
Analysis Report Quotation #01521.exe

Overview

General Information

Sample Name: Quotation #01521.exe
Analysis ID: 336032
MD5: 73619a5f7eab7a80e0fbbd5c8493c9b4
SHA1: 84db67126574c21ef3233518452876ad123b4aa1
SHA256: 7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df
Tags: exe, RAT, RevengeRAT


Detection

RevengeRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected RevengeRAT
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Startup

  • System is w10x64
  • Quotation #01521.exe (PID: 5568 cmdline: 'C:\Users\user\Desktop\Quotation #01521.exe' MD5: 73619A5F7EAB7A80E0FBBD5C8493C9B4)
    • cmd.exe (PID: 3260 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 2396 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • word.exe (PID: 6848 cmdline: 'C:\Users\user\word.exe' MD5: 73619A5F7EAB7A80E0FBBD5C8493C9B4)
      • word.exe (PID: 676 cmdline: C:\Users\user\word.exe MD5: 73619A5F7EAB7A80E0FBBD5C8493C9B4)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.313804349.0000000004D79000.00000004.00000001.sdmp | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security
00000000.00000002.313606727.0000000004CAE000.00000004.00000001.sdmp | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security
Process Memory Space: Quotation #01521.exe PID: 5568 | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x7a7f5:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x88efb:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0xe16d4:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0xefdf2:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0xfe510:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x81b36:$x5: \RevengeRAT\
  • 0x81b54:$x5: \RevengeRAT\
  • 0x9023c:$x5: \RevengeRAT\
  • 0x9025a:$x5: \RevengeRAT\
  • 0xe8a15:$x5: \RevengeRAT\
  • 0xe8a33:$x5: \RevengeRAT\
  • 0xf7133:$x5: \RevengeRAT\
  • 0xf7151:$x5: \RevengeRAT\
  • 0x105851:$x5: \RevengeRAT\
  • 0x10586f:$x5: \RevengeRAT\
  • 0x79203:$x7: Nuclear Explosion.exe
  • 0x87909:$x7: Nuclear Explosion.exe
  • 0xe00e2:$x7: Nuclear Explosion.exe
  • 0xee800:$x7: Nuclear Explosion.exe
  • 0xfcf1e:$x7: Nuclear Explosion.exe
Process Memory Space: Quotation #01521.exe PID: 5568 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: Quotation #01521.exe PID: 5568 | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security
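The string hits listed above come from scanning the process memory of PID 5568 for the three indicator strings ($x4, $x5, $x7) of the RevengeRAT_Sep17 rule. The following is an added example (not Joe Sandbox's code and not the rule author's) that performs the same kind of multi-string scan over a dump and prints the hits in the report's "offset:$id: string" layout. The function names `scan`, `matched_identifiers` and `format_hits` and the `DUMP` buffer are this example's own; the page does not state whether the real rule matches each string as ascii, wide or both, so the example searches both encodings, which matters for a .NET sample because managed strings live in memory as UTF-16LE.

```python
"""Search a memory dump for the indicator strings that the RevengeRAT_Sep17
rule matched in this report and list them in the report's "offset:$id: string"
layout.  Added example, not Joe Sandbox's or the rule author's code.  The
$x4/$x5/$x7 identifiers and their strings are the ones shown in the report;
whether the original rule matches them as ascii, wide or both is not stated
on this page, so both encodings are searched.  DUMP is a constructed buffer."""

INDICATORS = {
    "$x4": "5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41",
    "$x5": "\\RevengeRAT\\",
    "$x7": "Nuclear Explosion.exe",
}


def scan(buf: bytes, indicators=INDICATORS):
    """Return sorted (offset, identifier, encoding) triples for every occurrence.

    .NET keeps managed strings as UTF-16LE in memory, so an ascii-only search
    would miss strings the managed code itself builds or compares against."""
    hits = []
    for ident, text in indicators.items():
        for enc, needle in (("ascii", text.encode("ascii")),
                            ("wide", text.encode("utf-16-le"))):
            pos = buf.find(needle)
            while pos != -1:
                hits.append((pos, ident, enc))
                pos = buf.find(needle, pos + 1)   # allow overlapping repeats
    return sorted(hits)


def matched_identifiers(hits):
    """Which rule identifiers fired at all (the rule's own condition decides
    how many are needed; that condition is not reproduced on this page)."""
    return sorted({ident for _, ident, _ in hits})


def format_hits(hits, indicators=INDICATORS):
    return [f"0x{off:x}:{ident}: {indicators[ident]} [{enc}]" for off, ident, enc in hits]


# Constructed dump: an ascii build path, a managed (UTF-16LE) string, the
# hex-string indicator, and a truncated near-miss that must not match.
DUMP = (b"\x00" * 0x40
        + b"D:\\build\\RevengeRAT\\Client\\obj\\Release\\Client.pdb"
        + b"\x00" * 0x20
        + "Nuclear Explosion.exe".encode("utf-16-le")
        + b"\x00" * 0x10
        + b"5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41"
        + b"\x00" * 0x10
        + "Nuclear Explosion.ex".encode("utf-16-le"))

if __name__ == "__main__":
    print("\n".join(format_hits(scan(DUMP))))
```

Running it against a real dump (for example the .sdmp files this report names) is a matter of replacing `DUMP` with the file's bytes; the offsets it prints are then directly comparable with the ones in the table above.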

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\word.exe | ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: Quotation #01521.exe | ReversingLabs: Detection: 15%
Yara detected RevengeRAT
Source: Yara match | File source: 00000000.00000002.313804349.0000000004D79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313606727.0000000004CAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation #01521.exe PID: 5568, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\word.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation #01521.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_0182EFE0: 4x nop then jmp 0182F7B6h
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059ECE38: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E444D: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059EB1D0: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E6C84: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4C50: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4C50: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4C45: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4C45: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E3E94: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E5EE8: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E5E08: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4930: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4930: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4924: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4924: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4B88: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_059E4B7C: 4x nop then xor edx, edx

          Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 37.120.208.40 ports 3,57438,4,5,7,8 (only the connection to port 57438 appears in the recorded traffic below; no completed connection to the low-numbered ports is recorded, so the port-scan label is a heuristic rather than observed scanning)
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 37.120.208.40:57438
Source: Joe Sandbox View | ASN Name: M247GB
Source: unknown | DNS traffic detected: queries for: g.msn.com (not attributed to a process; a Microsoft domain that Windows itself contacts)
Source: Quotation #01521.exe, 00000000.00000002.313041403.0000000001AE9000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp (a truncated IPTC/XMP image-metadata namespace fragment, not a contacted URL)

          E-Banking Fraud:

Yara detected RevengeRAT
Source: Yara match | File source: 00000000.00000002.313804349.0000000004D79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313606727.0000000004CAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation #01521.exe PID: 5568, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: Process Memory Space: Quotation #01521.exe PID: 5568, type: MEMORY | Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Quotation #01521.exe
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_0182F8E8
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_01824828
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_0182D839
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_0182AA89
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_01824200
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_0182BDB0
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_01827D30
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_01829F90
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_0182EFE0
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_0182F8D8
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_0182D873
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_059E0408
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_059E5408
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_059E53F7
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_059E59B8
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_059E59AA
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_059EB880
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function: 0_2_059EB870
Source: Quotation #01521.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: word.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quotation #01521.exe, 00000000.00000002.317524151.0000000008E97000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemkl.exeT vs Quotation #01521.exe
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs Quotation #01521.exe
Source: Quotation #01521.exe, 00000000.00000002.312898299.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Quotation #01521.exe
Source: Quotation #01521.exe, 00000000.00000002.312898299.00000000019D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation #01521.exe
Source: Quotation #01521.exe, 00000000.00000002.315624356.0000000005AD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Quotation #01521.exe
Source: Quotation #01521.exe, 00000000.00000002.312828868.0000000001970000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Quotation #01521.exe
Source: Quotation #01521.exe | Binary or memory string: OriginalFilenamemkl.exeT vs Quotation #01521.exe
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'
Source: Process Memory Space: Quotation #01521.exe PID: 5568, type: MEMORY | Matched rule: RevengeRAT_Sep17 (date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, modified = 2020-07-27)
Source: Quotation #01521.exe, Tw1/p1S.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Quotation #01521.exe, Ea8/We8.cs | Cryptographic APIs: 'CreateDecryptor'
Source: word.exe.0.dr, Tw1/p1S.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: word.exe.0.dr, Ea8/We8.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Quotation #01521.exe.f10000.0.unpack, Tw1/p1S.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.Quotation #01521.exe.f10000.0.unpack, Ea8/We8.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation #01521.exe.f10000.0.unpack, Ea8/We8.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation #01521.exe.f10000.0.unpack, Tw1/p1S.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 18.0.word.exe.fc0000.0.unpack, Tw1/p1S.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 18.0.word.exe.fc0000.0.unpack, Ea8/We8.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 23.0.word.exe.610000.0.unpack, Tw1/p1S.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/3@2/1
Source: C:\Users\user\Desktop\Quotation #01521.exe | File created: C:\Users\user\word.exe
Source: C:\Users\user\word.exe | Mutant created: \Sessions\1\BaseNamedObjects\RV_MUTEX-ITXZMONFueOciqX
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01
Source: Quotation #01521.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation #01521.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\word.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\word.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\word.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\Quotation #01521.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Quotation #01521.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\word.exe | File read: C:\Windows\System32\drivers\etc\hosts (2x)
Source: Quotation #01521.exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\Quotation #01521.exe | File read: C:\Users\user\Desktop\Quotation #01521.exe
Source: unknown | Process created: C:\Users\user\Desktop\Quotation #01521.exe 'C:\Users\user\Desktop\Quotation #01521.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'
Source: unknown | Process created: C:\Users\user\word.exe 'C:\Users\user\word.exe'
Source: unknown | Process created: C:\Users\user\word.exe C:\Users\user\word.exe
Source: C:\Users\user\Desktop\Quotation #01521.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'
Source: C:\Users\user\Desktop\Quotation #01521.exe | Process created: C:\Users\user\word.exe 'C:\Users\user\word.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'
Source: C:\Users\user\word.exe | Process created: C:\Users\user\word.exe C:\Users\user\word.exe
Source: C:\Users\user\Desktop\Quotation #01521.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Quotation #01521.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Quotation #01521.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quotation #01521.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_00F17718: push cs; retf at 0_2_00F17719
Source: C:\Users\user\Desktop\Quotation #01521.exe | Code function 0_2_01825750: push eax; ret at 0_2_01825751
Source: C:\Users\user\Desktop\Quotation #01521.exe | File created: C:\Users\user\word.exe (dropped file)

          Boot Survival:

Drops PE files to the user root directory
Source: C:\Users\user\Desktop\Quotation #01521.exe | File created: C:\Users\user\word.exe (dropped file)
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value: word (2x)
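The Startup process tree and the Boot Survival entries above together describe one persistence chain: the sample drops a byte-identical copy of itself as C:\Users\user\word.exe (same MD5), then spawns cmd.exe, which spawns reg.exe to write an HKCU Run value named "word" pointing at that copy. The following is an added detection example (not Joe Sandbox code) that correlates process-creation, file-creation and command-line data into exactly that chain: it walks reg.exe back to the root of its process ancestry, checks whether the Run target was dropped by a process in that chain, whether the dropped file's hash equals the root process's hash (self-copy), and whether the target sits directly in the profile root. The `EVENTS` list is constructed from the report's tree; the parent PID 1000, the benign "Vendor" installer record and the names `find_run_key_persistence`, `Finding` and `severity` are this example's own assumptions.

```python
"""Correlate process, file and registry events into the persistence chain this
report records: the dropper copies itself into the user profile root, then
spawns cmd.exe -> reg.exe to add an HKCU ...\Run value pointing at the copy.
Added example, not Joe Sandbox code.  EVENTS is constructed from the report's
Startup tree; the benign installer record and all ppids outside the tree are
invented for contrast."""
import re
from dataclasses import dataclass

RUN_KEY_RE = re.compile(
    r"(?:HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\Software\\Microsoft"
    r"\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)
VALUE_RE = re.compile(r"/v\s+['\"]?([^'\"\s]+)", re.IGNORECASE)
DATA_RE = re.compile(r"/d\s+(?:['\"]([^'\"]+)['\"]|(\S+))", re.IGNORECASE)
# An executable sitting directly in C:\Users\<name>\ instead of a program directory.
USER_ROOT_EXE_RE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    value_name: str
    target: str
    origin_image: str           # root of the process chain that ran reg.exe
    target_in_user_root: bool
    target_dropped_by_chain: bool
    target_is_self_copy: bool   # dropped file's hash equals the origin's hash

    def severity(self) -> str:
        hits = self.target_in_user_root + self.target_dropped_by_chain + self.target_is_self_copy
        return ("info", "low", "medium", "high")[hits]


def _chain(pid, procs):
    """[process, parent, grandparent, ...] following ppid until it leaves the log."""
    out, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        out.append(procs[pid])
        pid = procs[pid]["ppid"]
    return out


def find_run_key_persistence(events):
    """One Finding per (origin process, Run value name, target path)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    drops = [e for e in events if e["type"] == "file_create"]
    findings = {}
    for p in procs.values():
        cmd = p["cmdline"]
        if not (REG_ADD_RE.search(cmd) and RUN_KEY_RE.search(cmd)):
            continue
        m = DATA_RE.search(cmd)
        if not m:
            continue
        target = (m.group(1) or m.group(2)).strip()
        vm = VALUE_RE.search(cmd)
        value_name = vm.group(1) if vm else ""
        chain = _chain(p["pid"], procs)          # reg.exe <- cmd.exe <- dropper
        origin, chain_pids = chain[-1], {c["pid"] for c in chain}
        drop = next((d for d in drops if d["target"].lower() == target.lower()
                     and d["pid"] in chain_pids), None)
        # cmd.exe and reg.exe both carry the REG ADD line; dedupe on the origin.
        key = (origin["pid"], value_name.lower(), target.lower())
        findings.setdefault(key, Finding(
            value_name, target, origin["image"],
            target_in_user_root=bool(USER_ROOT_EXE_RE.match(target)),
            target_dropped_by_chain=drop is not None,
            target_is_self_copy=drop is not None and drop["md5"] == origin["md5"]))
    return list(findings.values())


SAMPLE_MD5 = "73619A5F7EAB7A80E0FBBD5C8493C9B4"
RUN_CMD = (r"REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' "
           r"/f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'")
EVENTS = [
    {"type": "process_create", "pid": 5568, "ppid": 1000, "md5": SAMPLE_MD5,
     "image": r"C:\Users\user\Desktop\Quotation #01521.exe",
     "cmdline": r"'C:\Users\user\Desktop\Quotation #01521.exe'"},
    {"type": "file_create", "pid": 5568, "target": r"C:\Users\user\word.exe", "md5": SAMPLE_MD5},
    {"type": "process_create", "pid": 3260, "ppid": 5568, "md5": "F3BDBE3BB6F734E357235F4D5898582D",
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "'cmd.exe' /c " + RUN_CMD},
    {"type": "process_create", "pid": 2396, "ppid": 3260, "md5": "CEE2A7E57DF2A159A065A34913A055C2",
     "image": r"C:\Windows\SysWOW64\reg.exe", "cmdline": RUN_CMD},
    {"type": "process_create", "pid": 6848, "ppid": 5568, "md5": SAMPLE_MD5,
     "image": r"C:\Users\user\word.exe", "cmdline": r"'C:\Users\user\word.exe'"},
    # invented benign contrast: an installer registering its updater from Program Files
    {"type": "process_create", "pid": 900, "ppid": 1000, "md5": "00" * 16,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe"'},
]

if __name__ == "__main__":
    for f in find_run_key_persistence(EVENTS):
        print(f"{f.severity():6} {f.origin_image} -> Run\\{f.value_name} = {f.target}")
```

The three checks are deliberately independent so that a legitimate installer writing a Run value for a binary under Program Files scores "info", while the chain in this report scores "high": the target is in the profile root, it was written by the root of the chain, and it is a byte-identical copy of that root. Feeding real Sysmon data (event IDs 1 and 11) into the same shape is a matter of mapping ProcessId/ParentProcessId/Hashes onto the `pid`/`ppid`/`md5` fields.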

          Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Quotation #01521.exe | File opened: C:\Users\user\Desktop\Quotation #01521.exe\:Zone.Identifier (access: read attributes, delete)
Source: C:\Users\user\word.exe | File opened: C:\Users\user\word.exe\:Zone.Identifier (access: read attributes, delete)
Source: C:\Users\user\Desktop\Quotation #01521.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Quotation #01521.exe | Process information set: NOOPENFILEERRORBOX (42 occurrences)
Source: C:\Users\user\word.exe | Process information set: NOOPENFILEERRORBOX (74 occurrences)

          Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: Quotation #01521.exe PID: 5568, type: MEMORY
Source: C:\Users\user\Desktop\Quotation #01521.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Quotation #01521.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\word.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Quotation #01521.exe | Window / User API: threadDelayed 710
Source: C:\Users\user\Desktop\Quotation #01521.exe | Window / User API: threadDelayed 9132
Source: C:\Users\user\word.exe | Window / User API: threadDelayed 737
Source: C:\Users\user\word.exe | Window / User API: threadDelayed 9117
Source: C:\Users\user\word.exe | Window / User API: threadDelayed 4089
Source: C:\Users\user\word.exe | Window / User API: threadDelayed 1118
Source: C:\Users\user\Desktop\Quotation #01521.exe TID: 5340 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\Quotation #01521.exe TID: 5340 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Quotation #01521.exe TID: 5992 | Thread sleep count: 710 > 30
Source: C:\Users\user\Desktop\Quotation #01521.exe TID: 5992 | Thread sleep count: 9132 > 30
Source: C:\Users\user\word.exe TID: 6980 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\word.exe TID: 6980 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\word.exe TID: 6984 | Thread sleep count: 737 > 30
Source: C:\Users\user\word.exe TID: 6984 | Thread sleep count: 9117 > 30
Source: C:\Users\user\word.exe TID: 6416 | Thread sleep count: 4089 > 30
Source: C:\Users\user\word.exe TID: 6308 | Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\word.exe TID: 6304 | Thread sleep time: -675000s >= -30000s
Source: C:\Users\user\word.exe TID: 6424 | Thread sleep count: 1118 > 30
Source: C:\Users\user\word.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\word.exe | Last function: Thread delayed
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: vmware svga
Source: Quotation #01521.exe, 00000000.00000002.315624356.0000000005AD0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: vmusrvc
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: vmtools
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: Quotation #01521.exe, 00000000.00000002.315624356.0000000005AD0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Quotation #01521.exe, 00000000.00000002.315624356.0000000005AD0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Quotation #01521.exe, 00000000.00000002.313480843.000000000444C000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device
Source: Quotation #01521.exe, 00000000.00000002.315624356.0000000005AD0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Quotation #01521.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Quotation #01521.exe | Process token adjusted: Debug
Source: C:\Users\user\word.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Quotation #01521.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Quotation #01521.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'
Source: C:\Users\user\Desktop\Quotation #01521.exe | Process created: C:\Users\user\word.exe 'C:\Users\user\word.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'
Source: C:\Users\user\word.exe | Process created: C:\Users\user\word.exe C:\Users\user\word.exe
Source: C:\Users\user\word.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Quotation #01521.exe | Queries volume information: C:\Users\user\Desktop\Quotation #01521.exe VolumeInformation
Source: C:\Users\user\Desktop\Quotation #01521.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation #01521.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\word.exe | Queries volume information: C:\Users\user\word.exe VolumeInformation
Source: C:\Users\user\word.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\word.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\word.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\word.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\word.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Quotation #01521.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\word.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Users\user\word.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

          Stealing of Sensitive Information:

Yara detected RevengeRAT
Source: Yara match | File source: 00000000.00000002.313804349.0000000004D79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313606727.0000000004CAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation #01521.exe PID: 5568, type: MEMORY

          Remote Access Functionality:

Yara detected RevengeRAT
Source: Yara match | File source: 00000000.00000002.313804349.0000000004D79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313606727.0000000004CAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation #01521.exe PID: 5568, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 21 | Registry Run Keys / Startup Folder 1 | Process Injection 11 | Masquerading 111 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Modify Registry 1 | LSASS Memory | Security Software Discovery 131 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 4 | Security Account Manager | Virtualization/Sandbox Evasion 4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 11 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 2 | Proc Filesystem | System Information Discovery 23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label | Link
Quotation #01521.exe | 15% | ReversingLabs | |
Quotation #01521.exe | 100% | Joe Sandbox ML | |

          Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\word.exe | 100% | Joe Sandbox ML | |
C:\Users\user\word.exe | 15% | ReversingLabs | |

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label | Link
http://iptc.tc4xmp | 0% | Avira URL Cloud | safe |

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
chongmei33.myddns.rocks | 37.120.208.40 | true | true | | unknown
g.msn.com | unknown | unknown | false | | high

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://iptc.tc4xmp | Quotation #01521.exe, 00000000.00000002.313041403.0000000001AE9000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown

              Contacted IPs

              Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
37.120.208.40 | unknown | Romania | | 9009 | M247GB | true

              General Information

              Joe Sandbox Version:31.0.0 Red Diamond
              Analysis ID:336032
              Start date:05.01.2021
              Start time:08:37:05
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 7m 32s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:Quotation #01521.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:37
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@10/3@2/1
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 0.4% (good quality ratio 0.2%)
              • Quality average: 31.7%
              • Quality standard deviation: 38.6%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 24
              • Number of non-executed functions: 19
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
Warnings:
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 104.42.151.234, 40.88.32.150, 51.11.168.160, 104.79.90.110, 92.122.213.194, 92.122.213.247, 67.26.83.254, 8.253.95.249, 8.248.145.254, 8.248.117.254, 67.26.139.254, 20.54.26.129, 51.104.139.180, 52.142.114.176, 52.155.217.156
              • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.

              Simulations

              Behavior and APIs

Time | Type | Description
08:37:58 | API Interceptor | 195x Sleep call for process: Quotation #01521.exe modified
08:38:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run word C:\Users\user\word.exe
08:38:08 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run word C:\Users\user\word.exe
08:38:48 | API Interceptor | 974x Sleep call for process: word.exe modified

              Joe Sandbox View / Context

              IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
37.120.208.40 | ORDER #0421 pdf.exe | | malicious | |
| ORDER # 00246XF.exe | | malicious | |

                  Domains

                  No context

                  ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
M247GB | ORDER #0421 pdf.exe | | malicious | | 37.120.208.40
| xs1ALnpMCT.exe | | malicious | | 194.61.53.10
| 0I2ddZZKv7.exe | | malicious | | 194.61.53.10
| Q2BZ01fmwK.exe | | malicious | | 194.61.53.10
| ndUmkEM8KO.exe | | malicious | | 194.61.53.10
| Payment Copy.exe | | malicious | | 37.120.208.37
| Pi.exe | | malicious | | 37.120.208.36
| ORDER #2001228A.exe.exe | | malicious | | 37.120.208.37
| ORDER #2001228A.exe | | malicious | | 37.120.208.36
| http://83.97.20.25 | | malicious | | 83.97.20.25
| Payment Copy.doc.......exe | | malicious | | 37.120.208.36
| ORDER #07443.doc............exe | | malicious | | 37.120.208.36
| K8vJWv8Niw.exe | | malicious | | 188.72.85.70
| T9p80DSlYx.exe | | malicious | | 95.174.65.224
| Invoice #002278.exe | | malicious | | 37.120.208.36
| AmLoRvhh1W.exe | | malicious | | 188.72.85.45
| 5F3Gel7gY8.exe | | malicious | | 188.72.85.45
| ASHLEY NAIDOO CV.doc | | malicious | | 188.72.85.45
| SecuriteInfo.com.Trojan.DownloaderNET.105.19020.exe | | malicious | | 46.243.237.119
| RFQ - 603876355.doc | | malicious | | 46.243.237.119

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation #01521.exe.log
                  Process:C:\Users\user\Desktop\Quotation #01521.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):1451
                  Entropy (8bit):5.345862727722058
                  Encrypted:false
                  SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
                  MD5:06F54CDBFEF62849AF5AE052722BD7B6
                  SHA1:FB0250AAC2057D0B5BCE4CE130891E428F28DA05
                  SHA-256:4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
                  SHA-512:34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                  C:\Users\user\word.exe
                  Process:C:\Users\user\Desktop\Quotation #01521.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):835584
                  Entropy (8bit):4.46467471127672
                  Encrypted:false
                  SSDEEP:6144:KS7/DxvkrhDdyquS7xY+kbB44daFa7XIEk9RC9uT0mSAQdP:b7cIqh7x78B4urLIvpT0mSAQdP
                  MD5:73619A5F7EAB7A80E0FBBD5C8493C9B4
                  SHA1:84DB67126574C21EF3233518452876AD123B4AA1
                  SHA-256:7A538B979C2A126FB287ED7BBB18AC55687273DFBAC2C09DE85F073C9BF5E3DF
                  SHA-512:B92F4239DA62411EDCBF2378E67E28A307752F1B55D5977527E83069630A5D9894BB4F7138473DA42F183B6FC5CDCB334AFF76805ACBAE6908B35ED8716940C4
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 15%
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r..;................. ..........N>... ...@....@.. ....................................`..................................>..K....@............................................................................... ............... ..H............text...T.... ... .................. ..`.rsrc........@......."..............@..@.reloc..............................@..B................0>......H.......X...."......6...`....5...........................................`.)..mm+F4...|.E7{..2.<*..^....[.UJ^.C.......2S.-Va.j.k.B.l.....A.i2......[e.......g.K^.L] ...9... .wbs....F'....\....S.h...Sb+ ."..n"......6>.....]......-7..8. .j.9...E|bb^...`NB.h..._UK....1.,(y.*..xP:.m./m......p'.h.w.~.,o.........1.0.p.E..Y.R...*..].A..........r.7.F...O.p;..V....`...%Z.-..hT......O.8^.\.It<..Q.U...:~.....$....9...N.ei..J..K..o....Cn6.1x...}W...?.Ya.....CUk.
                  C:\Users\user\word.exe:Zone.Identifier
                  Process:C:\Users\user\Desktop\Quotation #01521.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview: [ZoneTransfer]....ZoneId=0

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):4.46467471127672
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:Quotation #01521.exe
                  File size:835584
                  MD5:73619a5f7eab7a80e0fbbd5c8493c9b4
                  SHA1:84db67126574c21ef3233518452876ad123b4aa1
                  SHA256:7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df
                  SHA512:b92f4239da62411edcbf2378e67e28a307752f1b55d5977527e83069630a5d9894bb4f7138473da42f183b6fc5cdcb334aff76805acbae6908b35ed8716940c4
                  SSDEEP:6144:KS7/DxvkrhDdyquS7xY+kbB44daFa7XIEk9RC9uT0mSAQdP:b7cIqh7x78B4urLIvpT0mSAQdP
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r..;................. ..........N>... ...@....@.. ....................................`................................

                  File Icon

                  Icon Hash:e4e0d2d6d2d2c4dc

                  Static PE Info

                  General

                  Entrypoint:0x4a3e4e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                  Time Stamp:0x3B950972 [Tue Sep 4 17:03:46 2001 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  (followed by zero padding, which the preview disassembles as "add byte ptr [eax], al" repeated to the end of the window)

                  0x402000 is the IAT (RVA 0x2000 in the Data Directories below, at the 0x400000 preferred base that the absolute address implies), and mscoree!_CorExeMain is the only import, so this is the standard CLR loader stub: the native entrypoint hands control to the runtime and the real logic is managed code, which is why the native disassembly and the import table say nothing about the sample's behaviour.

                  Data Directories

                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0xa3e00          0x4b          .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa4000          0x29b96       .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0xce000          0xc           .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                  Sections

                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                  .text   0x2000           0xa1e54       0xa2000   False     0.368860315394   data       4.12737708702   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc   0xa4000          0x29b96       0x29c00   False     0.115708037051   data       4.70184642753   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc  0xce000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name           RVA      Size     Type                                                          Language  Country
                  RT_ICON        0xa42b0  0x1b2f   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                  RT_ICON        0xa5de0  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                  RT_ICON        0xb6608  0x94a8   data
                  RT_ICON        0xbfab0  0x5488   data
                  RT_ICON        0xc4f38  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294901760
                  RT_ICON        0xc9160  0x25a8   data
                  RT_ICON        0xcb708  0x10a8   data
                  RT_ICON        0xcc7b0  0x988    data
                  RT_ICON        0xcd138  0x468    GLS_BINARY_LSB_FIRST
                  RT_GROUP_ICON  0xcd5a0  0x84     data
                  RT_VERSION     0xcd624  0x388    data
                  RT_MANIFEST    0xcd9ac  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                  The Type column is a libmagic guess on the raw resource bytes. RT_ICON entries are headerless DIB bitmaps (or, for the 256 x 256 one, a PNG), so labels such as "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" are signature false positives, not embedded database files. Language and Country were empty in the report.

                  Imports

                  DLL          Import
                  mscoree.dll  _CorExeMain
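The Import Hash printed at the top of this section (f34d5f2d4577ed6d9ceec516c1f5a744) follows directly from this one-line import table. The script below is an added example, not part of the Joe Sandbox report and not pefile's own code: it recomputes the hash with pefile's normalisation rules (lowercase, extension stripped, "dll.func" pairs joined by commas, MD5) and checks whether a value is the generic CLR-stub hash. The NATIVE_IMPORTS list is a constructed import set, not taken from this sample, used only to show that the value changes once anything else is imported; pefile's table of well-known ordinal names is deliberately omitted.

```python
import hashlib
from typing import Iterable, Tuple, Union

# Import list exactly as the report's Imports table shows it: one DLL, one function.
REPORT_IMPORTS = [("mscoree.dll", "_CorExeMain")]
# Import Hash as printed near the top of the report.
REPORT_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Constructed, hypothetical native-style import list (not from this sample), used to
# show that the hash changes once a binary imports anything beyond the CLR stub.
NATIVE_IMPORTS = [("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
                  ("WS2_32.dll", 23)]   # 23 = import by ordinal, rendered as "ord23"


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """Recompute the import hash the way pefile does: for every imported function,
    lowercase the DLL name, drop a .dll/.ocx/.sys extension, lowercase the function
    name, join as "dll.func", join all entries with commas, MD5 the result.
    Ordinal imports become "ordN"; pefile additionally maps well-known ordinals
    (ws2_32, oleaut32, ...) to names, which is omitted here (assumption: not needed
    for a sample whose only import is by name)."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def is_clr_stub_imphash(h: str) -> bool:
    """True if the hash is the one every managed PE with only mscoree!_CorExeMain
    shares; such a value identifies ".NET executable", not a family or a builder."""
    return h.lower() == imphash([("mscoree.dll", "_CorExeMain")])


if __name__ == "__main__":
    print("report imphash matches recomputed:", imphash(REPORT_IMPORTS) == REPORT_IMPHASH)
    print("generic CLR stub:", is_clr_stub_imphash(REPORT_IMPHASH))
    print("constructed native import set:", imphash(NATIVE_IMPORTS))
```

Every managed PE that imports nothing but mscoree!_CorExeMain produces this hash, so an imphash match on a .NET sample says nothing about family or builder; pivoting on this value in a threat-intel platform will return unrelated .NET binaries. For managed samples, pivot on metadata of the assembly itself (TypeRef hash, module MVID, typelib GUID) instead.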

                  Version Infos

                  Description       Data
                  Translation       0x0000 0x04b0
                  LegalCopyright    Copyright 1998 >JGJ2>:6B?FE;<?6H
                  Assembly Version  1.0.0.0
                  InternalName      mkl.exe
                  FileVersion       3.5.6.7
                  CompanyName       >JGJ2>:6B?FE;<?6H
                  Comments          9BAJGD7>EG<542F5=945AGH
                  ProductName       FA6?E>AC?<7G:I=A<@CE66HF
                  ProductVersion    3.5.6.7
                  FileDescription   FA6?E>AC?<7G:I=A<@CE66HF
                  OriginalFilename  mkl.exe

                  The strings above are the sample's own version resource, not extraction damage. CompanyName, ProductName, Comments and FileDescription are not readable product names, InternalName/OriginalFilename (mkl.exe) do not match the submitted file name, and FileVersion (3.5.6.7) disagrees with the assembly version (1.0.0.0); none of these fields should be used for attribution.

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  All rows belong to a single session between 192.168.2.3:49739 and 37.120.208.40:57438 (the A record for chongmei33.myddns.rocks, see DNS Answers below). After the initial exchange at 08:39:26, the server side starts a new short exchange roughly every 15 seconds.

                  Timestamp                           Source Port  Dest Port  Source IP      Dest IP
                  Jan 5, 2021 08:39:26.027009010 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:26.264777899 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:26.265075922 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:26.504221916 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:27.155687094 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:27.600404024 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:37.130244970 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:37.178601980 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:37.886257887 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:38.135562897 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:38.158364058 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:38.611644983 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:38.611854076 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:39.049501896 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:52.132004976 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:52.139405966 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:52.380076885 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:52.391149998 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:52.840228081 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:39:52.840440989 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:39:53.271945000 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:07.183716059 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:07.193002939 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:07.432538986 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:07.477636099 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:07.479475021 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:07.913149118 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:07.913809061 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:08.356857061 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:22.188740015 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:22.194657087 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:22.427228928 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:22.438457966 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:22.937519073 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:22.937616110 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:23.380573034 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:37.182756901 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:37.190282106 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:37.445751905 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:37.456758022 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:37.895008087 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:37.896106005 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:38.356151104 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:52.191442966 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:52.196420908 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:52.448169947 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:52.458578110 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:52.909785986 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:40:52.910044909 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:40:53.361350060 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:41:07.187779903 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:41:07.190438032 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:41:07.442552090 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:41:07.448909044 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:41:07.908231974 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:41:07.908301115 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:41:08.367944956 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:41:22.190506935 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:41:22.195743084 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:41:22.439913034 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:41:22.465040922 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:41:22.953972101 CET  57438        49739      37.120.208.40  192.168.2.3
                  Jan 5, 2021 08:41:22.954184055 CET  49739        57438      192.168.2.3    37.120.208.40
                  Jan 5, 2021 08:41:23.452014923 CET  57438        49739      37.120.208.40  192.168.2.3

                  UDP Packets

                  Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                  Jan 5, 2021 08:37:49.814743042 CET  58361        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:49.862793922 CET  53           58361      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:37:50.949738026 CET  63492        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:51.000473022 CET  53           63492      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:37:52.565772057 CET  60831        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:52.616492033 CET  53           60831      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:37:53.721333027 CET  60100        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:53.772260904 CET  53           60100      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:37:54.534734011 CET  53195        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:54.590909004 CET  53           53195      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:37:55.413758039 CET  50141        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:55.464778900 CET  53           50141      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:37:56.299575090 CET  53023        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:56.347615004 CET  53           53023      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:37:57.157831907 CET  49563        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:57.214122057 CET  53           49563      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:37:58.317035913 CET  51352        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:58.364936113 CET  53           51352      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:37:59.484648943 CET  59349        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:37:59.540815115 CET  53           59349      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:12.420068979 CET  57084        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:12.476290941 CET  53           57084      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:14.892173052 CET  58823        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:14.940196037 CET  53           58823      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:16.745394945 CET  57568        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:16.793289900 CET  53           57568      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:22.021966934 CET  50540        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:22.082416058 CET  53           50540      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:25.692018032 CET  54366        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:25.750015974 CET  53           54366      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:37.473880053 CET  53034        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:37.521739960 CET  53           53034      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:42.183382034 CET  57762        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:42.239847898 CET  53           57762      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:55.060189009 CET  55435        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:55.108089924 CET  53           55435      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:57.921255112 CET  50713        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:57.995484114 CET  53           50713      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:38:59.488545895 CET  56132        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:38:59.547683954 CET  53           56132      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:39:25.793894053 CET  58987        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:39:26.005244970 CET  53           58987      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:39:31.019515038 CET  56579        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:39:31.067576885 CET  53           56579      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:39:33.711487055 CET  60633        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:39:33.769594908 CET  53           60633      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:06.953296900 CET  61292        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:07.001265049 CET  53           61292      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:07.455620050 CET  63619        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:07.522232056 CET  53           63619      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:39.599446058 CET  64938        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:39.647557020 CET  53           64938      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:40.331362009 CET  61946        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:40.382041931 CET  53           61946      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:41.424005032 CET  64910        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:41.481679916 CET  53           64910      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:42.125303030 CET  52123        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:42.176090956 CET  53           52123      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:42.918059111 CET  56130        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:42.977232933 CET  53           56130      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:44.984572887 CET  56338        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:45.033242941 CET  53           56338      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:47.337440014 CET  59420        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:47.393894911 CET  53           59420      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:48.567800999 CET  58784        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:48.624480963 CET  53           58784      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:49.813815117 CET  63978        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:49.869977951 CET  53           63978      8.8.8.8      192.168.2.3
                  Jan 5, 2021 08:40:50.708894968 CET  62938        53         192.168.2.3  8.8.8.8
                  Jan 5, 2021 08:40:50.768207073 CET  53           62938      8.8.8.8      192.168.2.3

                  DNS Queries

                  Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
                  Jan 5, 2021 08:38:57.921255112 CET  192.168.2.3  8.8.8.8  0xe5dd    Standard query (0)  g.msn.com                A (IP address)  IN (0x0001)
                  Jan 5, 2021 08:39:25.793894053 CET  192.168.2.3  8.8.8.8  0xfc89    Standard query (0)  chongmei33.myddns.rocks  A (IP address)  IN (0x0001)

                  DNS Answers

                  Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                     CName                               Address        Type                    Class
                  Jan 5, 2021 08:38:57.995484114 CET  8.8.8.8    192.168.2.3  0xe5dd    No error (0)  g.msn.com                g-msn-com-nsatc.trafficmanager.net  -              CNAME (Canonical name)  IN (0x0001)
                  Jan 5, 2021 08:39:26.005244970 CET  8.8.8.8    192.168.2.3  0xfc89    No error (0)  chongmei33.myddns.rocks  -                                   37.120.208.40  A (IP address)          IN (0x0001)
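The TCP table above shows one connection from the analysis VM to 37.120.208.40:57438, the A record returned for chongmei33.myddns.rocks, with short exchanges that repeat every 15 seconds on a non-standard port: a keepalive beacon. The script below is an added example, not part of the Joe Sandbox report. It parses packet rows in the report's column order, splits each remote endpoint's traffic into exchanges separated by silence, and scores how regular the exchange start times are. SAMPLE_PACKETS is a constructed subset of the rows above (23 rows of the C2 session and 4 DNS rows); LOCAL_IP is the VM address from the tables, and GAP_SECONDS, MIN_BURSTS and MAX_JITTER are threshold assumptions.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

LOCAL_IP = "192.168.2.3"   # the analysis VM, as in the packet tables above
GAP_SECONDS = 5.0          # silence longer than this separates two exchanges (assumption)
MIN_BURSTS = 4             # repetitions required before calling a flow periodic (assumption)
MAX_JITTER = 0.2           # MAD / median of the exchange intervals (assumption)

# Constructed sample: a subset of the report's TCP rows plus four of its DNS rows,
# one packet per line in the report's column order
# (timestamp, source port, dest port, source IP, dest IP).
SAMPLE_PACKETS = """\
Jan 5, 2021 08:37:49.814743042 CET 58361 53 192.168.2.3 8.8.8.8
Jan 5, 2021 08:37:49.862793922 CET 53 58361 8.8.8.8 192.168.2.3
Jan 5, 2021 08:37:50.949738026 CET 63492 53 192.168.2.3 8.8.8.8
Jan 5, 2021 08:37:51.000473022 CET 53 63492 8.8.8.8 192.168.2.3
Jan 5, 2021 08:39:26.027009010 CET 49739 57438 192.168.2.3 37.120.208.40
Jan 5, 2021 08:39:26.264777899 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:39:26.265075922 CET 49739 57438 192.168.2.3 37.120.208.40
Jan 5, 2021 08:39:26.504221916 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:39:27.155687094 CET 49739 57438 192.168.2.3 37.120.208.40
Jan 5, 2021 08:39:27.600404024 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:39:37.130244970 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:39:37.178601980 CET 49739 57438 192.168.2.3 37.120.208.40
Jan 5, 2021 08:39:37.886257887 CET 49739 57438 192.168.2.3 37.120.208.40
Jan 5, 2021 08:39:38.135562897 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:39:52.132004976 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:39:52.139405966 CET 49739 57438 192.168.2.3 37.120.208.40
Jan 5, 2021 08:39:52.380076885 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:40:07.183716059 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:40:07.193002939 CET 49739 57438 192.168.2.3 37.120.208.40
Jan 5, 2021 08:40:07.432538986 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:40:22.188740015 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:40:22.194657087 CET 49739 57438 192.168.2.3 37.120.208.40
Jan 5, 2021 08:40:37.182756901 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:40:37.190282106 CET 49739 57438 192.168.2.3 37.120.208.40
Jan 5, 2021 08:40:52.191442966 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:41:07.187779903 CET 57438 49739 37.120.208.40 192.168.2.3
Jan 5, 2021 08:41:22.190506935 CET 57438 49739 37.120.208.40 192.168.2.3
"""

ROW_RE = re.compile(
    r"^\w{3} \d+, \d{4} (\d{2}):(\d{2}):(\d{2})\.(\d+) \S+ (\d+) (\d+) (\S+) (\S+)$")


def parse_row(line: str) -> Tuple[float, Tuple[str, int]]:
    """Return (seconds since midnight, (remote ip, remote port)) for one packet row.
    All rows in the report fall on one day, so the date is ignored (assumption)."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unparsable row: {line!r}")
    hh, mm, ss, frac, sport, dport, src, dst = m.groups()
    t = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(frac) / 10 ** len(frac)
    remote = (dst, int(dport)) if src == LOCAL_IP else (src, int(sport))
    return t, remote


def analyse(text: str) -> Dict[Tuple[str, int], dict]:
    """Group packets per remote endpoint, split each flow into exchanges separated by
    GAP_SECONDS of silence, and measure how regular the exchange start times are."""
    times: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            t, remote = parse_row(line.strip())
            times[remote].append(t)
    results = {}
    for remote, ts in times.items():
        ts.sort()
        starts = [ts[0]] + [cur for prev, cur in zip(ts, ts[1:]) if cur - prev > GAP_SECONDS]
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        median = statistics.median(intervals) if intervals else 0.0
        # median absolute deviation: one odd interval does not hide a regular pattern
        mad = statistics.median(abs(i - median) for i in intervals) if intervals else 0.0
        jitter = mad / median if median else 0.0
        results[remote] = {
            "packets": len(ts), "bursts": len(starts),
            "median_interval": round(median, 3), "jitter": round(jitter, 4),
            "is_beacon": len(starts) >= MIN_BURSTS and median > 0 and jitter <= MAX_JITTER}
    return results


if __name__ == "__main__":
    for remote, r in analyse(SAMPLE_PACKETS).items():
        print(remote, r)
```

The first interval (about 11 s) is shorter than the rest because it spans the connection setup and the first exchange; the median absolute deviation ignores that outlier where a standard deviation would not. The DNS traffic to 8.8.8.8 collapses into a single exchange and is not flagged. On real captures, apply the same scoring per (remote IP, remote port) over a longer window and treat a low-jitter, high-repetition flow to a non-standard port as a pivot point, not as a verdict.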

                  Code Manipulations


                  System Behavior

                  General

                  Start time:08:37:53
                  Start date:05/01/2021
                  Path:C:\Users\user\Desktop\Quotation #01521.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\Quotation #01521.exe'
                  Imagebase:0xf10000
                  File size:835584 bytes
                  MD5 hash:73619A5F7EAB7A80E0FBBD5C8493C9B4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000000.00000002.313804349.0000000004D79000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000000.00000002.313606727.0000000004CAE000.00000004.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:08:37:56
                  Start date:05/01/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'
                  Imagebase:0xbd0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:08:37:56
                  Start date:05/01/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6b2800000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:08:37:56
                  Start date:05/01/2021
                  Path:C:\Windows\SysWOW64\reg.exe
                  Wow64 process (32bit):true
                  Commandline:REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'
                  Imagebase:0x1200000
                  File size:59392 bytes
                  MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:08:38:43
                  Start date:05/01/2021
                  Path:C:\Users\user\word.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\word.exe'
                  Imagebase:0xfc0000
                  File size:835584 bytes
                  MD5 hash:73619A5F7EAB7A80E0FBBD5C8493C9B4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 15%, ReversingLabs
                  Reputation:low

                  General

                  Start time:08:39:19
                  Start date:05/01/2021
                  Path:C:\Users\user\word.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\word.exe
                  Imagebase:0x610000
                  File size:835584 bytes
                  MD5 hash:73619A5F7EAB7A80E0FBBD5C8493C9B4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:low
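The process list above records two things worth detecting generically: the persistence step (cmd.exe /c REG ADD ... CurrentVersion\Run /v word /d C:\Users\user\word.exe, executed by reg.exe) and the sample itself (MD5 73619A5F7EAB7A80E0FBBD5C8493C9B4) starting again from C:\Users\user\word.exe, a copy dropped straight into the profile root, which fits the CopyFileExW call in the Code Analysis section further down. The script below is an added example, not part of the Joe Sandbox report: it runs both detections over process-creation events. SAMPLE_EVENTS is transcribed from the five process entries above; the three-field event layout is a constructed minimal schema, not Joe Sandbox's or Sysmon's, and Joe Sandbox's rendering of command-line quotes as single quotes is kept as shown.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the five processes from the System Behavior section above,
# transcribed as minimal process-creation events (image, command line, image MD5).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "08:37:53", "image": r"C:\Users\user\Desktop\Quotation #01521.exe",
     "cmdline": r"'C:\Users\user\Desktop\Quotation #01521.exe'",
     "md5": "73619A5F7EAB7A80E0FBBD5C8493C9B4"},
    {"time": "08:37:56", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'"
                r" /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'",
     "md5": "F3BDBE3BB6F734E357235F4D5898582D"},
    {"time": "08:37:56", "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'"
                r" /f /v 'word' /t REG_SZ /d 'C:\Users\user\word.exe'",
     "md5": "CEE2A7E57DF2A159A065A34913A055C2"},
    {"time": "08:38:43", "image": r"C:\Users\user\word.exe",
     "cmdline": r"'C:\Users\user\word.exe'",
     "md5": "73619A5F7EAB7A80E0FBBD5C8493C9B4"},
    {"time": "08:39:19", "image": r"C:\Users\user\word.exe",
     "cmdline": r"C:\Users\user\word.exe",
     "md5": "73619A5F7EAB7A80E0FBBD5C8493C9B4"},
]

# reg.exe (or a cmd.exe wrapper around it) writing a Run / RunOnce value.
RUN_KEY_RE = re.compile(
    r"""reg(?:\.exe)?\s+add\s+['"]?(?P<key>(?:HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)"""
    r"""\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?)['"]?""",
    re.IGNORECASE)
VALUE_RE = re.compile(r"""/v\s+['"]?(?P<name>[^'"\s]+)""", re.IGNORECASE)
DATA_RE = re.compile(r"""/d\s+(?:['"](?P<quoted>[^'"]+)['"]|(?P<bare>\S+))""", re.IGNORECASE)
# An executable directly in a profile root (C:\Users\<name>\x.exe), not in a
# subfolder; legitimate installers practically never register autostarts there.
USER_ROOT_EXE_RE = re.compile(r"[a-z]:\\users\\[^\\]+\\[^\\]+\.exe", re.IGNORECASE)


def run_key_persistence(event: Dict[str, str]) -> Optional[dict]:
    """Return a finding if this process adds a Run/RunOnce value, else None."""
    m = RUN_KEY_RE.search(event["cmdline"])
    if not m:
        return None
    v = VALUE_RE.search(event["cmdline"])
    d = DATA_RE.search(event["cmdline"])
    data = (d.group("quoted") or d.group("bare")) if d else ""
    return {"type": "run_key", "process": event["image"], "key": m.group("key"),
            "value": v.group("name") if v else "", "data": data,
            "user_root_exe": bool(USER_ROOT_EXE_RE.fullmatch(data))}


def relaunched_from_new_path(events: List[Dict[str, str]]) -> List[dict]:
    """Flag the first time a binary (by image hash) starts from a path other than the
    one it was first seen at: the copy-then-relaunch pattern in the process list."""
    paths_by_hash: Dict[str, List[str]] = {}
    findings = []
    for ev in events:
        h, path = ev["md5"].lower(), ev["image"].lower()
        seen = paths_by_hash.setdefault(h, [])
        if seen and path not in seen:
            findings.append({"type": "self_copy", "original": seen[0],
                             "copy": ev["image"], "md5": h})
        if path not in seen:
            seen.append(path)
    return findings


def analyse(events: List[Dict[str, str]]) -> Dict[str, list]:
    """Run both detections and return the findings grouped by type."""
    run_keys = [f for f in (run_key_persistence(e) for e in events) if f]
    return {"run_key": run_keys, "self_copy": relaunched_from_new_path(events)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_EVENTS).items():
        for finding in items:
            print(kind, finding)
```

Both the cmd.exe wrapper and the reg.exe child produce a run_key finding, which is intentional: the wrapper carries the parent attribution and the child is what actually touches the registry, and a pipeline that only sees one of the two still fires. The self_copy check needs a per-process image hash in the event source; without one, fall back on comparing OriginalFilename from the version resource, which for this sample would be mkl.exe under both paths.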

                  Disassembly

                  Code Analysis


                    Executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: ($<$ntin$ntin
                    • API String ID: 0-2884023141
                    • Opcode ID: 70d4590bf846b5b624f587cd6ca227875b6f4b23536b6c7145e8c4070b8ae12e
                    • Instruction ID: 06559c751e020d05df1db160200319e4f0f96059544e942710c54b12a30650e1
                    • Opcode Fuzzy Hash: 70d4590bf846b5b624f587cd6ca227875b6f4b23536b6c7145e8c4070b8ae12e
                    • Instruction Fuzzy Hash: D9A2E274E00229CFDB15CF99C981ADDBBF2BF89314F2481A9D508AB255D730AE81CF65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: <$ntin$ntin
                    • API String ID: 0-1029651476
                    • Opcode ID: 2a7b7e4eef907a3e76f28cfc8a912e0b54cc6ee8ca2dec7cc167fa7331c6cdc3
                    • Instruction ID: fe3b13f0f408d354e57feb15a96b412d336cb94b5e6304364d33894943a9ce78
                    • Opcode Fuzzy Hash: 2a7b7e4eef907a3e76f28cfc8a912e0b54cc6ee8ca2dec7cc167fa7331c6cdc3
                    • Instruction Fuzzy Hash: E7E1B7B5E046198FDB18CFAAC985ADEBBF2BF89300F14C1A9D508AB354D7345A81CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: <$@
                    • API String ID: 0-1426351568
                    • Opcode ID: 377ac942ef759d9ecf2aa2969cba6d03abfe53216099fc6ac2d83b7e6e414b0a
                    • Instruction ID: c9caf2e63746c2b2096a5eda2d7a4f06669d41dd2b4afcd67f1171649c417e58
                    • Opcode Fuzzy Hash: 377ac942ef759d9ecf2aa2969cba6d03abfe53216099fc6ac2d83b7e6e414b0a
                    • Instruction Fuzzy Hash: 74629E74A00229CFDB64CFA9C984A9DFBF2BF48715F59C1A9D408AB621D7309E81CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: {Nwl^
                    • API String ID: 0-2924941083
                    • Opcode ID: c0d1a79ceb1d74820cf8135c670125a04b288b96b1d243774939194f237193f9
                    • Instruction ID: c95bb85ee41a944acd12abc0333801483c1818cad1269d572d2f04175d40212b
                    • Opcode Fuzzy Hash: c0d1a79ceb1d74820cf8135c670125a04b288b96b1d243774939194f237193f9
                    • Instruction Fuzzy Hash: 9032E178901228CFDB69DF65D8547ACBBB2FF4A305F1084A9D50AA7390DB359E82CF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2eab3f3a5e52adee802987eb683552cc4343d7f16f7e8f46da753213d1f750a9
                    • Instruction ID: 67becfeed2f5434ab601d3bd6482ea28181ef4aa678ed65d3d5f6a0fb0b812e7
                    • Opcode Fuzzy Hash: 2eab3f3a5e52adee802987eb683552cc4343d7f16f7e8f46da753213d1f750a9
                    • Instruction Fuzzy Hash: 24825C74A00219DFCF16CF68C984AAABBF2FF89314F158559E405DB2A6D730EE91CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1c49bf655ffc5f7772cca2f557f8ea1eef8006c736934ca5a658327382d4bb92
                    • Instruction ID: 4a7346d2a14106e1ac9af7e3303de34792c11d03a795f844aefc56b9f10e34b8
                    • Opcode Fuzzy Hash: 1c49bf655ffc5f7772cca2f557f8ea1eef8006c736934ca5a658327382d4bb92
                    • Instruction Fuzzy Hash: F6426578E01229CFDB64CF99C984B9DBBB2FF48311F5481A9D809A7355D731AA81CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 983e42697efd4a4519ee08890782eb679ee0df0f636fcf07d0eed4e272b04cad
                    • Instruction ID: c63bd39718ea256d3791b149fd4f57112053f3e860307dd6b36db96ac0c4824d
                    • Opcode Fuzzy Hash: 983e42697efd4a4519ee08890782eb679ee0df0f636fcf07d0eed4e272b04cad
                    • Instruction Fuzzy Hash: 73127D70B002199FDB15DFA8C844AAEBBF6BF88304F148529E906DB755DB34DD82CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2e7b85ec0c012bcada288aaacdd9ced4091ce8afcc6da7d663b38c6042e10079
                    • Instruction ID: 6941d8f4948c504e4d7d3eaa2e285d59bfd57205c1073aac9b9572b5745fba6b
                    • Opcode Fuzzy Hash: 2e7b85ec0c012bcada288aaacdd9ced4091ce8afcc6da7d663b38c6042e10079
                    • Instruction Fuzzy Hash: B332E174901229CFDB54DFA9C984A8DFBB2BF48715F59C599C408AB621CB30DE81CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eefa2b6837a3f63f3dab090021841a2d8c78146868935d36fd58e4be25381ca1
                    • Instruction ID: 3981ff9bdb6c07e3ba1a4d3ba6e8f81e7e065e433da282a97715e7a6cd9b30d0
                    • Opcode Fuzzy Hash: eefa2b6837a3f63f3dab090021841a2d8c78146868935d36fd58e4be25381ca1
                    • Instruction Fuzzy Hash: 18124E30A00129DFDB16CFA8D984AADBBF6FF88304F158569E515EB261D731DE81CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b4d30c8d0270caa55716c5a6b7fedbd8609d4f76bc4f4186a2a4454a4fafb850
                    • Instruction ID: 35bc329732b6de1cb20026cda45a7a60964ba1a3910309cd308c100c4e7724cf
                    • Opcode Fuzzy Hash: b4d30c8d0270caa55716c5a6b7fedbd8609d4f76bc4f4186a2a4454a4fafb850
                    • Instruction Fuzzy Hash: 32D1DF74E00228CFDB64DFA9D984B9DBBB2BF88304F1085AAD509AB255DB305E85CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 279ea1d08dffcebc1e0e62863fd2736467a8d4ecc84e3d16709d39bb06055839
                    • Instruction ID: 18ddade3de729745ea00fee47cfc014689ee784b2d494a310b236a527b2c9863
                    • Opcode Fuzzy Hash: 279ea1d08dffcebc1e0e62863fd2736467a8d4ecc84e3d16709d39bb06055839
                    • Instruction Fuzzy Hash: 7BA1E074E00628CFDB54EFA9D984B9DBBF2FF88304F1084AAD459AB254DB305A85CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2a429822aa1ed46e8ac4130b5f4edf3ce5fb6067b0182e1c920b41c136f62812
                    • Instruction ID: 9c3439473b619d807a8ceed5464a83e6b3992e3a41deee04e74d70f1fdd4c8d3
                    • Opcode Fuzzy Hash: 2a429822aa1ed46e8ac4130b5f4edf3ce5fb6067b0182e1c920b41c136f62812
                    • Instruction Fuzzy Hash: 7D210375D012288FCB14DFA5D8187EEBBB5FB8A315F00502AD416B7290DB785946CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CopyFileExW.KERNELBASE(?,?,?,?,?,?), ref: 059ED2C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID: CopyFile
                    • String ID:
                    • API String ID: 1304948518-0
                    • Opcode ID: 795340c4e20a77b2180d058bcc95fadb8b906c7ab23cea10412b5e120fa5b251
                    • Instruction ID: 89c88b86c92027391659deea89a3d884eaf680ae9fae7de06ad78edbbbdddb46
                    • Opcode Fuzzy Hash: 795340c4e20a77b2180d058bcc95fadb8b906c7ab23cea10412b5e120fa5b251
                    • Instruction Fuzzy Hash: E7C1DF74E04218DFDB25CFA9C981B9DBBB2BF49304F2481A9E419B7351D734A985CF44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CopyFileExW.KERNELBASE(?,?,?,?,?,?), ref: 059ED2C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID: CopyFile
                    • String ID:
                    • API String ID: 1304948518-0
                    • Opcode ID: 7112be438608a08cccea877bc2e6061f870421649e4e28eeb013f7acdf8c8152
                    • Instruction ID: 266fb39ea35fb12b14072b576384a0ec2a7f2895517c7a01aaf7669c2ba292a5
                    • Opcode Fuzzy Hash: 7112be438608a08cccea877bc2e6061f870421649e4e28eeb013f7acdf8c8152
                    • Instruction Fuzzy Hash: 69B1EE74E04218CFDB25CFA9C981B9EBBB2BF49304F2481A9E819B7351D734A985CF45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CopyFileExW.KERNELBASE(?,?,?,?,?,?), ref: 059ED2C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID: CopyFile
                    • String ID:
                    • API String ID: 1304948518-0
                    • Opcode ID: e6e2b4ed859b145fb06be4d51f8ace6491e27503d06874191971ab7bc82e0ed1
                    • Instruction ID: b0645d52a13ab444ae648661a876634083639cd7dfef48c0e0e9456c37d31563
                    • Opcode Fuzzy Hash: e6e2b4ed859b145fb06be4d51f8ace6491e27503d06874191971ab7bc82e0ed1
                    • Instruction Fuzzy Hash: 78B1FF74E04218CFDB25CFA9C981B9EBBB2BF49304F2481A9E819B7351D734A985CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 0182EDD9
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: bb81560710c4126d63c7a65b42e4845468461163f942b9710ed86162fe80a911
                    • Instruction ID: e5eb32825b9a913fde1549c7158dc300ceddfe6e975f608dcfadaf485ddc4970
                    • Opcode Fuzzy Hash: bb81560710c4126d63c7a65b42e4845468461163f942b9710ed86162fe80a911
                    • Instruction Fuzzy Hash: 44518970C093998FDB02CFA8D8556DEBFF4EF46314F05809AD445EB262D734694ACB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0182AA2F
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: f3deeac65e78af23624c647f36bb6f53b795998104ad3ebd0c3aed3d7db4ffa3
                    • Instruction ID: 623c4813ef397ac052902b49d1c4c458ec95fa3b2da4bc23ac9f07f151853334
                    • Opcode Fuzzy Hash: f3deeac65e78af23624c647f36bb6f53b795998104ad3ebd0c3aed3d7db4ffa3
                    • Instruction Fuzzy Hash: BB3188B9D042589FCF14CFA9E984AEEFBB0AF59310F14902AE815B7210D774AA45CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0182E727
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 78bee2288d1473dae10160a444d0cd57db087a299fb10dc407e319a692ca56f4
                    • Instruction ID: fa0eca72a552b820912b59e5cadbb5d56aad2aa5569cf89452a4c50fcbb542bd
                    • Opcode Fuzzy Hash: 78bee2288d1473dae10160a444d0cd57db087a299fb10dc407e319a692ca56f4
                    • Instruction Fuzzy Hash: AC31A9B9D042189FCF10CFA9D884ADEFBF0AB19310F14902AE814B7210D734AA45CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 0182EDD9
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: 4ee993417014f9f171a052beaf2d9010185a0e8965f096eaf619939bbfa43e68
                    • Instruction ID: fbaae23a3955b534290899d2904ccb8b44d156b4ba30338262503b7074e7839a
                    • Opcode Fuzzy Hash: 4ee993417014f9f171a052beaf2d9010185a0e8965f096eaf619939bbfa43e68
                    • Instruction Fuzzy Hash: C6310FB8D05228CFDF11CFA9E444BEDFBF5AB49304F14906AE418B7250D734AA86CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0182AA2F
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: a4ca45513d917321f156c75c89e6e9057cb433a7f1d312842fe8ccf2b868b1cb
                    • Instruction ID: 9472edd6816f5199a1c4b668c6c6b3b00918a3789c376d516065ee6dc074c966
                    • Opcode Fuzzy Hash: a4ca45513d917321f156c75c89e6e9057cb433a7f1d312842fe8ccf2b868b1cb
                    • Instruction Fuzzy Hash: D43197B9D042589FCF14CFA9E984ADEFBB0AF19310F14902AE815B7210D774AA85CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0182E727
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 85b44854bb20fba4e8986c9b5f681aa80ec3e653e5bf89577bd3db0bb261973d
                    • Instruction ID: 8193b9a4013010dd9d5d011d72627c0f75f0eddc40a636664d6498755d94d8f5
                    • Opcode Fuzzy Hash: 85b44854bb20fba4e8986c9b5f681aa80ec3e653e5bf89577bd3db0bb261973d
                    • Instruction Fuzzy Hash: 0F3199B9D042589FCF10CFA9E984ADEFBF4BB19310F14902AE814B7210D774AA45CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 0182EDD9
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: a030825eb08ca3a7a7349df8ddd6479c321077c956e89aeba5c67be44f351532
                    • Instruction ID: db1fd189819fd24e416fd89312ffb27eae8c772ee489dd8db0998de4f61ee406
                    • Opcode Fuzzy Hash: a030825eb08ca3a7a7349df8ddd6479c321077c956e89aeba5c67be44f351532
                    • Instruction Fuzzy Hash: CF311274D0021ADFDB40EFA8E4546EDBBF0FB58304F00896AD515BB250DB396E46CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 0182EDD9
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: 87c3fc0744d91942524d23f80d7625966bdc0a06c77c6d4834686532117a93a5
                    • Instruction ID: d46a05a16b5457681cf6013492a7213cf40c26b87e6150c6a58b8f98504dc804
                    • Opcode Fuzzy Hash: 87c3fc0744d91942524d23f80d7625966bdc0a06c77c6d4834686532117a93a5
                    • Instruction Fuzzy Hash: A831B9B4D05228DFCB10CFA9D884AEEFBF5AB49314F14806AE404B7350D774AA85CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 0182EDD9
                    Memory Dump Source
                    • Source File: 00000000.00000002.312745225.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: fe04511b01cb1e6552de1c310a4f410863237ce2a3673bed9f07b90a71ec26a3
                    • Instruction ID: 8f96e88354349a00a667a8c0450ec3da18df83ca2694c11d433b248d142ad7a3
                    • Opcode Fuzzy Hash: fe04511b01cb1e6552de1c310a4f410863237ce2a3673bed9f07b90a71ec26a3
                    • Instruction Fuzzy Hash: 9431B9B4D01269CFDB10CFA9D584AEDFBF1BB49314F14906AE414B7250D734AA86CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 27f0cb4d063e0526718dc9f908158494de102465d0c6a356ed33edeea962045a
                    • Instruction ID: ab6f142e999c228857c280a3d31718b32cc1a4cdce7bfb94dfa36d32a4d81ee5
                    • Opcode Fuzzy Hash: 27f0cb4d063e0526718dc9f908158494de102465d0c6a356ed33edeea962045a
                    • Instruction Fuzzy Hash: 77B1C730708216CBDB365A65840D73A76ABBFC0651F54CC2DD897CA694DFB9C842CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 25a565d0f5c8a5344fc6e4950a91e0e2c2cb289aa45bfbf5abde0b087e3bcc57
                    • Instruction ID: 59bde1a265feb30b238382d02f3d2947f018b1208a2a5248e8bfed5f77159ea5
                    • Opcode Fuzzy Hash: 25a565d0f5c8a5344fc6e4950a91e0e2c2cb289aa45bfbf5abde0b087e3bcc57
                    • Instruction Fuzzy Hash: 8BD1E2B8D05218CFDB24CFA5D994BADBBF2FB89300F10816AD819A7344DB345A46CF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9a63eeb06267566e23c75b82a13c8b8251e0918270edd97397185699bdc41d49
                    • Instruction ID: eb3f34784cad5496ab20182a8aa0a2519c9613ceda356ac7aab9b71361e7c1bc
                    • Opcode Fuzzy Hash: 9a63eeb06267566e23c75b82a13c8b8251e0918270edd97397185699bdc41d49
                    • Instruction Fuzzy Hash: 85D1D2B8D01218CFDB24CFA5D9987ADBBF2FB89304F10816AD819A7354DB345A86CF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 43f50a1ce4f5734a88a2e3e96b2185a30e19ca37fd2ef2acd2058866c50f5dad
                    • Instruction ID: 6888bf2b26a6265e8d1f5e03384e26e52edfcea21ea47c60aa731ec9488a592d
                    • Opcode Fuzzy Hash: 43f50a1ce4f5734a88a2e3e96b2185a30e19ca37fd2ef2acd2058866c50f5dad
                    • Instruction Fuzzy Hash: 69B14770E002089FCB15DFA9D894A9EBBF5FF89314F24852DE409AB360DB31A985CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 636bff86c6b4a8e7509eee9afaee913dba9b60d01c63e97478c35e396974dc43
                    • Instruction ID: 876ed4cfd51c285f41b14d7a8b03793d5116f254782b46534a7174fb025dedf9
                    • Opcode Fuzzy Hash: 636bff86c6b4a8e7509eee9afaee913dba9b60d01c63e97478c35e396974dc43
                    • Instruction Fuzzy Hash: B4D10931C2074ADACB00EB64D958A99B3B5FF99300F619B9AD5493B210EF706EC5CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: baddb682fa10a86e2e512a75470a04ff91c6a805717263deeeb8bb08be626fe0
                    • Instruction ID: d4dca35697faf7befea09783b3a93ece5e04c254e829e3428a405f96e2a9f876
                    • Opcode Fuzzy Hash: baddb682fa10a86e2e512a75470a04ff91c6a805717263deeeb8bb08be626fe0
                    • Instruction Fuzzy Hash: 85D1F931C2074ADACB00EB64D954A9DB3B5FF99300F619B9AD5493B210EF706EC5CB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 23dae854a95e67d7f09d2742f84b4bf8d82a6e60303142ab1567a92612e09970
                    • Instruction ID: af253f16ad5cede1768fdc69966c7e1f6262089eaae69e7229e006e84b4d7f80
                    • Opcode Fuzzy Hash: 23dae854a95e67d7f09d2742f84b4bf8d82a6e60303142ab1567a92612e09970
                    • Instruction Fuzzy Hash: 07B1C374E002188FDB14DFAAC844ADDBBB2BF89314F24C5AAD409BB355EB319985CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3f94a10dab8a8e103b381996a3e0ad94764ebf05cd1b960339e97e2747bbff0b
                    • Instruction ID: 62fb7541a539b184c9e2e60f4971e7006e837a18a7191753d3596347d3cda853
                    • Opcode Fuzzy Hash: 3f94a10dab8a8e103b381996a3e0ad94764ebf05cd1b960339e97e2747bbff0b
                    • Instruction Fuzzy Hash: BE510174D05218DFDB19CFA5C5887EDBBB2BF89304F249029E406AB394CB799986CF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9df1009d7f67fa748a64a732e30b935eb9a04aa56fdb8159b84bc98861e19261
                    • Instruction ID: 6179315259ec914d4a0d5f534877421c59bea4681c5ade79ec58ebbdabf86647
                    • Opcode Fuzzy Hash: 9df1009d7f67fa748a64a732e30b935eb9a04aa56fdb8159b84bc98861e19261
                    • Instruction Fuzzy Hash: 9041AAB4D00208DFCB10CFA9D988ADEBBF4BB09304F24952AE415BB350DB31A985CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a1d3f14407ccdd723337ddb6fc3390768e356d0d73384a62be4ad37dda6d37dd
                    • Instruction ID: eca976092dfa8b0329e5df629b6dc4cccc434050f10ed53e2375a2115b708f6b
                    • Opcode Fuzzy Hash: a1d3f14407ccdd723337ddb6fc3390768e356d0d73384a62be4ad37dda6d37dd
                    • Instruction Fuzzy Hash: 1141B8B4D00208DFCB10CFA9D984ADEBBF4BB09304F20942AE819BB350D731A988CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4f81721f878b548894a43fec877333a5209f2c1d8dd3c9fb1d083ef9ab533758
                    • Instruction ID: 7254241d3cf7e65774a5abd1e21363d6e387a2949fabc80e05223591db5a2998
                    • Opcode Fuzzy Hash: 4f81721f878b548894a43fec877333a5209f2c1d8dd3c9fb1d083ef9ab533758
                    • Instruction Fuzzy Hash: ED41A7B0D052089FDF11CFA9C588B9EBBF4BB09304F24902AE409BB350DBB5A949CF55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 44aca26be53cd654f8071fa039a8b82930ffe2ebcf1becab65f2f921cccac8f5
                    • Instruction ID: 469cbd9e25af17c3a366bf955ad020068019d57ed6dd39c710da0020ff8e3e22
                    • Opcode Fuzzy Hash: 44aca26be53cd654f8071fa039a8b82930ffe2ebcf1becab65f2f921cccac8f5
                    • Instruction Fuzzy Hash: CA4198B0D04208DFDF11CFA9C584ADEBBF5BB09304F20942AE419BB250DBB5A949CF55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e846762030d42719d9b29e0a55a71032a40ec000ad115f913923bfb21e000c21
                    • Instruction ID: 2aea733ff0d237c17241717f5d4e06926d5cf94ce136e4292d5fe44dfd5311cc
                    • Opcode Fuzzy Hash: e846762030d42719d9b29e0a55a71032a40ec000ad115f913923bfb21e000c21
                    • Instruction Fuzzy Hash: 2D318D75E006188FDB18CFAAD8446DDFBF6BF89304F14C16AD818AB265EB745946CF00
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3bac53420bc21183dd16c992ccac6eedac39509d08ba02dd2a29da5c9e095787
                    • Instruction ID: 7cec993b8112ee4c2a24fea391685b6111cb805a5aaf46a98f0b250bb3a8367d
                    • Opcode Fuzzy Hash: 3bac53420bc21183dd16c992ccac6eedac39509d08ba02dd2a29da5c9e095787
                    • Instruction Fuzzy Hash: 22318FB8D05208EFCB15CFA9D585AAEBBF1BB89350F249129E818B7350D3349941CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1f7ef9be11dd4690ec3482e07bbafa2177351c81ca822d1175b2aa5bc1f8e925
                    • Instruction ID: 710f49a132e7b3ea40694bb7e4306a4f924387c33dd9da5bfdbc19d7bdb3c3cd
                    • Opcode Fuzzy Hash: 1f7ef9be11dd4690ec3482e07bbafa2177351c81ca822d1175b2aa5bc1f8e925
                    • Instruction Fuzzy Hash: AB315DB8D05208EFCB15CFA9D484AADBBF6BB89310F249129E818B7350D7349941CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1ff7789318906075dffc02783b854990f7926b3bc2d827c1498905bf796cd184
                    • Instruction ID: c05bdc3a9fca2bbd61a609ae21452693fb4c5becffa1084af38659f77167ac37
                    • Opcode Fuzzy Hash: 1ff7789318906075dffc02783b854990f7926b3bc2d827c1498905bf796cd184
                    • Instruction Fuzzy Hash: 1A217EB8D04209AFDB15CFAAC4846EDBBB1BB4A310F24E52AE825B7350D7349945CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 96a0aeb349878b469fa0c6f1ce09d817c91cbd9b7feb4513f3f63ac430d76e66
                    • Instruction ID: 4aa633378a74a0361ea758c4fcecea5a189b333bb36992e63014926a77a591e2
                    • Opcode Fuzzy Hash: 96a0aeb349878b469fa0c6f1ce09d817c91cbd9b7feb4513f3f63ac430d76e66
                    • Instruction Fuzzy Hash: 37215EB8D04208AFDF15CFAAD4446EDBBF1BB89310F10E12AE825B7250D7349945CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ad81c895a13ffaa245025ccbad9465219ce1955a93659e1d579b0645b8f7db79
                    • Instruction ID: 35184627fab14b91b449599059ecdb9e476397464dd6a2bcb939ec366b40e564
                    • Opcode Fuzzy Hash: ad81c895a13ffaa245025ccbad9465219ce1955a93659e1d579b0645b8f7db79
                    • Instruction Fuzzy Hash: 3301AFB5D0520C9F8F14DFAAD9419EEFFF2AB5A310F14A16AE805B7310E23189018F68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.315580509.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
                    • Instruction ID: 8b0b3318f65b91527aae45f6ae3d75461ae3c55a0ceaac79d94288327e9de6e9
                    • Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
                    • Instruction Fuzzy Hash: 6FF092B8D0520C9F8F04CFA9D4408EEFBF2AB99310F10A12AE804B3310E7319901CFA8
                    Uniqueness

                    Uniqueness Score: -1.00%