Play interactive tour

Edit tour

Analysis Report AdministratorDownloadsBL,.rar.exe

Overview

General Information

Sample Name:	AdministratorDownloadsBL,.rar.exe
Analysis ID:	326336
MD5:	6fc0b6bc27b1d5c59a1500e2aea68722
SHA1:	837917dd7748ae07bd17357fa61045a75d30358e
SHA256:	14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

AdministratorDownloadsBL,.rar.exe (PID: 5528 cmdline: 'C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe' MD5: 6FC0B6BC27B1D5C59A1500E2AEA68722)

RegSvcs.exe (PID: 5576 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

RegSvcs.exe (PID: 4576 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

RegSvcs.exe (PID: 1288 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

RegSvcs.exe (PID: 5344 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

BAVLA.exe (PID: 6188 cmdline: 'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

BAVLA.exe (PID: 6708 cmdline: 'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AdministratorDownloadsBL,.rar.exe PID: 5528	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5344	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4576	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4576	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: 4.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 4x nop then jmp 04EEFAD7h		0_2_04EEED62
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4x nop then jmp 053FB92Dh		2_2_053FABAA

Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikip
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: http://tutZNp.com
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegSvcs.exe, 00000002.00000003.225003835.00000000056F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: RegSvcs.exe, 00000002.00000003.224943085.00000000056F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comaU
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RegSvcs.exe, 00000002.00000003.225003835.00000000056F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comm
Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RegSvcs.exe, 00000002.00000003.238534926.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers&
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegSvcs.exe, 00000002.00000003.231777787.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegSvcs.exe, 00000002.00000003.231777787.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlm
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RegSvcs.exe, 00000002.00000003.231031344.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlZ
Source: RegSvcs.exe, 00000002.00000003.229654249.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/m
Source: RegSvcs.exe, 00000002.00000003.232215331.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers3
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegSvcs.exe, 00000002.00000003.230237068.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegSvcs.exe, 00000002.00000003.231031344.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersJ
Source: RegSvcs.exe, 00000002.00000003.230643834.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: RegSvcs.exe, 00000002.00000003.232184269.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersn
Source: RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerst
Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTF
Source: RegSvcs.exe, 00000002.00000003.232045464.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comC
Source: RegSvcs.exe, 00000002.00000003.232045464.00000000056FA000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.232124276.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFZ
Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: RegSvcs.exe, 00000002.00000003.229654249.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsd
Source: RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomF
Source: RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: RegSvcs.exe, 00000002.00000003.230237068.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdik
Source: RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comk
Source: RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comldco
Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comlicd
Source: RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comtoFC
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: RegSvcs.exe, 00000002.00000003.224412585.00000000056F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn//wr
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegSvcs.exe, 00000002.00000003.224464538.00000000056F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/g
Source: RegSvcs.exe, 00000002.00000003.224272132.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnM
Source: RegSvcs.exe, 00000002.00000003.224272132.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnm
Source: RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnp
Source: RegSvcs.exe, 00000002.00000003.224339200.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnu-h
Source: RegSvcs.exe, 00000002.00000003.224339200.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c~
Source: RegSvcs.exe, 00000002.00000003.233692685.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegSvcs.exe, 00000002.00000003.233643496.0000000005717000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegSvcs.exe, 00000002.00000003.224135139.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kg
Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krd
Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.227739333.00000000056F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegSvcs.exe, 00000002.00000003.226821822.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/1
Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: RegSvcs.exe, 00000002.00000003.227230930.00000000056F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: RegSvcs.exe, 00000002.00000003.227230930.00000000056F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
Source: RegSvcs.exe, 00000002.00000003.227835031.00000000056F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/k
Source: RegSvcs.exe, 00000002.00000003.226821822.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: RegSvcs.exe, 00000002.00000003.228913339.00000000056FA000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.236140389.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: RegSvcs.exe, 00000002.00000003.233692685.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.9
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krE
Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krn-uW
Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krtml/des
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: RegSvcs.exe, 00000002.00000003.232281215.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: RegSvcs.exe, 00000002.00000003.229465784.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deC
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RegSvcs.exe, 00000002.00000003.232281215.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deFg
Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.dees
Source: RegSvcs.exe, 00000002.00000003.229529136.00000000056FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.dewa
Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000002.00000003.224887338.00000000056F7000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.9
Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: RegSvcs.exe, 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: RegSvcs.exe, 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.223172635.0000000000DDB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 4.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b74A22274u002d68DAu002d4F27u002dB1CFu002d7A1A8B1D0E40u007d/u00379CD1FB3u002dCD92u002d48EBu002d87CDu002dF8EBA390CFF8.cs

Large array initialization: .cctor: array initializer size 11783

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_018CB0BA NtQuerySystemInformation,		4_2_018CB0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_018CB089 NtQuerySystemInformation,		4_2_018CB089

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EE4C54	0_2_04EE4C54
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EEE055	0_2_04EEE055
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EE6C04	0_2_04EE6C04
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EE57F8	0_2_04EE57F8
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EEED62	0_2_04EEED62
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EE3B30	0_2_04EE3B30
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EEE0CD	0_2_04EEE0CD
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EEE540	0_2_04EEE540
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EE0100	0_2_04EE0100
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EE0110	0_2_04EE0110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 2_2_053F1739	2_2_053F1739
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 2_2_053F9F72	2_2_053F9F72
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 2_2_053FABAA	2_2_053FABAA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 2_2_053F4E08	2_2_053F4E08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 2_2_053F2ABC	2_2_053F2ABC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 2_2_053F9FC3	2_2_053F9FC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 2_2_053FA465	2_2_053FA465
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031B4330	4_2_031B4330
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031B6F58	4_2_031B6F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031B8868	4_2_031B8868
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031BE56C	4_2_031BE56C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_066A2FD0	4_2_066A2FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_066A94E8	4_2_066A94E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_066A78CC	4_2_066A78CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_066AC8D8	4_2_066AC8D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_066A9090	4_2_066A9090

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698

Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.228681130.0000000004F60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs AdministratorDownloadsBL,.rar.exe
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.226395396.0000000003CE8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJL vs AdministratorDownloadsBL,.rar.exe
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.226395396.0000000003CE8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs AdministratorDownloadsBL,.rar.exe
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.228856590.0000000004FC0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMARCUS.dll4 vs AdministratorDownloadsBL,.rar.exe
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.223172635.0000000000DDB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs AdministratorDownloadsBL,.rar.exe
Source: AdministratorDownloadsBL,.rar.exe	Binary or memory string: OriginalFilenameL vs AdministratorDownloadsBL,.rar.exe

Source: AdministratorDownloadsBL,.rar.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/6@0/0

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_0101BD36 AdjustTokenPrivileges,	0_2_0101BD36
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_0101BCFF AdjustTokenPrivileges,	0_2_0101BCFF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 2_2_058A066E AdjustTokenPrivileges,	2_2_058A066E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 2_2_058A0637 AdjustTokenPrivileges,	2_2_058A0637
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_018CAF3E AdjustTokenPrivileges,	4_2_018CAF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_018CAF07 AdjustTokenPrivileges,	4_2_018CAF07

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AdministratorDownloadsBL,.rar.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01

Source: AdministratorDownloadsBL,.rar.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe 'C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe 'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe 'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: AdministratorDownloadsBL,.rar.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: AdministratorDownloadsBL,.rar.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: AdministratorDownloadsBL,.rar.exe

Static file information: File size 1313280 > 1048576

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: AdministratorDownloadsBL,.rar.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x140000

Source: AdministratorDownloadsBL,.rar.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: AdministratorDownloadsBL,.rar.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: BAVLA.exe, 00000012.00000002.297196626.00000000057C0000.00000002.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: BAVLA.exe, BAVLA.exe.4.dr
Source:	Binary string: mscorrc.pdb source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.228681130.0000000004F60000.00000002.00000001.sdmp, RegSvcs.exe, 00000002.00000002.256577924.0000000008660000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.496290423.0000000006640000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: AdministratorDownloadsBL,.rar.exe, Home.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.AdministratorDownloadsBL,.rar.exe.5e0000.0.unpack, Home.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.AdministratorDownloadsBL,.rar.exe.5e0000.0.unpack, Home.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.RegSvcs.exe.400000.0.unpack, SimpleTextEditor/LoginForm.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xA5B411DA [Mon Feb 4 09:48:10 2058 UTC]

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Code function: 0_2_04EE8462 push ds; iretd		0_2_04EE8463
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_066A0AD9 push ebp; ret		4_2_066A0AE1

Source: initial sample

Static PE information: section name: .text entropy: 7.86787399891

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BAVLA			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BAVLA			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: rar.exe

Static PE information: AdministratorDownloadsBL,.rar.exe

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AdministratorDownloadsBL,.rar.exe PID: 5528, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4576, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1AR
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1AR:{
Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1AR
Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1ARV

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe TID: 5524	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe TID: 6112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe TID: 6240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp	Binary or memory string: ar&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1ar
Source: RegSvcs.exe, 00000004.00000002.495614826.0000000005A90000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp	Binary or memory string: vmwareX1arg
Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9ar
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1ar0}
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp	Binary or memory string: QEMUX1ar
Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp	Binary or memory string: VMware\|9ar
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp	Binary or memory string: vmwareX1ar
Source: RegSvcs.exe, 00000004.00000002.495614826.0000000005A90000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1ar
Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp	Binary or memory string: ar#"SOFTWARE\VMware, Inc.\VMware ToolsX1ar
Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp	Binary or memory string: VMware \|9ar
Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1ar
Source: RegSvcs.exe, 00000004.00000002.495614826.0000000005A90000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1ar1
Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp	Binary or memory string: ar&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1arl
Source: RegSvcs.exe, 00000004.00000002.495614826.0000000005A90000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4_2_031B6F58 LdrInitializeThunk,

4_2_031B6F58

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 480000	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 4B6000	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: F7C008	Jump to behavior

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.490818392.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.490818392.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.490818392.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000004.00000002.490818392.0000000001CC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4_2_018CB61E GetUserNameW,

4_2_018CB61E

Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5344, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4576, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5344, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5344, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4576, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Masquerading11	OS Credential Dumping1	Security Software Discovery211	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection312	Virtualization/Sandbox Evasion13	Input Capture1	Virtualization/Sandbox Evasion13	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Archive Collected Data11	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Account Discovery1	Distributed Component Object Model	Data from Local System1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection312	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery114	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing13	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Timestomp1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.sandoll.co.krn-uW	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn//wr	0%	Avira URL Cloud	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.urwpp.deFg	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.fontbureau.comlicd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/1	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.sandoll.co.krtml/des	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/g	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sandoll.co.krE	0%	Avira URL Cloud	safe
http://www.urwpp.dewa	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.fontbureau.comC	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsd	0%	Avira URL Cloud	safe
http://www.goodfont.co.krd	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/U	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.urwpp.dees	0%	Avira URL Cloud	safe
http://www.fontbureau.comdik	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/C	0%	Avira URL Cloud	safe
http://www.carterandcone.comm	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.fontbureau.comcomF	0%	Avira URL Cloud	safe
http://www.fontbureau.comldco	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/k	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/k	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/k	0%	URL Reputation	safe
http://www.monotype.9	0%	Avira URL Cloud	safe
http://www.goodfont.co.kg	0%	Avira URL Cloud	safe
http://www.fontbureau.comI.TTF	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnM	0%	Avira URL Cloud	safe
http://www.fontbureau.comFZ	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnp	0%	Avira URL Cloud	safe
http://www.carterandcone.comaU	0%	Avira URL Cloud	safe
http://www.fontbureau.comB.TTF	0%	Avira URL Cloud	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.sandoll.co.krn-uW	RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn//wr	RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comessed	RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deFg	RegSvcs.exe, 00000002.00000003.232281215.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comlicd	RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/1	RegSvcs.exe, 00000002.00000003.226821822.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	RegSvcs.exe, 00000002.00000003.227230930.00000000056F5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krtml/des	RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/g	RegSvcs.exe, 00000002.00000003.224464538.00000000056F5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krE	RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.dewa	RegSvcs.exe, 00000002.00000003.229529136.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	RegSvcs.exe, 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comC	RegSvcs.exe, 00000002.00000003.232045464.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsd	RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.krd	RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/	RegSvcs.exe, 00000002.00000003.233692685.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/U	RegSvcs.exe, 00000002.00000003.227230930.00000000056F5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.htmlZ	RegSvcs.exe, 00000002.00000003.231031344.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.urwpp.dees	RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comdik	RegSvcs.exe, 00000002.00000003.230237068.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/C	RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comm	RegSvcs.exe, 00000002.00000003.225003835.00000000056F8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/x	RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0/	RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comcomF	RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comldco	RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/k	RegSvcs.exe, 00000002.00000003.226821822.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.monotype.9	RegSvcs.exe, 00000002.00000003.233692685.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kg	RegSvcs.exe, 00000002.00000003.224135139.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comI.TTF	RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnM	RegSvcs.exe, 00000002.00000003.224272132.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersJ	RegSvcs.exe, 00000002.00000003.231031344.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comFZ	RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	RegSvcs.exe, 00000002.00000003.225003835.00000000056F8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersP	RegSvcs.exe, 00000002.00000003.230643834.00000000056FA000.00000004.00000001.sdmp	false		high
https://api.ipify.orgGETMozilla/5.0	RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	RegSvcs.exe, 00000002.00000003.233643496.0000000005717000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnp	RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comaU	RegSvcs.exe, 00000002.00000003.224943085.00000000056F8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnm	RegSvcs.exe, 00000002.00000003.224272132.00000000056FE000.00000004.00000001.sdmp	false		unknown
http://www.fontbureau.comB.TTF	RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcom	RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/k	RegSvcs.exe, 00000002.00000003.227835031.00000000056F5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cno.9	RegSvcs.exe, 00000002.00000003.224887338.00000000056F7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fonts.com	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/U	RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de	RegSvcs.exe, 00000002.00000003.232281215.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersn	RegSvcs.exe, 00000002.00000003.232184269.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/Z	RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designerst	RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlm	RegSvcs.exe, 00000002.00000003.231777787.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comF	RegSvcs.exe, 00000002.00000003.232045464.00000000056FA000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.232124276.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tutZNp.com	RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comion	RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://en.wikip	RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd	RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.c~	RegSvcs.exe, 00000002.00000003.224339200.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.urwpp.deC	RegSvcs.exe, 00000002.00000003.229465784.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers&	RegSvcs.exe, 00000002.00000003.238534926.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comk	RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	RegSvcs.exe, 00000002.00000003.224412585.00000000056F5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	RegSvcs.exe, 00000002.00000003.231777787.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.monotype.	RegSvcs.exe, 00000002.00000003.228913339.00000000056FA000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.236140389.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	RegSvcs.exe, 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp	false		high
http://www.fontbureau.comm	RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.227739333.00000000056F5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.como	RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comalic	RegSvcs.exe, 00000002.00000003.229654249.00000000056FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comtoFC	RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/m	RegSvcs.exe, 00000002.00000003.229654249.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers:	RegSvcs.exe, 00000002.00000003.230237068.00000000056FA000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnu-h	RegSvcs.exe, 00000002.00000003.224339200.00000000056FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	326336
Start date:	03.12.2020
Start time:	10:03:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AdministratorDownloadsBL,.rar.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@13/6@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.6% (good quality ratio 10.9%) Quality average: 43.6% Quality standard deviation: 35.8%
HCA Information:	Successful, ratio: 98% Number of executed functions: 270 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:05:36	API Interceptor	1x Sleep call for process: AdministratorDownloadsBL,.rar.exe modified
10:05:46	API Interceptor	653x Sleep call for process: RegSvcs.exe modified
10:05:52	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BAVLA C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
10:06:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BAVLA C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe	signed_19272.zip(#U007e18 KB) (2).exe	Get hash	malicious	Browse
	TT Swift Copy..,.exe	Get hash	malicious	Browse
	Invoice-.exe	Get hash	malicious	Browse
	Invoice..,.exe	Get hash	malicious	Browse
	Bank Update Info.exe	Get hash	malicious	Browse
	eLPEEvaFgq6CHTS.exe	Get hash	malicious	Browse
	NR.13346.exe	Get hash	malicious	Browse
	Quote 571189.exe	Get hash	malicious	Browse
	WyLE6g2Vrj.exe	Get hash	malicious	Browse
	SKM_C3350191107102300.exe	Get hash	malicious	Browse
	PO#1709 SHI Pdf.exe	Get hash	malicious	Browse
	DHL SHIPPINC DOCUUMEN....exe	Get hash	malicious	Browse
	TT Swift Copy.exe	Get hash	malicious	Browse
	APLUSHPH-DKK, 3X20'DC, ETD 23 oct.exe	Get hash	malicious	Browse
	Parking List.pdf,.exe	Get hash	malicious	Browse
	P.O List.exe	Get hash	malicious	Browse
	P.O List.exe	Get hash	malicious	Browse
	Swift 5893038993.exe	Get hash	malicious	Browse
	TT Swift Copy.pdf (4).exe	Get hash	malicious	Browse
	PO 67961.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AdministratorDownloadsBL,.rar.exe.log Download File
Process:	C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	5.271473536084351
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2u7x5I6Hi0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2I3rOz2T
MD5:	C3EC08CD6BEA8576070D5A52B4B6D7D0
SHA1:	40B95253F98B3CC5953100C0E71DAC7915094A5A
SHA-256:	28B314C3E5651414FD36B2A65B644A2A55F007A34A536BE17514E12CEE5A091B
SHA-512:	5B0E6398A092F08240DC6765425E16DB52F32542FF7250E87403C407E54B3660EF93E0EAD17BA2CEF6B666951ACF66FA0EAD61FB52E80867DDD398E8258DED22
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BAVLA.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	5.271473536084351
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2u7x5I6Hi0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2I3rOz2T
MD5:	C3EC08CD6BEA8576070D5A52B4B6D7D0
SHA1:	40B95253F98B3CC5953100C0E71DAC7915094A5A
SHA-256:	28B314C3E5651414FD36B2A65B644A2A55F007A34A536BE17514E12CEE5A091B
SHA-512:	5B0E6398A092F08240DC6765425E16DB52F32542FF7250E87403C407E54B3660EF93E0EAD17BA2CEF6B666951ACF66FA0EAD61FB52E80867DDD398E8258DED22
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: signed_19272.zip(#U007e18 KB) (2).exe, Detection: malicious, Browse Filename: TT Swift Copy..,.exe, Detection: malicious, Browse Filename: Invoice-.exe, Detection: malicious, Browse Filename: Invoice..,.exe, Detection: malicious, Browse Filename: Bank Update Info.exe, Detection: malicious, Browse Filename: eLPEEvaFgq6CHTS.exe, Detection: malicious, Browse Filename: NR.13346.exe, Detection: malicious, Browse Filename: Quote 571189.exe, Detection: malicious, Browse Filename: WyLE6g2Vrj.exe, Detection: malicious, Browse Filename: SKM_C3350191107102300.exe, Detection: malicious, Browse Filename: PO#1709 SHI Pdf.exe, Detection: malicious, Browse Filename: DHL SHIPPINC DOCUUMEN....exe, Detection: malicious, Browse Filename: TT Swift Copy.exe, Detection: malicious, Browse Filename: APLUSHPH-DKK, 3X20'DC, ETD 23 oct.exe, Detection: malicious, Browse Filename: Parking List.pdf,.exe, Detection: malicious, Browse Filename: P.O List.exe, Detection: malicious, Browse Filename: P.O List.exe, Detection: malicious, Browse Filename: Swift 5893038993.exe, Detection: malicious, Browse Filename: TT Swift Copy.pdf (4).exe, Detection: malicious, Browse Filename: PO 67961.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.864015963131449
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	AdministratorDownloadsBL,.rar.exe
File size:	1313280
MD5:	6fc0b6bc27b1d5c59a1500e2aea68722
SHA1:	837917dd7748ae07bd17357fa61045a75d30358e
SHA256:	14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241
SHA512:	78a408b498ff3030e0c79c045a93ca2f8ef2555da91ed77d76d3c193cd383e8e025290d5b74459e01b01a81300d85634346c18b670bb706272d31dbe30ef3538
SSDEEP:	24576:y4EaCNT+lMnN2/n9mUyGP4mIIDzFXi6cMOiKF+5QFV6ej2Ahp:y4Xc+lCsf9QztIDFi6CiKFbFxCAr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x541fd6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xA5B411DA [Mon Feb 4 09:48:10 2058 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax+00000018h], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax+00h], ch
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
in al, 03h
add byte ptr [eax], al
nop
and byte ptr [eax+eax], dl
push esp
add eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+eax+34h], dl
add byte ptr [eax], al
add byte ptr [esi+00h], dl
push ebx
add byte ptr [edi+00h], bl
push esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x141f84	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x142000	0x5e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x144000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x141f68	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x13ffdc	0x140000	False	0.889221954346	COM executable for DOS	7.86787399891	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x142000	0x5e4	0x600	False	0.4453125	data	4.24730858984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x144000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x142090	0x354	data
RT_MANIFEST	0x1423f4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019 AbbVie Inc.
Assembly Version	5.687.0.0
InternalName	.exe
FileVersion	59.35.0.0
CompanyName	AbbVie Inc.
LegalTrademarks
Comments	Allergan
ProductName	Rasa Motors
ProductVersion	59.35.0.0
FileDescription	Rasa Motors
OriginalFilename	.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: AdministratorDownloadsBL,.rar.exe PID: 5528 Parent PID: 5784

