CFDF14DBA4C458BED7BF0AB48318F240859D402A77A1CB759D84CB90
                                                                                                      Uniqueness

                                                                                                      Non-executed Functions

                                                                                                      Executed Functions

                                                                                                      Strings
                                                                                                      Non-executed Functions