General

Start time:	10:05:36
Start date:	03/12/2020
Path:	C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe'
Imagebase:	0x7ffb73670000
File size:	1313280 bytes
MD5 hash:	6FC0B6BC27B1D5C59A1500E2AEA68722
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5576 Parent PID: 5528

General

Start time:	10:05:37
Start date:	03/12/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x310000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegSvcs.exe PID: 4576 Parent PID: 5528

General

Start time:	10:05:38
Start date:	03/12/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xc20000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: RegSvcs.exe PID: 1288 Parent PID: 4576

General

Start time:	10:05:47
Start date:	03/12/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x170000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5344 Parent PID: 4576

General

Start time:	10:05:47
Start date:	03/12/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xff0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: BAVLA.exe PID: 6188 Parent PID: 3388

General

Start time:	10:06:02
Start date:	03/12/2020
Path:	C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe'
Imagebase:	0x270000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6200 Parent PID: 6188

General

Start time:	10:06:02
Start date:	03/12/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: BAVLA.exe PID: 6708 Parent PID: 3388

General

Start time:	10:06:10
Start date:	03/12/2020
Path:	C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe'
Imagebase:	0xde0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6724 Parent PID: 6708

General

Start time:	10:06:11
Start date:	03/12/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: AdministratorDownloadsBL,.rar.exe PID: 5528 Parent PID: 5784 AdministratorDownloadsBL,.rar.exeCOMMON

Executed Functions

Function 04EEED62, Relevance: 8.3, Strings: 6, Instructions: 785COMMON

Download Yara Rule

Strings

>_?r, xrefs: 04EEEF6C
qrw, xrefs: 04EEF52B
(, xrefs: 04EEF737
w, xrefs: 04EEEEA5
X1ar, xrefs: 04EEF029
r, xrefs: 04EEF2F5

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: ($>_?r$X1ar$qrw$r$w
API String ID: 0-859545403
Opcode ID: a52619200eb631632164d5cde62b3bfe41e466d696effcec16f957cae257ad67
Instruction ID: adf5bfaac473b950c60993224232d41c49ffcdfa21e033dbda0042f9f2a17442
Opcode Fuzzy Hash: a52619200eb631632164d5cde62b3bfe41e466d696effcec16f957cae257ad67
Instruction Fuzzy Hash: CC720070E45229DFDB64DF69C944BEDB7B1AB89304F10A1EA814DA7291EB346EC4DF00

Uniqueness

Uniqueness Score: -1.00%

Function 04EE3B30, Relevance: 5.4, Strings: 4, Instructions: 445COMMON

Download Yara Rule

Strings

:@:r, xrefs: 04EE3EA3
X$ar, xrefs: 04EE423A
:@:r, xrefs: 04EE3BDB
X$ar, xrefs: 04EE422E

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: :@:r$:@:r$X$ar$X$ar
API String ID: 0-3148980575
Opcode ID: 1f68dbb85c97c045ffbffaee60d0f935953ebe131b70b9d391e5519b1626eaea
Instruction ID: 4e22c1c916c5fa1d213e0e722f0190aab1832903a0d33cd22d50d88b530da18b
Opcode Fuzzy Hash: 1f68dbb85c97c045ffbffaee60d0f935953ebe131b70b9d391e5519b1626eaea
Instruction Fuzzy Hash: AF028170A04255CFCB14CFAAD480AFDBBF2EB84300F2595A6E816EB295D734ED42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 04EE57F8, Relevance: 4.2, Strings: 3, Instructions: 500COMMON

Download Yara Rule

Strings

X$ar, xrefs: 04EE5C16
s, xrefs: 04EE5E1B
X$ar, xrefs: 04EE5C0A

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: X$ar$X$ar$s
API String ID: 0-1229250180
Opcode ID: 1bb196499f86eaedcf4ef22646a75259b7fd0200fe89bee5a0693f6f1d5ebb76
Instruction ID: da339ac17f4acf09a36cdeb365b9ef1ced6abf675b232bd18377b825620ad5d0
Opcode Fuzzy Hash: 1bb196499f86eaedcf4ef22646a75259b7fd0200fe89bee5a0693f6f1d5ebb76
Instruction Fuzzy Hash: 34022571A08241EFDB148BA794902FABBF1EB5225CF58A467D0A6CB182D339F847C751

Uniqueness

Uniqueness Score: -1.00%

Function 04EE4C54, Relevance: 3.1, Strings: 2, Instructions: 583COMMON

Download Yara Rule

Strings

|8ar, xrefs: 04EE5158
|8ar, xrefs: 04EE514C

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: |8ar$|8ar
API String ID: 0-815853314
Opcode ID: 738b0af6521ebf3d13330907af5f4c934da56bdc2f1b06d68c7747b0bf46154e
Instruction ID: 84f78b3a5c01978d4429154e4ba71a24456a3334ba94ef1c37daed108279fe07
Opcode Fuzzy Hash: 738b0af6521ebf3d13330907af5f4c934da56bdc2f1b06d68c7747b0bf46154e
Instruction Fuzzy Hash: 5D122870B18245DFEB04DBABC4806FEBBF2EB45348F845567E016DB286D239E942C751

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE055, Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

|, xrefs: 04EEE12B
x, xrefs: 04EEE352

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: x$|
API String ID: 0-234372171
Opcode ID: c4d8063ab24ec48028e510c1bd01b483adb71daf7d0b00eda9ee77efda1d3a73
Instruction ID: 67476c186806bf78b63712cf5e225c77e442e29c961b14ff9d763462ad9edc87
Opcode Fuzzy Hash: c4d8063ab24ec48028e510c1bd01b483adb71daf7d0b00eda9ee77efda1d3a73
Instruction Fuzzy Hash: 8DD14970E05218CFDB24CFAAD4447FDBBB1BB4A309F14A169D009A7295E7786A88DF05

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE0CD, Relevance: 2.8, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

|, xrefs: 04EEE12B
x, xrefs: 04EEE352

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: x$|
API String ID: 0-234372171
Opcode ID: b73bb1123925bbe809820fcbc151b230fa650ecdb06002395586f3a830071c51
Instruction ID: 72f3585bb5fc9ef9e34ef962109a4d137d7896ce3a7fc9828048f8ef9f2c0d17
Opcode Fuzzy Hash: b73bb1123925bbe809820fcbc151b230fa650ecdb06002395586f3a830071c51
Instruction Fuzzy Hash: 2FC15F70D05328CFDB24DFAAD8447FDBBB1BB4A305F14A1A9D049A7295E7385A84CF05

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0100, Relevance: 2.8, Instructions: 2790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19bf8c1217ba3959cf44697581a7fcefac1813328eadf7f74315e45041dbb930
Instruction ID: 350789ec2a56d56042f812b7e2b1fec0dc4500fe4f21f3e94f9e741e16254ed5
Opcode Fuzzy Hash: 19bf8c1217ba3959cf44697581a7fcefac1813328eadf7f74315e45041dbb930
Instruction Fuzzy Hash: DC53D634A41619CFCB25DB24C884FE9B7B2BF89305F5590E9D509AB3A1DB35AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0110, Relevance: 2.8, Instructions: 2785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11099b0d5267737c4af8902e8679cec59b9482ee828958813f61ee89cfe54c09
Instruction ID: 7b7c6ff4ed3eb8ecee251f31a072adb8d174837a1a0495d578b3fbe469c9fa0f
Opcode Fuzzy Hash: 11099b0d5267737c4af8902e8679cec59b9482ee828958813f61ee89cfe54c09
Instruction Fuzzy Hash: F253D534A41619CFCB25DB24C884FE9B7B2BF89305F5590E9D509AB3A1DB35AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE540, Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

|, xrefs: 04EEE12B
x, xrefs: 04EEE352

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: x$|
API String ID: 0-234372171
Opcode ID: 1d6ecd3cadf57053d4fb4e7a63b68b702d18c3d33ff7ee3824026aeea2b5f741
Instruction ID: 2e2d71ff7a92db8d5023ed0eeebeb7ca2b64cbcaf7e06e45d15a242e79a83625
Opcode Fuzzy Hash: 1d6ecd3cadf57053d4fb4e7a63b68b702d18c3d33ff7ee3824026aeea2b5f741
Instruction Fuzzy Hash: 4CB14F70D05328CFDB24DFAAD4447FDBBB1BB4A309F14A1A9D009A7295E7385A84CF05

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6C04, Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

$g^r, xrefs: 04EE6C27

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: e460d0bdebc7ebd42dccc9cb609987efe33e6293d2f90ca1137ca622c9a0e337
Instruction ID: 4c88e63a200d2a2d9ece3455eaecfa8e3a48968d147565e59aba9c696731ee2b
Opcode Fuzzy Hash: e460d0bdebc7ebd42dccc9cb609987efe33e6293d2f90ca1137ca622c9a0e337
Instruction Fuzzy Hash: F922EF74A05228CFDB64CF66C848BEDBBB1BF49304F10A0E9D409A72A1DB756E85DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0101BCFF, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0101BD7F

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5193a3ccac75ab972d2ceab1f9c07c04db2820da091cd3fa74c7213cba2fea1a
Instruction ID: f72d495023dbe3047a9251d9cf63a4ec5b7354916a881bfd1b449eb1414b3392
Opcode Fuzzy Hash: 5193a3ccac75ab972d2ceab1f9c07c04db2820da091cd3fa74c7213cba2fea1a
Instruction Fuzzy Hash: 8621BF75509384AFEB238F25DC40B52BFF4EF06310F0885DAE9848B163E375A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0101BD36, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0101BD7F

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 1d68b8f02da587f42a75b9fe032523f07796d6926f241f300a54a13e510b2309
Instruction ID: c3ea05e2d8fffa372b34c6378af5393195a5f6c0d1971f2c145ddf7b5f409ae3
Opcode Fuzzy Hash: 1d68b8f02da587f42a75b9fe032523f07796d6926f241f300a54a13e510b2309
Instruction Fuzzy Hash: AC11A071500604DFDB21DF69D884B56FFE4EF04320F08C4AAEE858B616E775E418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE834, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

s, xrefs: 04EEE73C
|, xrefs: 04EEE735

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: s$|
API String ID: 0-28169130
Opcode ID: 65523a4f9f8269e111b8c12d7711c8713e2cb56554574951ba682db8c5a37d7f
Instruction ID: 497a15d490bbd0c221b0a23e2855e01b9c6c9264f8ccbd53f7ce59aa174ce8cf
Opcode Fuzzy Hash: 65523a4f9f8269e111b8c12d7711c8713e2cb56554574951ba682db8c5a37d7f
Instruction Fuzzy Hash: 5C51D774E4920ACFDB40CFAAD4805FDBBB8FF1A310F102665D41AAB381E7746941DB44

Uniqueness

Uniqueness Score: -1.00%

Function 0101AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0101ACD1

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 01d3d8e6a62d3b82ae63c2606c6ccb0c9773aabf819ac609729bea2c3acb1625
Instruction ID: a083612714eb37cab0e1d0f60f683dfbedb18df7a2d0b03c2fa54f00e266d7d0
Opcode Fuzzy Hash: 01d3d8e6a62d3b82ae63c2606c6ccb0c9773aabf819ac609729bea2c3acb1625
Instruction Fuzzy Hash: 6B31B4B2544384AFE7228F25CC45F67BFECEF06710F0884ABED819B152D265A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0101AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,80C6B0F0,00000000,00000000,00000000,00000000), ref: 0101ADD4

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bb0a6389050f78d5c6244fdd56ae595097fd640328bd0f779d530069d68398f4
Instruction ID: d17c3fa6c269702919e629b55d581b00de52320ea10c1839e5ad7d422d1e79a0
Opcode Fuzzy Hash: bb0a6389050f78d5c6244fdd56ae595097fd640328bd0f779d530069d68398f4
Instruction Fuzzy Hash: 94319571609784AFE722CF25CC44F93BFF8EF06310F18849AE9859B153D264E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051C00EC, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,80C6B0F0,00000000,00000000,00000000,00000000), ref: 051C0180

Memory Dump Source

Source File: 00000000.00000002.228998638.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: efc03babfbb55aa7a400c2905ff20338e790f7188a34cba1bbea8d70a0d0020f
Instruction ID: e04d09ef3b507427b9285a2aebe9a2d7f754042225a9b1b5295bbf5bf9dc5cd4
Opcode Fuzzy Hash: efc03babfbb55aa7a400c2905ff20338e790f7188a34cba1bbea8d70a0d0020f
Instruction Fuzzy Hash: E821F672509380AFE7128B24DC45FA6BFB8EF47324F0884DBE984DF193C2649905C761

Uniqueness

Uniqueness Score: -1.00%

Function 0101A2AC, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0101A346

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 392e35d28fc0f44363f9935b9d2a9fbcbab66d467e3e4fdba788dd2141335937
Instruction ID: e2b51df26d7fc701b45a245e9221ca4f1927307a54e26667e7f8a9036c7973de
Opcode Fuzzy Hash: 392e35d28fc0f44363f9935b9d2a9fbcbab66d467e3e4fdba788dd2141335937
Instruction Fuzzy Hash: B731827150E3C06FD7138B259C55B62BFB8EF47620F0A40DBE884CB5A3D228A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 0101AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0101ACD1

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 66f35cf89982142d39c580813155e0b66b8d8ff7d6d9c6fac1bae90a83fced4e
Instruction ID: 090c0c4b5be1d61491a390a57ebb2922e5fe1716d2d8f1b8732b0ec02a93bca5
Opcode Fuzzy Hash: 66f35cf89982142d39c580813155e0b66b8d8ff7d6d9c6fac1bae90a83fced4e
Instruction Fuzzy Hash: 8C219F72500604EFE7219F59DC85F6BFBECEF04720F14845AEE859B245D674E5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101BB83, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0101BBFE

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f64e5ee258255e5d6edf47bf6c6630a063c0585319745b3759ba2c15485a5579
Instruction ID: 789e9cf4e0332139ebd1c76b472ef60e8d1064b354e83c91b523dad767fbd0e4
Opcode Fuzzy Hash: f64e5ee258255e5d6edf47bf6c6630a063c0585319745b3759ba2c15485a5579
Instruction Fuzzy Hash: BC2195715093845FD7628F65DC95B92BFF8EF06210F0984DBD985CB263D274D908C761

Uniqueness

Uniqueness Score: -1.00%

Function 0101AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,80C6B0F0,00000000,00000000,00000000,00000000), ref: 0101ADD4

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2d82129ff9e2c90fe591a0db7642e1354a2cc160184fae52cf5fd0e7949ec17b
Instruction ID: 3b51e7a7feff275e4aee6803fd0b8c2d44762529dee07293d51727709f40ef9b
Opcode Fuzzy Hash: 2d82129ff9e2c90fe591a0db7642e1354a2cc160184fae52cf5fd0e7949ec17b
Instruction Fuzzy Hash: 82218E71601644EFE721DF29CC80FA7BBECEF04711F4485AAEE869B255D664E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0101BDCC, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0101BE38

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1ee81c0d0a82bb77d3688a0ff8670c1ba165fc80fc38db66c03b85cf1941a588
Instruction ID: 4e34db5f2991e913e53b754b8403c4e4f70d490116c4c580be33011679564fe8
Opcode Fuzzy Hash: 1ee81c0d0a82bb77d3688a0ff8670c1ba165fc80fc38db66c03b85cf1941a588
Instruction Fuzzy Hash: F5219F725093C09FDB128B25DC94792BFF4AF47324F0984DAED858F263D674A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0101BE81, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,80C6B0F0,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0101BEF2

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 988693d3be9b87786f0bc35f3f6d74d15646d04d3badc60e3afe3ecdcca88a9d
Instruction ID: a3d409ca155458eae0b6f9dbee867df95ecb14d81785673c25caf389cd606876
Opcode Fuzzy Hash: 988693d3be9b87786f0bc35f3f6d74d15646d04d3badc60e3afe3ecdcca88a9d
Instruction Fuzzy Hash: 58215E755093849FD712CF25DC84B92BFF8EF06210F0984EAE985CB163D275A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051C01D9, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051C024C

Memory Dump Source

Source File: 00000000.00000002.228998638.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 27a2c1a8740282610a842824b474444e876beadac3f2a7b5f5c551281f37b5d2
Instruction ID: d176886d931d0b18b9a3a5b64b5cfef7f51ee78050b90a4218cf56d2e82d0dba
Opcode Fuzzy Hash: 27a2c1a8740282610a842824b474444e876beadac3f2a7b5f5c551281f37b5d2
Instruction Fuzzy Hash: DB21AE751097849FDB228F25DC44A66FFB8EF0A210F0880DEED858B262D375A958DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101B3F1, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0101B46D

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 9d18a51cf928eb00b8b2f030e2d9fa352c1e5d2361a82b2473379e58a7b9b34a
Instruction ID: 09f7b7891800ca506184bc6ab8f6bd76663bcb6be6921174dc0370d446a4901c
Opcode Fuzzy Hash: 9d18a51cf928eb00b8b2f030e2d9fa352c1e5d2361a82b2473379e58a7b9b34a
Instruction Fuzzy Hash: 582193B55097849FD7228E15DC44B63BFF8EF06214F0980CAED849B253D375E508C761

Uniqueness

Uniqueness Score: -1.00%

Function 051C032D, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 051C03A1

Memory Dump Source

Source File: 00000000.00000002.228998638.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ef7db547d027e2c345f84372321a8a2e881830e10134f7b348fb9fff7f284e5e
Instruction ID: 32e4c0003364cb4ec2b7617f5bd446672493a3e5cdeb5e1e8049e59bebf74803
Opcode Fuzzy Hash: ef7db547d027e2c345f84372321a8a2e881830e10134f7b348fb9fff7f284e5e
Instruction Fuzzy Hash: 2A216A7140A3C0AFDB238F25CC44A52BFB4EF17210F0985DAE9848B163D265A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 051C012A, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,80C6B0F0,00000000,00000000,00000000,00000000), ref: 051C0180

Memory Dump Source

Source File: 00000000.00000002.228998638.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a23b9319983336a5bde69205a69da34408b6d70f0d5e47e06abf96fed5bb742f
Instruction ID: 499e285687cef204289675fa20143bdcc1aa986b6433e8607878229ebe44307e
Opcode Fuzzy Hash: a23b9319983336a5bde69205a69da34408b6d70f0d5e47e06abf96fed5bb742f
Instruction Fuzzy Hash: A2118C71504204EEEB218F29DC85BAAFF98EF45320F1484ABEE459B241D6B5E8048AA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0101A666

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3fc3280e153e086a4c36e1fcc51481c8ff8a326f7f49fc069d8b5a61a7ebaf68
Instruction ID: 3d30526cc5ab28fdf44885730b7c65f5b945212f492bf9f18add7429666f523a
Opcode Fuzzy Hash: 3fc3280e153e086a4c36e1fcc51481c8ff8a326f7f49fc069d8b5a61a7ebaf68
Instruction Fuzzy Hash: 44117271409780AFDB238F55DC44B62FFF4EF4A210F0889DAEE858B162D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101BA2F, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0101BA94

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f790a53fe943c65044b7ce0133228be1b74e4d79b5bdf153a9f8c65c9ee3fd6a
Instruction ID: 56b3f0e790ea9f63c8764fe0a6b51abe2a45b6550802c1db39f1854fa0d903c9
Opcode Fuzzy Hash: f790a53fe943c65044b7ce0133228be1b74e4d79b5bdf153a9f8c65c9ee3fd6a
Instruction Fuzzy Hash: 6D11E276109780AFDB228F25DC40A52FFF4EF06320F0880DEED858B163D275A558DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101B988, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 0101B9E7

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ba6805c11f54948f8cca5ce0b19a80a6b41d35bf6c6f186736fc99af53730296
Instruction ID: 065ba1723702107156423bf3353e5c67cfb2422b2691cc3efcfbc9e1d9d47604
Opcode Fuzzy Hash: ba6805c11f54948f8cca5ce0b19a80a6b41d35bf6c6f186736fc99af53730296
Instruction Fuzzy Hash: E311B2715083849FD7118F19CC84B52FFE8EF06220F0880DEED458B262D378A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101BBB6, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0101BBFE

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1d4c1fdc455f6871bec1cdcff52c14c1b0044d0b58e20f2419f9380fe4967e7d
Instruction ID: 41512913f05c41e959435d098f77ab1575bd9bb0d459cd9f2bf1737ae70f2cf8
Opcode Fuzzy Hash: 1d4c1fdc455f6871bec1cdcff52c14c1b0044d0b58e20f2419f9380fe4967e7d
Instruction Fuzzy Hash: E2118E716042049FEB60CF2AD885B56FFE8EF04220F08C4AADD49DB65AD7B8E444CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0101AEF0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0101AF50

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cf55fff3308bba89804c92042a553e37c186c99bc9523e52600ffe8a0443b5c3
Instruction ID: 4b59515fd346ac93b7367cd908ce3c42b5fca3716f3640650645395cabb82e4a
Opcode Fuzzy Hash: cf55fff3308bba89804c92042a553e37c186c99bc9523e52600ffe8a0443b5c3
Instruction Fuzzy Hash: 03118C72409784AFDB228F55DC44B52FFF4EF0A220F08849EEE854B262C379A458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101BEB2, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,80C6B0F0,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0101BEF2

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 4b91f5423f956832d82abd885b7a43b2868657ad212883db193f8a5aecf663ab
Instruction ID: fed6d8a99db09abdf9643f0d66fee4ab3a333051eceebe070e31539759b860f2
Opcode Fuzzy Hash: 4b91f5423f956832d82abd885b7a43b2868657ad212883db193f8a5aecf663ab
Instruction Fuzzy Hash: 44115B756002049FDB60CF6AD884B66FFE8EF04320F0884AAEE498B656D775E458CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0101A42A, Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0101A480

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 891c550d6bce36b31000d70518d19cfb7b8432f38b67f17ec99ce92eb6e09120
Instruction ID: 15f1871800592e448210dc1da0faabf9a460436e98395a7b5e409a3c1329d0b1
Opcode Fuzzy Hash: 891c550d6bce36b31000d70518d19cfb7b8432f38b67f17ec99ce92eb6e09120
Instruction Fuzzy Hash: BF01C071549384AFD7228F15DC84B62FFA8EF46320F0880DAED855B253D279A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0101AAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0101AB46

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2904d15d749c0fe9b2a786ca485aa2dd4bdcd328bf2a9b14a5ee0f1506944680
Instruction ID: 1ac74b33b92d777d5ffd04d5dc7cf71643dcf495d347d28f12b5c68b761d1474
Opcode Fuzzy Hash: 2904d15d749c0fe9b2a786ca485aa2dd4bdcd328bf2a9b14a5ee0f1506944680
Instruction Fuzzy Hash: E7117C71509784AFD7228F55DC84B52FFF4EF46220F0884DAED894B263D275A858CB62

Uniqueness

Uniqueness Score: -1.00%

Function 051C0206, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051C024C

Memory Dump Source

Source File: 00000000.00000002.228998638.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a7e6eed935497bb88486faeffb5bc460f2ce06aa1b8c70f679f1855a903922f8
Instruction ID: be93148856b1e5e4e0d1dc5e920a534ead354eebea087b4d13c5979460bf2e2a
Opcode Fuzzy Hash: a7e6eed935497bb88486faeffb5bc460f2ce06aa1b8c70f679f1855a903922f8
Instruction Fuzzy Hash: BB016175500604DFDB20CF55D888B66FFE8EF18720F0880AEED4A8B651D772E458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101B422, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0101B46D

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 4d88708a54ce048d1e656e97f1c1d04b05b5cdef0f3d7232f563a0c6436bc09e
Instruction ID: a577ea44bb507322872bb119a3f55954d94575ad6603fb36a52444ceadc60f8a
Opcode Fuzzy Hash: 4d88708a54ce048d1e656e97f1c1d04b05b5cdef0f3d7232f563a0c6436bc09e
Instruction Fuzzy Hash: 880180715406049FE760CE19D884B26FFE8EF08710F08C09ADD899B216EB79E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0101A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0101A666

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 281143d475c316da0546a7e119861345e08fabc5d5598d1afed21d1304115a2b
Instruction ID: 5a219a02c4dae6838eeb141ff53daf69517a5993b49b7127f08a7398bf50df2d
Opcode Fuzzy Hash: 281143d475c316da0546a7e119861345e08fabc5d5598d1afed21d1304115a2b
Instruction Fuzzy Hash: E701C031500740EFDB228F55D844B16FFE4EF48320F08C9AADE894B616D275A418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0101B9AA, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 0101B9E7

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ef5cca42d4cc9fbe7fc76cc94af97e19397d7ab7567d7ab9ce18f7bc84f2ba3e
Instruction ID: ee55583be6077b7522214027de94fa8608ef048ec14e1d3895bb9494edaa406b
Opcode Fuzzy Hash: ef5cca42d4cc9fbe7fc76cc94af97e19397d7ab7567d7ab9ce18f7bc84f2ba3e
Instruction Fuzzy Hash: D801B1756042049FDB60CF1AD884766FFE4EF04220F08C0AADD458B256D379E448CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101BE06, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0101BE38

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f51d898d88fd68d3dfede7074d919afc32b35b125fd9e987e5a3207a6a655bf0
Instruction ID: 6cc239de6874d5f3112998e56dff9cacafc19f15acd6406a3d6d8f1b5038ac98
Opcode Fuzzy Hash: f51d898d88fd68d3dfede7074d919afc32b35b125fd9e987e5a3207a6a655bf0
Instruction Fuzzy Hash: F201BC71504200DFDB608F29D884756FFE4EF40320F18C0AADE898B216D6B8A808CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0101BA56, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0101BA94

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d1c25a47b755f84de16ea8cfefeb92685174b73a3ad67b7b5fc9462d943b7c9e
Instruction ID: a4a1af8ba1671fefc12a86eb729ea64c110243b9b8281e945403dd9a849ac876
Opcode Fuzzy Hash: d1c25a47b755f84de16ea8cfefeb92685174b73a3ad67b7b5fc9462d943b7c9e
Instruction Fuzzy Hash: 09019E32500600DFDB218F59D884B66FFE4EF04321F08C49EDE894B616D775A458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0101A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0101A346

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4ef99374ba7fd5decc388c3f670242136f0c064647d80af00b5f7d8f4f2498a2
Instruction ID: e0cdc7882c2c580c305460eec737e14ee90f68cc294cd83d48e12f5f887731e0
Opcode Fuzzy Hash: 4ef99374ba7fd5decc388c3f670242136f0c064647d80af00b5f7d8f4f2498a2
Instruction Fuzzy Hash: B301AD72600600ABD210DF16DC82F26FBA8FB88B20F14815AED085B741E331F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0101AF12, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0101AF50

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8863ad0de6a4271fa20c7676747952345ed76d568e7972aca2cf085c960338b6
Instruction ID: 43dbfefa1003f5149b357efd97348b106759614ab0220e01949759a02f510b9b
Opcode Fuzzy Hash: 8863ad0de6a4271fa20c7676747952345ed76d568e7972aca2cf085c960338b6
Instruction Fuzzy Hash: 16018F71500644DFDB218F95D884B66FFE0EF08320F08C49EDE890B666D7B5A458DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 051C0366, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 051C03A1

Memory Dump Source

Source File: 00000000.00000002.228998638.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b07d31a544395a6a8ac2ecd6e5ecbdbc96fbda93fcb919703d0adcc091ebbdcc
Instruction ID: cd3f3d0ab92186321e6f8fb5159bba6ec8cff36fc2d3db2d017f660b00565ca6
Opcode Fuzzy Hash: b07d31a544395a6a8ac2ecd6e5ecbdbc96fbda93fcb919703d0adcc091ebbdcc
Instruction Fuzzy Hash: 8C017C35504644DFDB20CF16D888B2AFFA4EF18320F08959EDE494A612D3B6A458CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0101AB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0101AB46

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 380cfdecad7f342a32bfd348cff94dc944a14003066cc555a9cb3abe2c0b7dfe
Instruction ID: 51e92de07848569ea18fd2d2c29c6c08828ab5587be072fa38224b481615a285
Opcode Fuzzy Hash: 380cfdecad7f342a32bfd348cff94dc944a14003066cc555a9cb3abe2c0b7dfe
Instruction Fuzzy Hash: FF01AD31505684DFDB208F19D884B16FFE0EF04720F08C49ADE8A4B257C2B9A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0101A44E, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0101A480

Memory Dump Source

Source File: 00000000.00000002.223371216.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 379be922fe7e24cc461ec3f6ea18933106b604e212552c9a99f14c7641d56d0f
Instruction ID: 711421d8e4eaece390402af61f031bc01f60781948a948ca44842c68f29faabe
Opcode Fuzzy Hash: 379be922fe7e24cc461ec3f6ea18933106b604e212552c9a99f14c7641d56d0f
Instruction Fuzzy Hash: 13F0A475545684DFD7208F19D888766FFD4DF44320F18C0AADE894B216D6B9A448CE62

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5DB9, Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

s, xrefs: 04EE5E1B

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: 5d6383a52004fc33a1a3cf03d5c70382569470302832bfa62c6a482fc694f63e
Instruction ID: 9b6a9dc24453712ffda19e4c36a2cb7c7f3a1fbb8b71a33c0ac3937bc9ee074c
Opcode Fuzzy Hash: 5d6383a52004fc33a1a3cf03d5c70382569470302832bfa62c6a482fc694f63e
Instruction Fuzzy Hash: D91146B0E08349EFCB14CFAAD4442FEBBB5BB49304F20A569C459A7291E7342A01DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5DC8, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

s, xrefs: 04EE5E1B

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: b430e61bca30c3ea096905c9b17a3be462107da8b97ea0d11e47fb9621c86f9b
Instruction ID: 797b499c273149d9fd98cfbdfab222c79e82da4e749cb62e14d4e0761f7e5a94
Opcode Fuzzy Hash: b430e61bca30c3ea096905c9b17a3be462107da8b97ea0d11e47fb9621c86f9b
Instruction Fuzzy Hash: 5D114870E08209EBCB14DFEAD4442FEBBB9BB49304F20A528C41AA7294EB342901DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0299025D, Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.223495503.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfe56d230c9c253435ae64302bd3f0f1e14676d95595399d423430a08e140ab
Instruction ID: d45b151ccaa14e4bd5a1ca49cd4714b02279120c5891953f0e92dbc670e14883
Opcode Fuzzy Hash: 3cfe56d230c9c253435ae64302bd3f0f1e14676d95595399d423430a08e140ab
Instruction Fuzzy Hash: 3521BB6558E3C14FD3034B759C611A0BFB0AE43221B1E81EBC4C4CF1A3E259599EC772

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7E43, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f425958ffa0864aac3297571f286a71b6555cb9a0ccffe0d7123028328af25e9
Instruction ID: dd9b7c8e01c5905dbf95a6951dce141d81a1e0fd1f31193e444926cd994847e1
Opcode Fuzzy Hash: f425958ffa0864aac3297571f286a71b6555cb9a0ccffe0d7123028328af25e9
Instruction Fuzzy Hash: F4C152B0901245CFEB00EF9AC584AACBBB2FF04748F55A199D418AF65AC375E885CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7E95, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2665607934c594e523be35ca3a3d4856f35027d2a7c032988383ba9119fab8f9
Instruction ID: 04213731d8c0296761e92c7076f325b8d4af88ed19d2a76fbae9ea6be199ee52
Opcode Fuzzy Hash: 2665607934c594e523be35ca3a3d4856f35027d2a7c032988383ba9119fab8f9
Instruction Fuzzy Hash: C4C164B0901244CFEB00EF9AC584BADBBB2FF04349F55A195D418AF65AC375E885CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04EE62EA, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcdfbece0d5ee01a4d3f0d3cda8689103984b15a6247012fe47743c5aa5fdc7
Instruction ID: f799d12fefecb0a8350256f914a562925e13c2222901729946b0af2bad824c83
Opcode Fuzzy Hash: 6fcdfbece0d5ee01a4d3f0d3cda8689103984b15a6247012fe47743c5aa5fdc7
Instruction Fuzzy Hash: BEC149B0A05348CFCB64DFA9D654ABCBBB5FB09328F14A269D4199F2A5D730AD01CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5408, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df8b0b15e29b421175069903965eb931f28b6c0b89f34ef3ea9f33f4a809d40
Instruction ID: 70723294f256eafea02b20cef93b3b05f38f2eaaf95e8e671adaa83b40f46f79
Opcode Fuzzy Hash: 0df8b0b15e29b421175069903965eb931f28b6c0b89f34ef3ea9f33f4a809d40
Instruction Fuzzy Hash: 7C91C334B00115EBDB14DAEAC560BBD7BF2EBC8358F20546AE203AB384DE759D4187A5

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7EC4, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41067038dbe50b6f18ff39d804e4d03b761ce167f4f9f1987e10a893a29e814d
Instruction ID: af7005a1c0e3426e3f5bb561f0926b20c954aa1fc965d5e49d80eac809a26bea
Opcode Fuzzy Hash: 41067038dbe50b6f18ff39d804e4d03b761ce167f4f9f1987e10a893a29e814d
Instruction Fuzzy Hash: 01C163B0901248CFEB00EF9AC584BADBBB2FF04348F55A195D418AF65AC375E885CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04EE42A0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9280db81925934c7eb83bf85cccd6e8ecb590a843d4f1dfa1d902b17b56778d
Instruction ID: 49b9c03a0be9286488eff087241a423ef53b8e5f92e106650d3b224ec7e62d3a
Opcode Fuzzy Hash: f9280db81925934c7eb83bf85cccd6e8ecb590a843d4f1dfa1d902b17b56778d
Instruction Fuzzy Hash: 8481AF34E00204DFDB10CFAAD444BBDBBF2AB88314F10812AE555AB2D5E775E996DB41

Uniqueness

Uniqueness Score: -1.00%

Function 04EE54C8, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4dd0cc8e20f0315a57da57a200a52762fa49e58387b59db16b070c3895b94e
Instruction ID: 3c85a3280ac970bfae61b13c6aeaa768e248f9a0bc488307028c1d00fbbbe3d7
Opcode Fuzzy Hash: 3d4dd0cc8e20f0315a57da57a200a52762fa49e58387b59db16b070c3895b94e
Instruction Fuzzy Hash: 9F51F834B40215EBDB648EDAC554BFD77F2EB88318F20186AE603BB380DA75AD41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 04EE9BD6, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684fe61a040c11a20ad1f6498b5d79b67b88c7faddc1e9866b02af3f86e49716
Instruction ID: 108c2883dd9cabd36ded97a8cc4f14608ffa8e9a942510d717cb98947bb5f5c5
Opcode Fuzzy Hash: 684fe61a040c11a20ad1f6498b5d79b67b88c7faddc1e9866b02af3f86e49716
Instruction Fuzzy Hash: 33618EB8A05218DFCB04CFAAD5849EDBBF5FB49300F10A595E80AAB316E735AD41DF44

Uniqueness

Uniqueness Score: -1.00%

Function 04EE765F, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b050de4bc23bb7ef9352c2e45c556dca2ac752584a7537cfa6c516bedb81019
Instruction ID: 8f764246a21a1c801ae343f3af744a51a692532b30f75040abaad87b3bafa32d
Opcode Fuzzy Hash: 9b050de4bc23bb7ef9352c2e45c556dca2ac752584a7537cfa6c516bedb81019
Instruction Fuzzy Hash: F7511570E09209EFDB00CFAAD484BFDBBB5EF59309F10A155E405A3241E334AA86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 04EE4E30, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb2e69e9eb3236f1314139cbbb44ecc235c08e5942f5e43fb7b849d2a9e2a1a
Instruction ID: d36840011ef3387dc7c04dfe48c2cef32288bd8312ef8c0fe2ce7d37708d8a71
Opcode Fuzzy Hash: 2cb2e69e9eb3236f1314139cbbb44ecc235c08e5942f5e43fb7b849d2a9e2a1a
Instruction Fuzzy Hash: 1C518C70A04214CFCB14DFAAC584AFEBBF2EB48310F109566E556EB291D779AE81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04EE8DBA, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e03a0eef66f9cce969252f5fd0fae187ad02240bfcd189f03240a0ea2f3a20
Instruction ID: ac1b5f5bd859884fffb50e9c7ec592319b6923712e2acdd1d8140a55041ea699
Opcode Fuzzy Hash: 69e03a0eef66f9cce969252f5fd0fae187ad02240bfcd189f03240a0ea2f3a20
Instruction Fuzzy Hash: 7F410374E0521ADBCB00EF9AD880AFEF7BAFF59300F14A551E415AB261E330B946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04EE3530, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183a556c8d0576eed496338a9608cf3a595c61d9230c7c231a30af2d2c0af1a4
Instruction ID: 1aaee1b5fb5e0d4da8d7625657fe229087c43c91f351773e0da043714da83fda
Opcode Fuzzy Hash: 183a556c8d0576eed496338a9608cf3a595c61d9230c7c231a30af2d2c0af1a4
Instruction Fuzzy Hash: D1410374B04341CFE714DB7AC854BAEBFF2AB96300F20806AE545CB396DA399D068761

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA530, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17745e7636abdba924e296a6b175dde06aa7b23506c6beee5196c3133ace808
Instruction ID: 2f027c0d167d90f6d558c18c70613353306cf571d049d225d29e668cbd49220f
Opcode Fuzzy Hash: b17745e7636abdba924e296a6b175dde06aa7b23506c6beee5196c3133ace808
Instruction Fuzzy Hash: EC41E374E05209DFCB04EFA9D580AEDBBB2FF89305F20946AD805AB254DB35A942DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04EE76AC, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7444ae1fba196723700500109a0a40df3830e6f64db3837811c57de34d01ec
Instruction ID: 80e885845aed411d20dfb31c285e39e54df3977e6189e7df42ee252f1c922c88
Opcode Fuzzy Hash: af7444ae1fba196723700500109a0a40df3830e6f64db3837811c57de34d01ec
Instruction Fuzzy Hash: 39417C74E09248DFDB01CFAAD484BECBFF1AF0A305F14A099E445A7252E7346A85DF44

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2FC1, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e450ee4b1681e82c3c3e3201ec67b32dd480e4346596e5cd8e2d562a902a073
Instruction ID: fe65dca9d1cd1e0ecb9e97b7ba4087d72db02a683d97141ce756c7ffc4368344
Opcode Fuzzy Hash: 4e450ee4b1681e82c3c3e3201ec67b32dd480e4346596e5cd8e2d562a902a073
Instruction Fuzzy Hash: C841C5B4E012089FDB04DFAAD990AAEFBF2FF88300F248169D904A7364DB755942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE3520, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6c4ae05e8a3f76212cd78c47907f115d8159cb894b13ebf10bbbeb25446a14
Instruction ID: b5dba778e86ba0ebbd6681245f47777e910e85341d9240443c565528b0515905
Opcode Fuzzy Hash: 9d6c4ae05e8a3f76212cd78c47907f115d8159cb894b13ebf10bbbeb25446a14
Instruction Fuzzy Hash: 1431B074B00200DFD754DBBED819B6EBBF2ABC5301F20806AE546DB395DA359D028B61

Uniqueness

Uniqueness Score: -1.00%

Function 02990738, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.223495503.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2f2e8fdb1485972c6d4a9b4dd1b966248858b29d8d940d487ef9e6eb6092fe
Instruction ID: d28bfa5cb58e4efb9ab956a111a7f7bbdafe9f8fbb284f55bac4dc7ba9e31770
Opcode Fuzzy Hash: de2f2e8fdb1485972c6d4a9b4dd1b966248858b29d8d940d487ef9e6eb6092fe
Instruction Fuzzy Hash: 6931B2351093809FDB12CF24D980B65BFA1EB86724F18C6AED8998F653C33A9806CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2FD0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f298f26af3842141f0ed6327b18ce74bf23e541d423b91bf545c52717e95784
Instruction ID: 1ac03ad191ee713e7eb8685ae7a36121f1070a7ce7ee5ab91cc33792b8650578
Opcode Fuzzy Hash: 8f298f26af3842141f0ed6327b18ce74bf23e541d423b91bf545c52717e95784
Instruction Fuzzy Hash: E041A4B4E00209DFDB08DFAAD980AAEFBF2BF88300F248169D904A7364DB755941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE36C1, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2134ca26e9e70436f9c1ae4cd361519aefa5e39d7ed6c246f62db46307125e1f
Instruction ID: bbff2e7af5ec1c510c8aee07623e483bd1de11e5c4cee4ec76d387540f601ffb
Opcode Fuzzy Hash: 2134ca26e9e70436f9c1ae4cd361519aefa5e39d7ed6c246f62db46307125e1f
Instruction Fuzzy Hash: 5F31E8B1A08156CFD704CB6AC5807BBBBF1BF45314F0595B3E595DB281D338E9018721

Uniqueness

Uniqueness Score: -1.00%

Function 04EE9586, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77444760d11a4f1a4f2836b6233d0a13cf9246c080dd0316c5b48bddfc2476d8
Instruction ID: 1475be92bded1ee98297a3052006a5c0b1b5f60dbb6029f8115c6922667cea4c
Opcode Fuzzy Hash: 77444760d11a4f1a4f2836b6233d0a13cf9246c080dd0316c5b48bddfc2476d8
Instruction Fuzzy Hash: 293172B8E04209CFDB04CF95D0949EDBBF9FB59310F10A556E819AB312E734A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0006, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de39946d3615d5f474a470ec8b0d5b51a6a6069992f61062ded34ae1b07900c
Instruction ID: bba803a571e7173f1fc6fcaa5a8418230a27fd40c538de53cb7230bfefbdc815
Opcode Fuzzy Hash: 4de39946d3615d5f474a470ec8b0d5b51a6a6069992f61062ded34ae1b07900c
Instruction Fuzzy Hash: 161145A184F3C14FD707A73058A26E93F709E6321475A04CBC881CB0A3E52E4E0BDB62

Uniqueness

Uniqueness Score: -1.00%

Function 04EE640C, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343fd1dc3fad9b58b3f2e2d6c1ccb1d4ead9114fe7e609295c09e7e33b4816a2
Instruction ID: d4031a00059e7b158c748fc4ccf7a48258a19a9a22f1db19bf16ef1867bbb32c
Opcode Fuzzy Hash: 343fd1dc3fad9b58b3f2e2d6c1ccb1d4ead9114fe7e609295c09e7e33b4816a2
Instruction Fuzzy Hash: D1219F74D012098FDB04EFA9D4955EDBBF2FF89310B54816AD404E7355CB385E06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE8BFA, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1262fb684ec31fb9ae664d590ddc9f5039faf832e60cd27d5f6caea364e2bcb5
Instruction ID: 28b06f5c4ef0524c6fe9b79427f517ce4ecd624ebbc257789ef1708640cd6f5b
Opcode Fuzzy Hash: 1262fb684ec31fb9ae664d590ddc9f5039faf832e60cd27d5f6caea364e2bcb5
Instruction Fuzzy Hash: 202124B1C0424A8BE700EBB4C5893CDBF72FF15304F5442AACA5593656DB3A9B0BCB81

Uniqueness

Uniqueness Score: -1.00%

Function 0299075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.223495503.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b89d38af97ee0a1b016447fb7e428fdc1462db348c7da9b4e131c24de4a403
Instruction ID: 1325847b4b243460aeed13c0bd1403ac3d8c18ea51c63334aa8cb701f5817cdf
Opcode Fuzzy Hash: 45b89d38af97ee0a1b016447fb7e428fdc1462db348c7da9b4e131c24de4a403
Instruction Fuzzy Hash: DA11E434204244EFDB05CB28C980B26BBE5AB88728F24C99CE9491B653C777D843CE51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6430, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8120c6d9a88aa1cce82b73c023412066a7a7812832b239fda73059637484098e
Instruction ID: 5e6c433f30fd1360442eca5976d5737d2e45c98551dce01b1f2f7fe07e65c857
Opcode Fuzzy Hash: 8120c6d9a88aa1cce82b73c023412066a7a7812832b239fda73059637484098e
Instruction Fuzzy Hash: CF212974E01209DFDB44EFA9D595AAEBBF2FF88304B508569E405A7354DB34AE02CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02990638, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.223495503.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a1e7c802c0ba54f99801fc758318554d8a25eec863adeb20217c8bd27de2c9
Instruction ID: 98c89ccdf4e20e6ddb6a5bec540e145e09db0fb9dbc04e705a268167554a256c
Opcode Fuzzy Hash: 43a1e7c802c0ba54f99801fc758318554d8a25eec863adeb20217c8bd27de2c9
Instruction Fuzzy Hash: E901A2B25087409FD7118F1AEC40897FFA8EB46730B1885AFE859CB252E635A804CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 029905CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.223495503.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e88a4b0f52549c789c47741d44e2f02abc570c79d53a9bb7246a44a3ac78f4
Instruction ID: e98f88a94f2d16d16ba912fa80f685114ae8d55998fdc63d6cfc5fe8e4722c02
Opcode Fuzzy Hash: 62e88a4b0f52549c789c47741d44e2f02abc570c79d53a9bb7246a44a3ac78f4
Instruction Fuzzy Hash: 8C01D676548380AFD7128F06EC40862FFB8EE86230718C1AFED498B652D225A904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04EE8C50, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1203b23d2fb2dd6396f686c3dba464ee1df383aa8cdb1768169d257abffe1288
Instruction ID: 777c15ba76538b2160d38fa24fdcd0ef729cc87de65f34a186c2ca467132b384
Opcode Fuzzy Hash: 1203b23d2fb2dd6396f686c3dba464ee1df383aa8cdb1768169d257abffe1288
Instruction Fuzzy Hash: DE01FB74E4020ADBCB14EFA8D4555ADFBB1FF44304F2082A9E855A7344DB75AE46CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04EE30FF, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729fb17f4a6c73dba93bc85cc354249bb6cd5b3b613dd4dc5d9f2a4758a8c05a
Instruction ID: b99f9a15c7ca229cdf2d087993c7b6e8edcc9c8308b18bb6b4fa8a84e873b059
Opcode Fuzzy Hash: 729fb17f4a6c73dba93bc85cc354249bb6cd5b3b613dd4dc5d9f2a4758a8c05a
Instruction Fuzzy Hash: 3BF06D78D08308EFCB10EFA5D8496ACBBB4EB09300F1480A9DC4583311E6756A46DF81

Uniqueness

Uniqueness Score: -1.00%

Function 02990818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.223495503.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: f78cf99fbed88eaba92376bc702a9d31ee4bd3693b448e13c7dff0f782168b0a
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 4DF0FB35204644DFC605CB44D940B15FBA6EB89728F24CAA9E9590B662C3379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 04EE00B8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7054f58f018af30620df3323e6ebce3543dbc080042919de77193a92a4bebcc9
Instruction ID: c59b2a3f04fab65097278ccb3259ee7662803899a5cbc16f71e23a40304b7b5e
Opcode Fuzzy Hash: 7054f58f018af30620df3323e6ebce3543dbc080042919de77193a92a4bebcc9
Instruction Fuzzy Hash: 31F02270C09248DFCB04CBA5C981BE8BBB0DF57318F2010E9C484AB261DA396E06EF61

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE690, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164c49df4acd49619056cb4037c5f4be16e64067ac69474d3d87f2d7c39afb5d
Instruction ID: 65e94645d494f6052028340302bc4ae7c26b1748418978aff8e89f5ce8acb581
Opcode Fuzzy Hash: 164c49df4acd49619056cb4037c5f4be16e64067ac69474d3d87f2d7c39afb5d
Instruction Fuzzy Hash: 8CF0ED30D09344DFC320AFB0D809AB9BFB0EB06706F2451E9C8846B296E7766D46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 029905F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.223495503.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31a96b50b15a1682f29ac877803241cf597e891738f27bb097fdf1a4eb8ad5d
Instruction ID: 27ab7c8518301d24836f295b569ee8eb16fe2e764562990016b3e562f68d0997
Opcode Fuzzy Hash: f31a96b50b15a1682f29ac877803241cf597e891738f27bb097fdf1a4eb8ad5d
Instruction Fuzzy Hash: 66E092B66446048BD650CF0BEC81452FBD8EB88630B18C07FDC0D8B700E535B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 04EEFA88, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1784ffa250275eb9a2278413544d2b2b0e42d69fc8af20ca7966fbd3b201631
Instruction ID: 55fba6940a32522daa1653e2ee0007e820c7d045f59650563d54d75c886ef9f6
Opcode Fuzzy Hash: f1784ffa250275eb9a2278413544d2b2b0e42d69fc8af20ca7966fbd3b201631
Instruction Fuzzy Hash: 12F0B775E4012ACBCB24DB69D940BEDBBB5EF44304F1090F6C219A7200EB315E85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0070, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38a17b05cc98ee0c34703835b9f6c88884223c90730e0f6c506536906e76e2f
Instruction ID: 1e2f56f0f6abc40e8b102f85de197664817332ac1a7cdabce7737b5aedbaa5e0
Opcode Fuzzy Hash: b38a17b05cc98ee0c34703835b9f6c88884223c90730e0f6c506536906e76e2f
Instruction Fuzzy Hash: 65E0CD7054320DD7C718FBB4D51267E7378DF43608F101C5CC44527240DD765E10D6A5

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE6A0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3230a3880c599b1489c0bfd78931ddb48a6defbc45750a3a606b51bb66c746
Instruction ID: 6414196a114e7d33e5f81931dee2823d6fecf30405b81ec76828090db359ec54
Opcode Fuzzy Hash: df3230a3880c599b1489c0bfd78931ddb48a6defbc45750a3a606b51bb66c746
Instruction Fuzzy Hash: 31E08630941318DBC720EFB4E4096BDBB74E702705F2011A8C80527384E776AD41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2F88, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0044614751cba41b7e3678f6fa60e5328007459433780e81908f956228ac1f2a
Instruction ID: 7de26cc812fc9206f596fb8a960a1d2217144ab4ede773135bed0d23759bae57
Opcode Fuzzy Hash: 0044614751cba41b7e3678f6fa60e5328007459433780e81908f956228ac1f2a
Instruction Fuzzy Hash: 81E0C2B044A388DFC321DBA09D466A97B28CB03204F2410DDD884A7193D56A6E56D6AA

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE73E, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85092da28bbfbbb00a97d26693a8686cf503ed53f9132088c864fbc644f65870
Instruction ID: b9495a2d765627a1c96bce7044848be9bd22946b16d352c6f382ed3666b8afad
Opcode Fuzzy Hash: 85092da28bbfbbb00a97d26693a8686cf503ed53f9132088c864fbc644f65870
Instruction Fuzzy Hash: AEE01770E0D21ACBCF108FA9A0465FEBBB4AF2A709F143965D40AB7201E375A5109B99

Uniqueness

Uniqueness Score: -1.00%

Function 04EE00C8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915ba517e141c1cbdb6f76e59409debae0fd76f383d33d84c861167e9e25c162
Instruction ID: a845be89555ad4b7f71d891b413d3a90bd2c157b1b755bbc769b2eda3333a9de
Opcode Fuzzy Hash: 915ba517e141c1cbdb6f76e59409debae0fd76f383d33d84c861167e9e25c162
Instruction Fuzzy Hash: 93E08C30901208DBC708DFA6C640BADF3B4DF86304F1050A8C40873220DB31AE00DF94

Uniqueness

Uniqueness Score: -1.00%

Function 04EEEB28, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80b9ac3af4c39cf37ec6755996811686a24fba88549dcdcc2e27d85c362757e
Instruction ID: 6faf3d68254a9e980ef0b0bb79347a71327290237cfd5e5eba207cf313741c4c
Opcode Fuzzy Hash: f80b9ac3af4c39cf37ec6755996811686a24fba88549dcdcc2e27d85c362757e
Instruction Fuzzy Hash: 6BE06574C083588FCB90EFE8E8489ADBFF1BF09311B14112AD06AAB380D7354A00EF10

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2F98, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162a130b61b76b10949ee8dc336f66e62c4e21fa3ddbe07afefe0907dd1cfa76
Instruction ID: 652f31fd67b30ec981783af69cc50c72c738e92a1938f79bdef6461f0121322d
Opcode Fuzzy Hash: 162a130b61b76b10949ee8dc336f66e62c4e21fa3ddbe07afefe0907dd1cfa76
Instruction Fuzzy Hash: 30D01270842208DBD724EEA5D941B6EB36CDB02704F2011A8D40833290DA766E50DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 010123F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.223365893.0000000001012000.00000040.00000001.sdmp, Offset: 01012000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac0cee8b7073e316e3ca6d6c7b8aa80aa4d9840fcac00b0b87f715b4b54776c
Instruction ID: 0552439db7ae439b9b08b5d70001937a819cb933f9999e24b8278ddc0c5c33b8
Opcode Fuzzy Hash: bac0cee8b7073e316e3ca6d6c7b8aa80aa4d9840fcac00b0b87f715b4b54776c
Instruction Fuzzy Hash: 17D05E79255A818FE3268A1CC1A8B953FE4AB51B04F5644FDE8408B667C768E9D1D200

Uniqueness

Uniqueness Score: -1.00%

Function 010123BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.223365893.0000000001012000.00000040.00000001.sdmp, Offset: 01012000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0f4ed4f44d71b0a769fa8f406923526fc75a43232e33ccd942d024ccf1b3cd
Instruction ID: 76a63cf0fac7a452d71f26d3c8af15fcc0ff0290ace26e86f6037042f0d36d23
Opcode Fuzzy Hash: 1e0f4ed4f44d71b0a769fa8f406923526fc75a43232e33ccd942d024ccf1b3cd
Instruction Fuzzy Hash: E8D05E342002818FD715DB0CC594F593BD4AB41B00F1684E8AD408B666C3A8D881D600

Uniqueness

Uniqueness Score: -1.00%

Function 04EE61AC, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fbf7c7480781fa47b9638177e80ea7569a5f5b2606619de4f4db1b63e17461
Instruction ID: 9e334db21608e2d841fbc25fa18e0ebb952fecbd55caccbad228114b93715044
Opcode Fuzzy Hash: c9fbf7c7480781fa47b9638177e80ea7569a5f5b2606619de4f4db1b63e17461
Instruction Fuzzy Hash: 15D0A97090624CDFC720CFA4E2806ACB7B0AB04228B206208D4088B252D3302A01CB41

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04EED020, Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

X1ar, xrefs: 04EED1D6
X1ar, xrefs: 04EED19D
`5ar, xrefs: 04EED175
$g^r, xrefs: 04EED145

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: $g^r$X1ar$X1ar$`5ar
API String ID: 0-3675486359
Opcode ID: ef143ff584dc2a64015a2653b43d14dd820c70fe436532cc9e670a2c8d8b50c7
Instruction ID: 923391616f115f4f855e58bb55a739e22f647bc5d920b46645225edb9baa0120
Opcode Fuzzy Hash: ef143ff584dc2a64015a2653b43d14dd820c70fe436532cc9e670a2c8d8b50c7
Instruction Fuzzy Hash: EF61E370A005068FDB24EF69C880BEEB7B2EF96350F644159D502DB3A5DB35AC47CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04EED0A8, Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

X1ar, xrefs: 04EED1D6
X1ar, xrefs: 04EED19D
`5ar, xrefs: 04EED175
$g^r, xrefs: 04EED145

Memory Dump Source

Source File: 00000000.00000002.228413830.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: $g^r$X1ar$X1ar$`5ar
API String ID: 0-3675486359
Opcode ID: 05e3694ba70582a0f544dd055531dd2397cf665c2a37aea7f4ee62407676544a
Instruction ID: 222c070cc9defcc954c216d558ee3498437bbbf199fe8db0e2a1eaf71148ae31
Opcode Fuzzy Hash: 05e3694ba70582a0f544dd055531dd2397cf665c2a37aea7f4ee62407676544a
Instruction Fuzzy Hash: F5514134A005069FCB14EFA9C854BAEBBF2BF88314F208259E516DB3E4DB35AC41CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 4576 Parent PID: 5528 RegSvcs.exeCOMMON

Executed Functions

Function 053FABAA, Relevance: 8.3, Strings: 6, Instructions: 789COMMON

Download Yara Rule

Strings

X1ar, xrefs: 053FAD7E
Q, xrefs: 053FACED
>_?r, xrefs: 053FAD2D
Q, xrefs: 053FB14F
N, xrefs: 053FB356
(, xrefs: 053FB58D

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: ($>_?r$N$Q$Q$X1ar
API String ID: 0-2874809385
Opcode ID: 90645d8e9975ead32da44b79f9ecf394c33141c5d8c55fcd59a86a95392de5d6
Instruction ID: 91c4f10fb9b6272c4c3d077d22b8e1f8275142f53771089db2ddfbf6224efc08
Opcode Fuzzy Hash: 90645d8e9975ead32da44b79f9ecf394c33141c5d8c55fcd59a86a95392de5d6
Instruction Fuzzy Hash: 7E72C1B0D45229CFDB64DF68C854BEDBBB6AB89305F1091EAC21DA7690DB745AC4CF00

Uniqueness

Uniqueness Score: -1.00%

Function 053F9F72, Relevance: 2.9, Strings: 2, Instructions: 355COMMON

Download Yara Rule

Strings

M, xrefs: 053FA02F
K, xrefs: 053FA25F

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: K$M
API String ID: 0-2047567800
Opcode ID: 3fc3223bea5540d248fc8871730beda776125a04687df751a52e77f8d85308ce
Instruction ID: 1284ac5252f77a675b5fd086c36b82ecbc34b5d4ea2a8a27fc52fcc373f73168
Opcode Fuzzy Hash: 3fc3223bea5540d248fc8871730beda776125a04687df751a52e77f8d85308ce
Instruction Fuzzy Hash: 15D15970D0A218CFDB24DFA4D4487EDBBBABB4A315F10A16AD10EA3691D7784AC4CF11

Uniqueness

Uniqueness Score: -1.00%

Function 053F9FC3, Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

M, xrefs: 053FA02F
K, xrefs: 053FA25F

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: K$M
API String ID: 0-2047567800
Opcode ID: 03c26ff587963a8d2c427e678aeb865ef8818bd06d98eed2750b347be6bb0d03
Instruction ID: 7580ec0fe502bc4f3c063b3fb1f7c381f888fb01535f2a7ef1599e8c3d81604f
Opcode Fuzzy Hash: 03c26ff587963a8d2c427e678aeb865ef8818bd06d98eed2750b347be6bb0d03
Instruction Fuzzy Hash: 37C14C70D06218CFDB24DFA5D4487EDBBBABB4A315F14A1AAD11EA3291DB744A84CF10

Uniqueness

Uniqueness Score: -1.00%

Function 053FA465, Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

M, xrefs: 053FA02F
K, xrefs: 053FA25F

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: K$M
API String ID: 0-2047567800
Opcode ID: b5798f94ba828ef943d634ea818bdae0cebac57c9fefed8018a5cecf061b48bf
Instruction ID: 6d8e4e7648f3cbc43c11e8018399ecb378478b671d712323eb7c3997b20ea1f6
Opcode Fuzzy Hash: b5798f94ba828ef943d634ea818bdae0cebac57c9fefed8018a5cecf061b48bf
Instruction Fuzzy Hash: 01B14C74D06218CFDB24DFA5D4487FDBBBABB4A315F10A1AAD11EA3291DB744A84CF10

Uniqueness

Uniqueness Score: -1.00%

Function 053F2ABC, Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

$g^r, xrefs: 053F2ADF

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: 248f76f1ea028c4b1a3f98a2d0b21303e32c2d7d899baaa6bf0a12b65adacf98
Instruction ID: 172dc9f7f95561bd0134a835246e4e74fb58de9774249e61ebd990e721f5fb70
Opcode Fuzzy Hash: 248f76f1ea028c4b1a3f98a2d0b21303e32c2d7d899baaa6bf0a12b65adacf98
Instruction Fuzzy Hash: 3322D474905228CFDB64DF65C848BEDBBB6BF49305F1080E9E50AA7661CB705E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 058A0637, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 058A06B7

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 0923605f8932a0acd7c79877be4f11ce1304b70bd278af6e7ce59e82aad128ec
Instruction ID: dbd5b5675deeb9c8931845b1b40e1fd0cb7c82fdb66aba16bf2203059ce8eef4
Opcode Fuzzy Hash: 0923605f8932a0acd7c79877be4f11ce1304b70bd278af6e7ce59e82aad128ec
Instruction Fuzzy Hash: 9021BF76509380AFEB128F25DC44B52BFB4AF46314F08859AED85CF163D2719908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058A066E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 058A06B7

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: bb06d8f3e2472dd337614d24d0d2b75bd8deb09195b3610e7a564483822e82ad
Instruction ID: d7f0c53f0e6a2843a3b99645c123ed4360cb4ae9cda1b5bf799f0309a0ab29c3
Opcode Fuzzy Hash: bb06d8f3e2472dd337614d24d0d2b75bd8deb09195b3610e7a564483822e82ad
Instruction Fuzzy Hash: CB114C72504704DFEB20CF56D848B66FBE4EF84324F08856ADD46CB612D6B1E818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 053F4E08, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9940dc77e8784b45fb36d62e603120c5a0c5decc03f414ae978d9cb08eaa53d2
Instruction ID: 516e9d1288ac5a668761f00aaab9165b02c90d83877f5b2aeb5adeaf646a2349
Opcode Fuzzy Hash: 9940dc77e8784b45fb36d62e603120c5a0c5decc03f414ae978d9cb08eaa53d2
Instruction Fuzzy Hash: CDB1F2B4D0820ACFCF04CF99C584AEEBBFABF49314F249029D919AB255D770A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 053F1739, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63770a5404a1e4d5fd31c5cf5890891d389fbcd4e7dee6c10eb9b3ab1cbc9997
Instruction ID: 8afcff854dc238ed33e94a1a5cb5bee2b33c42e6f789fd518af1dd85e5ca7ed2
Opcode Fuzzy Hash: 63770a5404a1e4d5fd31c5cf5890891d389fbcd4e7dee6c10eb9b3ab1cbc9997
Instruction Fuzzy Hash: 517124B4E05218CFDB04CFA9E584AAEFBF6FF58300F24856AD419A7245D7349985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013EAC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 013EACD1

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dc1d66c9cd00c9b990dd035c25655720ee4cc7acbbcea67e2290c70ce421d0fc
Instruction ID: 7b28d419f4d0efaa90903fd5421ad3c2db580de10228a844358f2ea5e4b5b543
Opcode Fuzzy Hash: dc1d66c9cd00c9b990dd035c25655720ee4cc7acbbcea67e2290c70ce421d0fc
Instruction Fuzzy Hash: A131B472544384AFE7228B25CC45F67BFECEF06710F0885ABED819B152D265A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 013EAD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0965AFF7,00000000,00000000,00000000,00000000), ref: 013EADD4

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 901d8ca87321bcad2bd8fc471880d541c77a5740b02df24b0c2179721543b35c
Instruction ID: 219ab2504acd77c66865f7efbb3524628a6d52f5c35ac674e395af1418907f67
Opcode Fuzzy Hash: 901d8ca87321bcad2bd8fc471880d541c77a5740b02df24b0c2179721543b35c
Instruction Fuzzy Hash: 4A31A4711083846FE722CB25CC84F92BFF8EF06314F08849AE9858B292D260E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058A0968, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,0965AFF7,00000000,00000000,00000000,00000000), ref: 058A09FC

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 1f7a7b8445ab4bdb4f3773ef2ee3895606dbb0fa78ccd3861faed9ed7b247d4d
Instruction ID: 03f7d0fcf4d199efdaf57f739b23165472c8f238b6047ed0a3cc3a20d83fc973
Opcode Fuzzy Hash: 1f7a7b8445ab4bdb4f3773ef2ee3895606dbb0fa78ccd3861faed9ed7b247d4d
Instruction Fuzzy Hash: 1321D672549380AFE7128B24DC45FA6BFB8EF43324F0884DBE984DF193C264A945C761

Uniqueness

Uniqueness Score: -1.00%

Function 013EA2AC, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 013EA346

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 88f3eff5b8143a4fd622e26ead05f27e7a7e8ce3f4a036c1f1dc03509fe3a6de
Instruction ID: 38f688f53ae5a541cc89bd32cba8e8a59b0766487d747a8a08ed4760cf97ea52
Opcode Fuzzy Hash: 88f3eff5b8143a4fd622e26ead05f27e7a7e8ce3f4a036c1f1dc03509fe3a6de
Instruction Fuzzy Hash: 2021A77144D3C06FD7138B259C51B62BFB8EF87624F0A41DBE884CB5A3D225A919C772

Uniqueness

Uniqueness Score: -1.00%

Function 013EAC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 013EACD1

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 68550995d9352d90c664348de2c2cb2ff2ff10726f4e432642adca03d9137ccf
Instruction ID: 70b343e8b0fbcab2d69aac239b134f77643fcdac8e4b244275f218324ed52d2d
Opcode Fuzzy Hash: 68550995d9352d90c664348de2c2cb2ff2ff10726f4e432642adca03d9137ccf
Instruction Fuzzy Hash: B621CD72500704AFEB219B68CC84F6BFBECEF04710F14842AEE41DB281D661E8088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 013EBE55, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?), ref: 013EBED7

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b6c5a846e0053d62d2b703e5e7d2b0403debe3d30e0e6ea51cf333fc77c613c0
Instruction ID: cce4c3dfe7bfb6ae636a3930042f0ed2f1ba9461cc8b31c14a2d619f2feb1cad
Opcode Fuzzy Hash: b6c5a846e0053d62d2b703e5e7d2b0403debe3d30e0e6ea51cf333fc77c613c0
Instruction Fuzzy Hash: B2219071505384AFDB23CF25DC44B52FFF8EF46214F08859AEA858B563D275E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058A04BB, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 058A0536

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 84971ec8c3a224341d2c8e0ae15432b8dd8550d716d527dfc73e0a6647585170
Instruction ID: 2e0c5c6a909db45d9aacc162da1f108e548989e4764034067cb3f6d9f39d4c9c
Opcode Fuzzy Hash: 84971ec8c3a224341d2c8e0ae15432b8dd8550d716d527dfc73e0a6647585170
Instruction Fuzzy Hash: 6C2195765093809FE7128F65DC45B92BFE8EF06210F0984DBDD85DB263D274D908C761

Uniqueness

Uniqueness Score: -1.00%

Function 013EAD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0965AFF7,00000000,00000000,00000000,00000000), ref: 013EADD4

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 31cd9665fbb28fc9a929f910f1f7e3329dc283eedb32a51516dd25243e50cbad
Instruction ID: 68067997bf4337407885b5c9ac2c241a454ecf4efd420b999b51fdb666dc3a8a
Opcode Fuzzy Hash: 31cd9665fbb28fc9a929f910f1f7e3329dc283eedb32a51516dd25243e50cbad
Instruction Fuzzy Hash: 95216D71600704AFE721CF29CC84FA7BBECEF04715F04856AEE459B691D661E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 058A07B9, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,0965AFF7,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 058A082A

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: db1d9c80ec744011e7a1562da4de1004d361da2f8e53633d2f1db9bf62188be1
Instruction ID: 3070370b00612968f9a30338bd8f5f520e8891a3590e15c73e6bd4015f397da1
Opcode Fuzzy Hash: db1d9c80ec744011e7a1562da4de1004d361da2f8e53633d2f1db9bf62188be1
Instruction Fuzzy Hash: 83216F725093849FE712CF65DC85B92BFE8EF06210F0984EAED85CF163D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013EB42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 013EB4A9

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 80c1565e960834f8ee3accfe9c04177b4de2831664d86ab0be57bb8546727ca3
Instruction ID: 8bbe4838f560d9d50860f5c40ec8e87eb8d98bf5fed58dffca1d6ac252711f47
Opcode Fuzzy Hash: 80c1565e960834f8ee3accfe9c04177b4de2831664d86ab0be57bb8546727ca3
Instruction Fuzzy Hash: 252193B15093849FD7228E15DC45B62FFF8EF06614F08808AED84DB293D275A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058A0A55, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058A0AC8

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bea471d949b054a2f6a0e731cd96d49371d3618eb628304a82e07d8a54cb55f9
Instruction ID: 2a6b4080ac45047d84da0bd248ef56d5ee32164ed592535e77e7274cfe77e25c
Opcode Fuzzy Hash: bea471d949b054a2f6a0e731cd96d49371d3618eb628304a82e07d8a54cb55f9
Instruction Fuzzy Hash: 0721C0761097809FDB228F25DC44A62FFB4EF06210F0880DEED858B663D2B5E858DB61

Uniqueness

Uniqueness Score: -1.00%

Function 058A0BA9, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 058A0C1D

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7770d6d428fe2e9ecbb63f83f577d1865dd9ed060e5d09df3f3cd3fe241a4e05
Instruction ID: 7195716862daceaa5ba26babc23793494c5f41b160856f1a4834e6ab2dee2975
Opcode Fuzzy Hash: 7770d6d428fe2e9ecbb63f83f577d1865dd9ed060e5d09df3f3cd3fe241a4e05
Instruction Fuzzy Hash: 08218E724093C09FDB138F25CC45A51FFB4EF17210F0985DAED848F563D265A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 013EA5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013EA666

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e620c43bb3d1f92cddcd96c21671c068d25d473179c90ce7014abaebea8c7b35
Instruction ID: b2e7088bc42356af9c7b16d901a3389d8ad21470ae309d4628f24ec4f9328af6
Opcode Fuzzy Hash: e620c43bb3d1f92cddcd96c21671c068d25d473179c90ce7014abaebea8c7b35
Instruction Fuzzy Hash: 4C11B471409380AFDB238F54DC44A62FFF4EF4A220F0885DAEE858B563D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 058A09A6, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,0965AFF7,00000000,00000000,00000000,00000000), ref: 058A09FC

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: c7a7a60555e850e04a81ed3c20aa3ec964ad81bb5dff0a9a040f3b5eb776e1f2
Instruction ID: f2df75b1c9911593aeb90fac82ae65b61c1cfbc5691de9b687bd6f212f57e182
Opcode Fuzzy Hash: c7a7a60555e850e04a81ed3c20aa3ec964ad81bb5dff0a9a040f3b5eb776e1f2
Instruction Fuzzy Hash: 9811C172600204EFEB10CF25DC85B6BFB98EF45320F1484ABEE09DB241D6B4A804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058A0367, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058A03CC

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 92f7d5951ef6ca2a3530bbf558a794ff5cc05696d2cadba01f44acd3d70b5063
Instruction ID: d32d9fd4098f7c3e2a5930d976ab6ac6eda0b89f510cb38f5cad9cc5d47b2a3d
Opcode Fuzzy Hash: 92f7d5951ef6ca2a3530bbf558a794ff5cc05696d2cadba01f44acd3d70b5063
Instruction Fuzzy Hash: 40110876009780AFDB228F25DC44E52FFB4EF06320F0880DEED858B563C275A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 058A0F3B, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 058A0FA5

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 43174d017cfd0a89ef8ee62602335f08bc5126d334f0eb7bcf39cf2eac9766da
Instruction ID: 8162170531a3eaab9631f702f53047b65c2344f3775e645b3b2282fecd506738
Opcode Fuzzy Hash: 43174d017cfd0a89ef8ee62602335f08bc5126d334f0eb7bcf39cf2eac9766da
Instruction Fuzzy Hash: 6911D072409384AFDB228F15DC45B62FFB4EF06324F08809EED858B563C275A918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058A02C0, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 058A031F

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8474367db2de47bf3c8dfb985af6e1ed32885755ada1b2f7ab20c9cb267fb685
Instruction ID: 900ddc93e768fe0573bd215b3805019d8c75ca67ed117a9a3baf2883ca6006f9
Opcode Fuzzy Hash: 8474367db2de47bf3c8dfb985af6e1ed32885755ada1b2f7ab20c9cb267fb685
Instruction Fuzzy Hash: 07118F765093849FE711CF15DC85E66FFE8EF06220F0980AAED45CB262D275A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058A04EE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 058A0536

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5bc48c4356224f4fcb5a31758502b0dc1894e9d9ddd7d37ae01f079fbd2b1585
Instruction ID: eea30f56a6f3bfdc454710449b8ed390eb02658b6b791da78f1699723bc9befe
Opcode Fuzzy Hash: 5bc48c4356224f4fcb5a31758502b0dc1894e9d9ddd7d37ae01f079fbd2b1585
Instruction Fuzzy Hash: 4811A1B2A04204DFEB10CF29D889B66FBD8EF04220F08C46ADD49DB652D670E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 013EBE86, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?), ref: 013EBED7

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: dd216e116dd31f27ab3f7cd47cda7e1b222189b554ff6aed0c9e601650d881c2
Instruction ID: f9f1eba1823ee34f3f87e8e23447c5639b0e62b04b615818f83d0952afcba9d0
Opcode Fuzzy Hash: dd216e116dd31f27ab3f7cd47cda7e1b222189b554ff6aed0c9e601650d881c2
Instruction Fuzzy Hash: E9115E71500744DFEB21CF69D848B62FFE8EF44614F08856AEE498B656D371E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 013EAEF0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 013EAF50

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93b201a2bbb3e910bfd4b2011c147e49d5e7a62ac98e3b8ef3d2024f3374482a
Instruction ID: 0bef00c98b96f7c3371ce7d11d6fe8e2d93f107a50203dd5192a01ec098f0495
Opcode Fuzzy Hash: 93b201a2bbb3e910bfd4b2011c147e49d5e7a62ac98e3b8ef3d2024f3374482a
Instruction Fuzzy Hash: 76119E72409784AFDB228F55DC45E52FFF4EF0A220F08859EEE854B662C375A458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058A07EA, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,0965AFF7,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 058A082A

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 338d42f23efac53b261877f99753e6c59985f69968859470cf94c8ff232b7fcd
Instruction ID: dd9238e2a8e2688f32b33f27d42d737c0c32eaf67e82eef00b5aa4d280a2f8db
Opcode Fuzzy Hash: 338d42f23efac53b261877f99753e6c59985f69968859470cf94c8ff232b7fcd
Instruction Fuzzy Hash: 78118472904604DFEB10CF65DC89B66FBE4EF04720F08C4AADD49CB651D675E848CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013EA42A, Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 013EA480

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8e71dcb79c460954e8705a3b74d2df6103227d92cd31fff7e1d0d45dda8111b5
Instruction ID: 5a54d824467438acd39c0fd2232f3e204b9eecb1a3796e3439bbffa5d095ab23
Opcode Fuzzy Hash: 8e71dcb79c460954e8705a3b74d2df6103227d92cd31fff7e1d0d45dda8111b5
Instruction Fuzzy Hash: 5301C071408384AFD7128F15DC48B62FFE8EF46624F0880DAED859B253D275A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 013EAAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 013EAB46

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2f124efe5b68d998eb5f79c2416543e7e66ab09a9d7cce4933345f80df8449ac
Instruction ID: d3665b8aed0aa078e358bc90d88f1928d9ddbf00af9be053ea2388a26b2074fd
Opcode Fuzzy Hash: 2f124efe5b68d998eb5f79c2416543e7e66ab09a9d7cce4933345f80df8449ac
Instruction Fuzzy Hash: 2E11A031409784AFCB228F15DC89A52FFF4EF06220F08849AED854B262C275A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058A0A82, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058A0AC8

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e239e04a7598139679cded6b029486b1404a5a45598dc10d82ed93ea97dd9aec
Instruction ID: 0ba5448266b58f49b0cb808821d5271397190ace899a0b2510fbcacf8cb670a1
Opcode Fuzzy Hash: e239e04a7598139679cded6b029486b1404a5a45598dc10d82ed93ea97dd9aec
Instruction Fuzzy Hash: F6016176601604DFEB20CF59D888B66FBE4EF04610F08806EDD468B656D6B1E858DB61

Uniqueness

Uniqueness Score: -1.00%

Function 013EB45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 013EB4A9

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: b0b873f633384354e198f72b34ce6eafcfaa9f35fe7fbd2475af33736193d0b5
Instruction ID: 212f6b2cfcee17ed8f63294dd021cb4e989afdf83d8ea818ab8e819c1ef872ff
Opcode Fuzzy Hash: b0b873f633384354e198f72b34ce6eafcfaa9f35fe7fbd2475af33736193d0b5
Instruction Fuzzy Hash: 4C0180715007049FEB21DE19D889B62FFE8EF04624F08809AED499B686D675E408CF71

Uniqueness

Uniqueness Score: -1.00%

Function 013EA622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013EA666

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4bda342b82cf94b836205d96d3007d36527be6bba6c3cd063a8900badf55da48
Instruction ID: 3204fbcb2a80f9f5360d571207d12e38a682f8a12fd2bca8f07c32097d0d0e6e
Opcode Fuzzy Hash: 4bda342b82cf94b836205d96d3007d36527be6bba6c3cd063a8900badf55da48
Instruction Fuzzy Hash: 74018031404704EFDB228F55D848B56FFE4EF49720F08C9AADE494B652D275E418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 058A02E2, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 058A031F

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 5c58b0c32a2e85974a3cc42832201eb05f2a445a4a0f7a77de743d72f3e9b163
Instruction ID: 6405083d44572cd78c25edb76b7ddb234ed2614b74367cdf21709e40131d4ad3
Opcode Fuzzy Hash: 5c58b0c32a2e85974a3cc42832201eb05f2a445a4a0f7a77de743d72f3e9b163
Instruction Fuzzy Hash: 4001D436604644DFEB10CF19D889B66FBD4EF04220F08C0AADD4ACB652D275E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013EA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 013EA346

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: f057c2b7943531b27d8a637030243fbb45e655d5c4a597d17b842e992f74a2be
Instruction ID: 1b885a6ed87b08d08f7aecd994211c07902b28522055961cf921ad55feb3e627
Opcode Fuzzy Hash: f057c2b7943531b27d8a637030243fbb45e655d5c4a597d17b842e992f74a2be
Instruction Fuzzy Hash: 3F01A271500600ABD210DF16DC82F26FBA8FB88B20F14815AED084BB41E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 058A038E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058A03CC

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d656b4977df2f59d884ec3c400e72eb29cd448f96042380f1754b6aa32e14c52
Instruction ID: a6420005b05862d9b3666a730430c8d86f18ce8f920c820bbad492ef153ab915
Opcode Fuzzy Hash: d656b4977df2f59d884ec3c400e72eb29cd448f96042380f1754b6aa32e14c52
Instruction Fuzzy Hash: 5A019E36500604DFEB20CF55D848B66FFA0EF04320F08C49EDE468A621C2B6A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 058A0F6A, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 058A0FA5

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1b4a557ff946280bce3de42d787f17864300eea5210f27e7e986efe87f1576dc
Instruction ID: f1b99b9355c7be2dd1cc5831dd2e97f19168eccfdf1d6d742f89579cb85e616b
Opcode Fuzzy Hash: 1b4a557ff946280bce3de42d787f17864300eea5210f27e7e986efe87f1576dc
Instruction Fuzzy Hash: A901D436500744DFEB208F55D848B66FFA0EF04320F08C09EDE459B651C2B1E958CF62

Uniqueness

Uniqueness Score: -1.00%

Function 013EAF12, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 013EAF50

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 44c2111be83ecaf9e00ead0f70eb4ddb7c671ee86f735262d58d32edf669fbdf
Instruction ID: 1adaacb2277efcd28f6de2c3222475dbc93e8c253e383b4eab924120e5f90b63
Opcode Fuzzy Hash: 44c2111be83ecaf9e00ead0f70eb4ddb7c671ee86f735262d58d32edf669fbdf
Instruction Fuzzy Hash: EE01BC71400704DFDB218F45DC48B22FFE0EF08320F08809AEE490B6A2C2B1A419CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 058A0BE2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 058A0C1D

Memory Dump Source

Source File: 00000002.00000002.246964260.00000000058A0000.00000040.00000001.sdmp, Offset: 058A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 948c8184ddbe5baa80277d75bb5fd02ccf9fac36f3f868aaa1c76f5ce4073a9b
Instruction ID: e764fe2831ef96952de54cbfc718a50ac132aa38662b846a4d12913c73d62b99
Opcode Fuzzy Hash: 948c8184ddbe5baa80277d75bb5fd02ccf9fac36f3f868aaa1c76f5ce4073a9b
Instruction Fuzzy Hash: 83018F36400644DFEB20CF55D889B26FFE0FF08320F08C59ADE494B612D2B6A858CB62

Uniqueness

Uniqueness Score: -1.00%

Function 013EAB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 013EAB46

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 418075ed94e10b15e2a58f4f3e7aac77c3afaec56b1d3fccd532712246d8505e
Instruction ID: 3218881e00b31200da8d26cbc84121cd18b9ff6e765ce979c72f2eef2a955c0e
Opcode Fuzzy Hash: 418075ed94e10b15e2a58f4f3e7aac77c3afaec56b1d3fccd532712246d8505e
Instruction Fuzzy Hash: 2F01AD31404704DFDB208F09D889B22FFE4EF04724F08C59ADE4A4B692C2B5A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 013EA44E, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 013EA480

Memory Dump Source

Source File: 00000002.00000002.242691909.00000000013EA000.00000040.00000001.sdmp, Offset: 013EA000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a2883facb1f8ed5b6ae3735ddf29233f878076eee12012caae953f9d8322857e
Instruction ID: 20e68fa8ce66503a4a5c88152e43da9baf5299d48ab7b4dc4ebdd7b7ac229974
Opcode Fuzzy Hash: a2883facb1f8ed5b6ae3735ddf29233f878076eee12012caae953f9d8322857e
Instruction Fuzzy Hash: B8F0DC358043449FDB108F09D889762FFE4EF04324F08C0AADE495B742E2B9A408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 053F0F38, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

X1ar, xrefs: 053F103B

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: X1ar
API String ID: 0-3367582976
Opcode ID: 4d6f8bc307e66115a3e21aa824d556a69f98f6b18ec2653e988ae808a0c703ef
Instruction ID: 7ab8e74a13fa5b57e73a438e410d459c0117a3fe0f26091ce941049f77bbb3da
Opcode Fuzzy Hash: 4d6f8bc307e66115a3e21aa824d556a69f98f6b18ec2653e988ae808a0c703ef
Instruction Fuzzy Hash: 3941B3B4E01208DFDB18DFA9D558AAEBBF6FF48301F10806AD906A7364DB345941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 053F0F29, Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

X1ar, xrefs: 053F103B

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: X1ar
API String ID: 0-3367582976
Opcode ID: d75ffee9d5e8f97024af1f4b639ac0872edc078ca784d0fd58ca43ae03704ca6
Instruction ID: 534028f91a86957b338a07e7c491379aa8305443d6c2e438b26c58e967b94168
Opcode Fuzzy Hash: d75ffee9d5e8f97024af1f4b639ac0872edc078ca784d0fd58ca43ae03704ca6
Instruction Fuzzy Hash: 904192B4E01208DFDB58DFA9D548AADBBF6FF48300F14806AD906A7364D7355941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 053F1CAA, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

M, xrefs: 053F1D03

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 860aa62fda94a45c14651944fd0eec24eca9fa72d03b9d8dc23c425224487cea
Instruction ID: 993464c1206d8068189e8c740d69f3636c6823cfd1045f59e346fabf613b8a57
Opcode Fuzzy Hash: 860aa62fda94a45c14651944fd0eec24eca9fa72d03b9d8dc23c425224487cea
Instruction Fuzzy Hash: E60157B4D08649DBDB04CFAAE4446BDBBFEFB49308F10E129E526A7294D7744A04CF00

Uniqueness

Uniqueness Score: -1.00%

Function 053F1CB0, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

M, xrefs: 053F1D03

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 96e85ec2e4e4e748f1eccff44ef0e0797924b9de1c81cfc8c6eac99539bc90c8
Instruction ID: 787b8afd8ff62a40a3e25ec8cc32ff31d98658e5ffa177c84407168ec1a6c444
Opcode Fuzzy Hash: 96e85ec2e4e4e748f1eccff44ef0e0797924b9de1c81cfc8c6eac99539bc90c8
Instruction Fuzzy Hash: F50165B4D08648DBDB04CFAAE4446BDBBFEFB49304F10E129E526A7298D7744A00CF00

Uniqueness

Uniqueness Score: -1.00%

Function 053F0100, Relevance: .7, Instructions: 661COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3693f760a744bc5db147acd949b14e4f8711253e1fae9ac2015c7f8c2aaf0c
Instruction ID: 18feb1519fc91f98bb0576d8f8d06e51931cdb88a1bcda8222f70bea039e892f
Opcode Fuzzy Hash: 7a3693f760a744bc5db147acd949b14e4f8711253e1fae9ac2015c7f8c2aaf0c
Instruction Fuzzy Hash: D062BF34A01219DFDB64DB64C884BD9B7B2FF8A314F5180E8D549AB360DB31AE89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 053F0110, Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8214356139ff3ed5ff5362530c9ea0554f0a9a375fe81d967020a3b685eb52
Instruction ID: 12903c72621f85f586022a4d3b3f32d993e7bfbc67f64fbedbb31b3407b6ead4
Opcode Fuzzy Hash: cf8214356139ff3ed5ff5362530c9ea0554f0a9a375fe81d967020a3b685eb52
Instruction Fuzzy Hash: 7A62BF34A01219DFDB64DB64C884BD9B7B2FF8A314F5180E8D549AB360DB31AE89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 053F5C08, Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bc0f866b86fd4fcbff5242bf30932fb6ca047b5f8006198e32302d8cc1cc97
Instruction ID: c194992a845c1c01c75b00cd1b44a267eb4b6e489eedb7fff72f7aebd1c9c365
Opcode Fuzzy Hash: e7bc0f866b86fd4fcbff5242bf30932fb6ca047b5f8006198e32302d8cc1cc97
Instruction Fuzzy Hash: D9C19078E09208EFCB04CFA9D9849EDBBFAFF49310F109565E916AB315D731AA418F50

Uniqueness

Uniqueness Score: -1.00%

Function 053F3CFB, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdfec344a2188fc4b012d11a0bdfa3681de2f647c76eaf2f3847b803a26981d
Instruction ID: a400f9ad820aafbab86c9484b691d7f58cec297ddcc89dc0fcbd156592c8913a
Opcode Fuzzy Hash: 2cdfec344a2188fc4b012d11a0bdfa3681de2f647c76eaf2f3847b803a26981d
Instruction Fuzzy Hash: 88C17A70A05245CFEB10DF98D188AAEFBF6FB04358F15E155D214AB292C7B9E885CF60

Uniqueness

Uniqueness Score: -1.00%

Function 053F3D4D, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4508f773ed3dc83a3e44981f0c3f0d400a354e9046e10fdd5f6e81a1366b1b3
Instruction ID: 29cab60cfc3a7dd2f137a0bd145b9097ae0925cdff8e5ff189bdf58dde5a8d41
Opcode Fuzzy Hash: d4508f773ed3dc83a3e44981f0c3f0d400a354e9046e10fdd5f6e81a1366b1b3
Instruction Fuzzy Hash: 96C17A70A01285CFEB10DF98D188AAEFBF6FB04358F15E155D214AB292C7B9D885CF60

Uniqueness

Uniqueness Score: -1.00%

Function 053F3D7C, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b449cbc4d8a2679126946bb75da56b2de76b98558ee295c63d1013bb97274d10
Instruction ID: 1793180c9982b337bd72c03184f0bbee52438a7297b07101228a7dd4448beb83
Opcode Fuzzy Hash: b449cbc4d8a2679126946bb75da56b2de76b98558ee295c63d1013bb97274d10
Instruction Fuzzy Hash: 11C17A70A01245CFEB00DF98D188AAEF7F6FB04358F15E155D214AB292C7B9E885CF60

Uniqueness

Uniqueness Score: -1.00%

Function 053F1290, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055b135683984276879ca490cf01e3b1623b68181d9fc337e6cdfafc95df865c
Instruction ID: 08c4a83dd535e8ff36074487fa375a22f19ac41770361bad3cdee3b19cdff0ee
Opcode Fuzzy Hash: 055b135683984276879ca490cf01e3b1623b68181d9fc337e6cdfafc95df865c
Instruction Fuzzy Hash: CAA12671E05228CFDB24CFA5D844BEEBBB6FF85314F1480AAD109AB251D7709A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 053F4DF8, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92adb54df39e13b534cffe3c1826760c8b5c6ffeb172cfa8a6b2f8a6f27b145f
Instruction ID: af5225d3b26bc5db4232b182cafa1232b3df28fecac7d3dba3878c8091f70a36
Opcode Fuzzy Hash: 92adb54df39e13b534cffe3c1826760c8b5c6ffeb172cfa8a6b2f8a6f27b145f
Instruction Fuzzy Hash: 6391E0B4E08209CFDF10CFA9C484AEEBBFAFF49314F249129D919AB255D7709946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 053F5A8E, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7969533b94789e2d0ecaee0b5941863feb3ee8b8d098202d011ec2efe8d2367
Instruction ID: affb08ef39a3c58b37a10b637f5c1d8297aa30a5af044b75b01b89ab352d88de
Opcode Fuzzy Hash: b7969533b94789e2d0ecaee0b5941863feb3ee8b8d098202d011ec2efe8d2367
Instruction Fuzzy Hash: B061A078A09208EFCB04CFA8D5849ADBBFAFF4A310F109165E91AAB355D731AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053F3518, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d37a5c1b83c884bf5018b71e54e6de60b26f7142ca2fae451e148adf28623d
Instruction ID: 13d361b37e964cebfa973f1928c7ae6fb515be8e06c7c807074de7459b1b10f9
Opcode Fuzzy Hash: 51d37a5c1b83c884bf5018b71e54e6de60b26f7142ca2fae451e148adf28623d
Instruction Fuzzy Hash: F951F270D0A208DFDB04CFA9D584BEDBBBAFB89301F109859E519A3750D7748A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053F4C72, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcaabdca3da58fb8d63a7169ceb23e5e6304b80e80e869d9bed0adc5cc3354a
Instruction ID: 442ea5c0429631ff97ee6309dc69f38ee5bf5535bbaf9c77de5d4eed4769028f
Opcode Fuzzy Hash: 4dcaabdca3da58fb8d63a7169ceb23e5e6304b80e80e869d9bed0adc5cc3354a
Instruction Fuzzy Hash: 96411474D09219EBDF00CF98C980AEEF7BAFF49304F10A161EA15AB612D770A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 053F1AD8, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a703db7513cc1b0a7a453c537fb9ba62ea566becbcb74cad1f9ea2b8f0caa7
Instruction ID: 81eac5c2a21c880291d16c9ff754aefc1d0f80b8db1c3bec7c5d2d23d150afb2
Opcode Fuzzy Hash: 40a703db7513cc1b0a7a453c537fb9ba62ea566becbcb74cad1f9ea2b8f0caa7
Instruction Fuzzy Hash: B341F674E01208DBDB18DFAAD884BAEBBF6AF89304F108029D506BB354DB715946CB44

Uniqueness

Uniqueness Score: -1.00%

Function 053F3564, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b47e957f698cc5f00479952317e49846f58910c76cc160d8f821d882a8155fa
Instruction ID: 4b78d1551e4d7a89e4c6d2bd70cda870dad33281a1827cd6948238174288ee75
Opcode Fuzzy Hash: 4b47e957f698cc5f00479952317e49846f58910c76cc160d8f821d882a8155fa
Instruction Fuzzy Hash: FD410474D09248DFCB41CFA8C588BECBBB6AF0A304F14949AE545AB792C7749A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 053F63E9, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139b82e92144ce4a0a9d915ea8ac5eeb0834215b0bdded947b07e3976e0e73e0
Instruction ID: d3aa444740c62ff8bb30d86f55f715898403595d145c34d829157b156238b078
Opcode Fuzzy Hash: 139b82e92144ce4a0a9d915ea8ac5eeb0834215b0bdded947b07e3976e0e73e0
Instruction Fuzzy Hash: 3F41E674E04209DFCB09DFA9D541AAEBBB6FF89304F208069D905A7394DB35AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053F0BF8, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e58ab56fb1a5de966850c096530a96e325019956d5eb21c21ea6ca92c0af01e
Instruction ID: 219ea2e83bf5db75ddc99440084dc7cd178320421bb09c2b11bdfeb8388b06b0
Opcode Fuzzy Hash: 9e58ab56fb1a5de966850c096530a96e325019956d5eb21c21ea6ca92c0af01e
Instruction Fuzzy Hash: 6341B1B4E00218DFDB48DFA9D985AAEBBF2FF88300F208169E914A7364DB755941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053F0C08, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47fcf111c23a6de3c266f126810193fb74947e93402ebb066c0e93f4ccfe526
Instruction ID: 8e331fdafd34792121b0adea0ada71e699d144ae902b455548535c53e1e1c990
Opcode Fuzzy Hash: f47fcf111c23a6de3c266f126810193fb74947e93402ebb066c0e93f4ccfe526
Instruction Fuzzy Hash: FC4190B4E00219DFDB08DFA9D985AAEBBF2BF88304F208169E914A7354DB756941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053F19D8, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18d103e571e55d1a3a5f305aad9e58564473dcf1318c2b661110567e2bbf5ab
Instruction ID: ee9541d86a33b7dfa26409cb6f29c205df1f34e377323eb61e8ac73633283635
Opcode Fuzzy Hash: d18d103e571e55d1a3a5f305aad9e58564473dcf1318c2b661110567e2bbf5ab
Instruction Fuzzy Hash: CA213730B04355CBDB04DBBCD810BAEBBBABFC5600F20446AD205AB395DE748E01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 053F53EA, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d688899bb51c8564b2fcd03beb3eab57a91c1fca45626fb14fdbc3ebd4b473b8
Instruction ID: f5f13a33a7e779d6b8b1f0b8f1ab8b6b9c5258f2b236d0c6c501fa970afcf8f3
Opcode Fuzzy Hash: d688899bb51c8564b2fcd03beb3eab57a91c1fca45626fb14fdbc3ebd4b473b8
Instruction Fuzzy Hash: E131A578E05208CFCB04CF98D4849ADBBBAFF4A311F119155E91AAB311D730EA42CF40

Uniqueness

Uniqueness Score: -1.00%

Function 053F543E, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6340fdaf550b0def6dacfdf322ec6255eb66a2ad3a49e912772239d7ca8216f2
Instruction ID: bbc84850f4ac5b45037adca678655bb689695eae2f2eca2e9b2e14aec4133319
Opcode Fuzzy Hash: 6340fdaf550b0def6dacfdf322ec6255eb66a2ad3a49e912772239d7ca8216f2
Instruction Fuzzy Hash: 99317278E05208CFDB04CF99D4849ADBBBAFF49311F119169E91AAB311DB30EA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053F4A90, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929fd4a6788e875f1e81b85530c1f2101c40a5fc6e4c3812468377b6f5d7ad72
Instruction ID: c888b92d1d9966b505085c9274d0744676ae623cbdd4221aa67ddb341857bf1e
Opcode Fuzzy Hash: 929fd4a6788e875f1e81b85530c1f2101c40a5fc6e4c3812468377b6f5d7ad72
Instruction Fuzzy Hash: 1721CF35D0020ACBCB00EBA4E8C679EBBB1FB45301F14DBAAD91997381D771DA02CB51

Uniqueness

Uniqueness Score: -1.00%

Function 053F0006, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f635d08ee442b59eaeb147076a7bb2e24673ecf548c0a5d8f063cf790c830ee
Instruction ID: 64bc172fd377991bc1b2057ca03e8ae23f00f003e15a7e1bc1952003bb06a0e0
Opcode Fuzzy Hash: 1f635d08ee442b59eaeb147076a7bb2e24673ecf548c0a5d8f063cf790c830ee
Instruction Fuzzy Hash: DE117C6144E3C29FC307AB748CA66657FB4AF03101B0A48DBC081DB2A3D5699909D772

Uniqueness

Uniqueness Score: -1.00%

Function 053FA6AA, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e690f72ecb50aee905833e0212882166d9b9b11901049bee824d35f50af7e65b
Instruction ID: 664bd75e3cb2a4924db59cbf7d9f6998dd284dfb865f7de2073964a341874e7f
Opcode Fuzzy Hash: e690f72ecb50aee905833e0212882166d9b9b11901049bee824d35f50af7e65b
Instruction Fuzzy Hash: 56219EB4E152088FCB40DFE8D494AEDBBBAFF89300F10A42AD519AB754DB315845CF40

Uniqueness

Uniqueness Score: -1.00%

Function 053F22C4, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a49190d8b0e3cf2ed1831aa928924e38b53e5b7a46310459af7fad6719fd9a
Instruction ID: 999df5789fee196be1ed2b0e5d5016c44b1067469ca60de52410e7efe4bc040f
Opcode Fuzzy Hash: b3a49190d8b0e3cf2ed1831aa928924e38b53e5b7a46310459af7fad6719fd9a
Instruction Fuzzy Hash: C4212A74E01209DFDB44EFA8D884AAEBBB2FF88305F148169D905E7395DB349D05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02D5075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.242815651.0000000002D50000.00000040.00000040.sdmp, Offset: 02D50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8049f94835600b5b36868fae3f821c2671fbf9fd61075ba61e8faeeee1758044
Instruction ID: 3ac87c9ce54ea842d866b029042fbfe1abfe5f44f31691869f141da511090fb0
Opcode Fuzzy Hash: 8049f94835600b5b36868fae3f821c2671fbf9fd61075ba61e8faeeee1758044
Instruction Fuzzy Hash: A211E434204644EFDB05CB20C980B26BB91AB8C709F24C59CED491B743C7BBD803CE51

Uniqueness

Uniqueness Score: -1.00%

Function 053F1147, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4d5099e961741a3c8718e98c40d179ee10bebf8bb2c5a20be1f1be51285392
Instruction ID: fcda27d6cef7cfdbd52a313f0687d024c91c25fd6dddf2a1541051fa65fcd76b
Opcode Fuzzy Hash: 4d4d5099e961741a3c8718e98c40d179ee10bebf8bb2c5a20be1f1be51285392
Instruction Fuzzy Hash: B921D674E04219DBCF18DFE9D9446EEBBB6FB88300F10916AD911A7350D7389A41DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D50726, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.242815651.0000000002D50000.00000040.00000040.sdmp, Offset: 02D50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12649c9c1173b596e825d770e2e7fb0cc60198ebcbe0d211cd912b0b203e6fd
Instruction ID: 009d84b0f5856fad6bfb6c410c087a8f014d04eee3fc70b016052bd36ba531a7
Opcode Fuzzy Hash: f12649c9c1173b596e825d770e2e7fb0cc60198ebcbe0d211cd912b0b203e6fd
Instruction Fuzzy Hash: 812190351097C49FD7138B24C850B15BFB1AF4B714F2986DAD8888B7A3C3769C16CB52

Uniqueness

Uniqueness Score: -1.00%

Function 053F22E8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d454cc64d0c9709172e0220d416e1e7165728e0de6b7fb067a06d9de82b35e1
Instruction ID: 6d6642f533e4951b7fc3abe3534ab4581d8a166cb19bff7a6d8907b53dc7dcee
Opcode Fuzzy Hash: 1d454cc64d0c9709172e0220d416e1e7165728e0de6b7fb067a06d9de82b35e1
Instruction Fuzzy Hash: 6521F474E01209DFDB44EFA8D8849AEBBF6FF88304F108169D805A7394DB749D05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D505CF, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.242815651.0000000002D50000.00000040.00000040.sdmp, Offset: 02D50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71003a8ad1cb42a7cba4f9131ee7327ab5b92b92758314b5207abab12b736aa1
Instruction ID: 64fb41c2e21aba20f395382172f3316b44f97f1cbb5f7f29245c6779e5344f94
Opcode Fuzzy Hash: 71003a8ad1cb42a7cba4f9131ee7327ab5b92b92758314b5207abab12b736aa1
Instruction Fuzzy Hash: 1FF0F9B55097805FC7018F16EC41893FFE8DF86630B0984AFED89CB612D165B948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 053FA4D8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e599f51a57714ff5362ee0b503453942b0a91ec56ce599d8905532440eae10
Instruction ID: a49dc767f3e2615c25ad1217c4595df107345093ffbc3afd1251fecd89e8e6ed
Opcode Fuzzy Hash: 90e599f51a57714ff5362ee0b503453942b0a91ec56ce599d8905532440eae10
Instruction Fuzzy Hash: 51F0B475A49304DFD700DF64E4857A9BF74EB42306F14969AE549A3282D3364D11CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 053F4B08, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688d159863fcce3b884260bb3dffc49694a50e0da6f424ee22e2450d809d9b2e
Instruction ID: 9a52f571f740dca40e4ca3f6a5da8f566fbc62ab128249460feeb8714ca5e783
Opcode Fuzzy Hash: 688d159863fcce3b884260bb3dffc49694a50e0da6f424ee22e2450d809d9b2e
Instruction Fuzzy Hash: 0B019674E0020ADBCB04EFA8D54869EFBB5FF44304F1092A9D915A7395DBB0AE45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D50818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.242815651.0000000002D50000.00000040.00000040.sdmp, Offset: 02D50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 08ce83347792cff70da9520e267923518745e50564143169e61d2067c138b611
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 94F0FB35104644DFC605DB40D940B15FBA2EB89718F24C6A9E9490B752C777D813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 053F0D39, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af465df3c9bdd060eb52b5563c45015ac78ce1cabc28efa95c59ca3ed3fe3419
Instruction ID: bf4adabcb21ead5b2ca57f5a184ee93d818a1408bd79f9af6ae67305c37cec88
Opcode Fuzzy Hash: af465df3c9bdd060eb52b5563c45015ac78ce1cabc28efa95c59ca3ed3fe3419
Instruction Fuzzy Hash: A3F05E78904308EFCB04DFA8E48AAACBBB5FB18340F1081A9EC0593324D735AA14DF81

Uniqueness

Uniqueness Score: -1.00%

Function 02D505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.242815651.0000000002D50000.00000040.00000040.sdmp, Offset: 02D50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec1ef82579daf2b8c9cc38537c1cfac77f42fc709b88337f3192c8724776a5c
Instruction ID: c53bb12bfc82ba11a236d87c96f1279621e119da1e0384379a7a9b309a00d888
Opcode Fuzzy Hash: fec1ef82579daf2b8c9cc38537c1cfac77f42fc709b88337f3192c8724776a5c
Instruction Fuzzy Hash: 88E092B66446008BD650CF0BEC41462F7D8EB88630B18C07FDC0D8BB00E575B504CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 053F00B9, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d4383c84877ea9263bf8781e4d81c525b1aa4adf8dacf6c77ccfa3bf39aea4
Instruction ID: bbb3a83b852a28e1d90345cb3b59f6288dfd56bf3033789b5e85d0ee3f6b32ec
Opcode Fuzzy Hash: 93d4383c84877ea9263bf8781e4d81c525b1aa4adf8dacf6c77ccfa3bf39aea4
Instruction Fuzzy Hash: CCE01A7194210CABCB08DBA9C941BADB7A5EB56304F5465A8940973350EA70AE04AE54

Uniqueness

Uniqueness Score: -1.00%

Function 053FB8DE, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20fd800b643f7ffd58f803c10c0b941be3eccf2461b5a1e32a2e65c2ddd1657c
Instruction ID: 3896b000c902168b41cfa25f26244fb0203daeb3ccafe99799c777be75cc4080
Opcode Fuzzy Hash: 20fd800b643f7ffd58f803c10c0b941be3eccf2461b5a1e32a2e65c2ddd1657c
Instruction Fuzzy Hash: B4F0B275E4022ACBDB24DB68D950BEDBBB5EB84304F0090EAC21DA7210DB315E85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 053F0070, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d405bfb9889bde752f8fcbde16fc0dff8397725939da6b4790644a8dfcef0267
Instruction ID: 028a35684f76c8bed5e2af5470e1720d34ded962a278361cdf1640cbdcdec4c9
Opcode Fuzzy Hash: d405bfb9889bde752f8fcbde16fc0dff8397725939da6b4790644a8dfcef0267
Instruction Fuzzy Hash: BDE0C27098230AD7CB1CFBB8D916A3EB378EF43A08F101C6C850627241DE769E14EB65

Uniqueness

Uniqueness Score: -1.00%

Function 053F1A98, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b9d45ae4c5885d0175bd75983eb90ef346b55490a77990ebcc2824b36a994d
Instruction ID: 33c385e2edf3401115d54c8f5be5270ebfb3b03adf9561a880dd68f82f11e140
Opcode Fuzzy Hash: e6b9d45ae4c5885d0175bd75983eb90ef346b55490a77990ebcc2824b36a994d
Instruction Fuzzy Hash: 31E0C234945308EBCB08DBA8F4053DC7BBCEB44311F1405AE8A04A3B40D6399D51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 053FA500, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d6c60eec0c0253c04013778927c0ee3a223ef2f61b3ef542219ecb4c133051
Instruction ID: 692954de8260b465eaab75b3429c5669360009fa629c037678ea4defbf36ef8d
Opcode Fuzzy Hash: d2d6c60eec0c0253c04013778927c0ee3a223ef2f61b3ef542219ecb4c133051
Instruction Fuzzy Hash: 09E04F70906208DBC710EFA4E44977DBB38FB41305F101169E90923285D7715D40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 053F00C8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7fd222e0b493beaa6d1a089170e61184fd4fdcfb6aeec0e3f2ecebeccc5578
Instruction ID: 0a941b666e90d7cd6ae5689150498e4878662b2a36f4c78584bf24e64839d1f2
Opcode Fuzzy Hash: ab7fd222e0b493beaa6d1a089170e61184fd4fdcfb6aeec0e3f2ecebeccc5578
Instruction Fuzzy Hash: ADE08C3090120CDBC708DFA9C900FAEF3B8EF86300F5090A8840873220DA30AE04DF94

Uniqueness

Uniqueness Score: -1.00%

Function 053F0BB9, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf1115bd206a60388966ac8290f5eb50f50aebdd73ae97cfe5a452d0e22a405
Instruction ID: acdc630311e0ddff8e57b4110879781e122b50aaeedf61ff8cb368bcb6f13cc0
Opcode Fuzzy Hash: dbf1115bd206a60388966ac8290f5eb50f50aebdd73ae97cfe5a452d0e22a405
Instruction Fuzzy Hash: CCE0C23188520C97C708AFA8D805B5DBB74AB12304F20106CC50423341D670AA588BA5

Uniqueness

Uniqueness Score: -1.00%

Function 053FA984, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dfac25b4290dd824662f3d0a38d305041120f8d2ee78f199cb2db58bc0a301
Instruction ID: 7fe0ee0abb4cc4a6f7426198c1e376d8bba0b69f1a1355b2ddad5b01b7cb41ef
Opcode Fuzzy Hash: e2dfac25b4290dd824662f3d0a38d305041120f8d2ee78f199cb2db58bc0a301
Instruction Fuzzy Hash: C2E08C7480934D8FCB519FA8D8485DDBFB5BF0A210F100149E0A9AB291C7301900CF80

Uniqueness

Uniqueness Score: -1.00%

Function 053F0BC8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4755f14267637f4dc301378ca9b0f14dd8d9d5367a8f735d735a6e0742aeb655
Instruction ID: 7bff691a8392828a76b7cca8dbbc45f1d70cdbbcde6213b0985987ede4ef24eb
Opcode Fuzzy Hash: 4755f14267637f4dc301378ca9b0f14dd8d9d5367a8f735d735a6e0742aeb655
Instruction Fuzzy Hash: 80D0A730C8520C97C708AFA89804A6EBB78AB02304F1011ACC40423341CA709A58CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 013E23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.242685192.00000000013E2000.00000040.00000001.sdmp, Offset: 013E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002b67f8b2fc539ca6ace82ab9349465bdf0b50b13ccc0e131c98554d96ee3c3
Instruction ID: f5aa8cf8e5bdaca4cc8f79bb4802e42e59cbe747cee41b795a2f2887347280a0
Opcode Fuzzy Hash: 002b67f8b2fc539ca6ace82ab9349465bdf0b50b13ccc0e131c98554d96ee3c3
Instruction Fuzzy Hash: C4D05E79215B918FE3268B1CC1A8B963FE8AB51B08F4644FDE8008B6A3C368D981D600

Uniqueness

Uniqueness Score: -1.00%

Function 013E23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.242685192.00000000013E2000.00000040.00000001.sdmp, Offset: 013E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90af7832fd8db9dff60069b0ca451f94d7d5c269656d8a3b2962e43992e5a7a6
Instruction ID: 1261f02c4e4d5d316ea024993e952b47ed04bdaa40ac0917df739f76f8a75fb5
Opcode Fuzzy Hash: 90af7832fd8db9dff60069b0ca451f94d7d5c269656d8a3b2962e43992e5a7a6
Instruction Fuzzy Hash: 81D05E342003818BD715DB0CC598F5A3BD8AB41B04F1644E8AD008B6A2C3A4D881CA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 053F8F20, Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

`5ar, xrefs: 053F9075
$g^r, xrefs: 053F9045
X1ar, xrefs: 053F90D6
X1ar, xrefs: 053F909D

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: $g^r$X1ar$X1ar$`5ar
API String ID: 0-3675486359
Opcode ID: 8be151f15f8dab708f850e740a02ba8db94868b4826e37badcc6e862e157de09
Instruction ID: a1e90807359e3078e353b18291e2d2e9cfa33e326092bd8a64d6c8b47c5003c0
Opcode Fuzzy Hash: 8be151f15f8dab708f850e740a02ba8db94868b4826e37badcc6e862e157de09
Instruction Fuzzy Hash: 9071C136A006029FCB14DB78CC86BAEBBB2FF85314F248559E606DB3A1DB749841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 053F8FA8, Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

`5ar, xrefs: 053F9075
$g^r, xrefs: 053F9045
X1ar, xrefs: 053F90D6
X1ar, xrefs: 053F909D

Memory Dump Source

Source File: 00000002.00000002.246461237.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: $g^r$X1ar$X1ar$`5ar
API String ID: 0-3675486359
Opcode ID: d109732536f7e359c319fd583166f1b4125df7de093491511763f6b9d0c4f1d8
Instruction ID: 12c7a9b869e221265104e1170f8caf3772dc35e7e703ff07afb4700f262d802c
Opcode Fuzzy Hash: d109732536f7e359c319fd583166f1b4125df7de093491511763f6b9d0c4f1d8
Instruction Fuzzy Hash: 74513D35B005169FCB14DF69C858BAEBBF2BF88314F208169E616AB3E0DB359C40CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 5344 Parent PID: 4576 RegSvcs.exeCOMMON

Executed Functions

Function 031B6F58, Relevance: 23.6, APIs: 1, Strings: 12, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 031B76AD

Strings

X1ar, xrefs: 031B7599
X1ar, xrefs: 031B7767
X1ar, xrefs: 031B7036
X1ar, xrefs: 031B75F6
X1ar, xrefs: 031B7791
X1ar, xrefs: 031B757A
X1ar, xrefs: 031B75D0
X1ar, xrefs: 031B706E
X1ar, xrefs: 031B7800
X1ar, xrefs: 031B70DA
X1ar, xrefs: 031B78B2
X1ar, xrefs: 031B782F

Memory Dump Source

Source File: 00000004.00000002.491030362.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar
API String ID: 2994545307-51262497
Opcode ID: 9e141c7d9ea028b0ebc8bb766818eab90c113cfbda516915b9c8a391c9f6f412
Instruction ID: ea6ae78af06ef3ba4860edda56c5f71ea6ab06c47376126d596632d0709304ab
Opcode Fuzzy Hash: 9e141c7d9ea028b0ebc8bb766818eab90c113cfbda516915b9c8a391c9f6f412
Instruction Fuzzy Hash: C4625131E00619CFDB65DF68C844BDEBBF2AF89300F1585A9D909AB291DB71AE45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 018CAF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 018CAF87

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 7af98b975b7f5136062a0138b985e15e13ab4722fff5a77cc7abcce0004d4b3a
Instruction ID: c454741360adb5c0f674b2e8c274670e4b32433cecc379ed9ad1b8bfe24c5e40
Opcode Fuzzy Hash: 7af98b975b7f5136062a0138b985e15e13ab4722fff5a77cc7abcce0004d4b3a
Instruction Fuzzy Hash: 6A219175509784AFDB278F25DC40B52BFB4EF06310F08859AE985CF163E271D908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 018CB089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 018CB0F5

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 5576919014540d17920c07166d13c235864faba9319269f500312e7146ba09a6
Instruction ID: b4cabbc0d933fd375c074f0f8af403881b4f4ac0bcde538feaa98e36c54a8bd3
Opcode Fuzzy Hash: 5576919014540d17920c07166d13c235864faba9319269f500312e7146ba09a6
Instruction Fuzzy Hash: 4A11BE724097C0AFDB228F24DC41A52FFB4EF46320F0980DAE9848B163D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 018CAF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 018CAF87

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 2a1dc8ee1fa593c3ac45885f05f022c4e392619aa1071d253e33156532efc37e
Instruction ID: c45c002ea0d054cbec319593100abf81680a6d0be74db7c18cbb68b5da7754a8
Opcode Fuzzy Hash: 2a1dc8ee1fa593c3ac45885f05f022c4e392619aa1071d253e33156532efc37e
Instruction Fuzzy Hash: 1411BC715006089FDB20CF69D880B56FBE4EF04720F08C46AEE49CB652E271E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 018CB61E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 018CB66E

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: cd7b69b5f8e9e7173ab9234f382f78b31aac692ba999f29ee926ae4427d643ed
Instruction ID: 756bf4b8db4fab05ec92908b8643955f95fefd49e760031a0ccf44c648237770
Opcode Fuzzy Hash: cd7b69b5f8e9e7173ab9234f382f78b31aac692ba999f29ee926ae4427d643ed
Instruction Fuzzy Hash: 8B01A271500600ABD210DF16DC86F26FBA8FBC8B20F14815AED085B741E331F515CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 018CB0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 018CB0F5

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 587deb89377dbc29867dea48b1ec55b0de3183c7cf5cf17e4b1cd6fb7dc3ec9b
Instruction ID: 85421f6e7d2dd1e6ee13bc2d9a71bdc5820d29d233e165b1e73afd071feaf973
Opcode Fuzzy Hash: 587deb89377dbc29867dea48b1ec55b0de3183c7cf5cf17e4b1cd6fb7dc3ec9b
Instruction Fuzzy Hash: 3B017C31400A449FDB218F59D885B62FFA0EF44760F08C09ADE894B212D275E518CB62

Uniqueness

Uniqueness Score: -1.00%

Function 031B3080, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 802COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 031B3128

Strings

:@:r, xrefs: 031B3B23
:@:r, xrefs: 031B3F4B

Memory Dump Source

Source File: 00000004.00000002.491030362.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: :@:r$:@:r
API String ID: 6842923-2124224625
Opcode ID: b680ebde5686946323c524bb4283d35c5129aaa949365b2d2b300b733f33ba3b
Instruction ID: 8ea47c7c642295ecb6fc1fa3db245442a025b7c83a6a4aef50ff987beb8a5117
Opcode Fuzzy Hash: b680ebde5686946323c524bb4283d35c5129aaa949365b2d2b300b733f33ba3b
Instruction Fuzzy Hash: 6682B774A112298FDB65DF68D894A99BBF6EF88301F1090E6E80DE7354DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 031B30B0, Relevance: 1.8, APIs: 1, Instructions: 342COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 031B3128

Memory Dump Source

Source File: 00000004.00000002.491030362.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 01999d07e264506efaa0092c6b00fbe9f62288e2767a254c93836d14a301bd71
Instruction ID: 114dbbd0b848f7e1022cdaaf6aeaddbc2467d4644e1db7ee440ea89a11364edf
Opcode Fuzzy Hash: 01999d07e264506efaa0092c6b00fbe9f62288e2767a254c93836d14a301bd71
Instruction Fuzzy Hash: 1402A678A212298FDB66DF68D884A99BBF5FB48310F1191E6D80DE3350DB319E81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 031B3104, Relevance: 1.8, APIs: 1, Instructions: 332COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 031B3128

Memory Dump Source

Source File: 00000004.00000002.491030362.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ebbdd890ecfffd3a797cff972e80e3c77e46767c15a491afb2f8d7f8a8bbf745
Instruction ID: 1bfa5b314a7c132340295b5ef2bde06f37b8ed2003f084e4eb8c4e389cb1c585
Opcode Fuzzy Hash: ebbdd890ecfffd3a797cff972e80e3c77e46767c15a491afb2f8d7f8a8bbf745
Instruction Fuzzy Hash: 4102A578A212298FDB66DF68D884A99BBF5FB48310F1190E6E80DE7350DB315E81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 066AAEFF, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 066AAFC5

Memory Dump Source

Source File: 00000004.00000002.496449632.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc4d2991b2de82a311dd44b9946ef2a0f1e37d0186d1af988d68fc3e0c46b4b2
Instruction ID: 3fb62d33934f50e45a615e50327a5b6db0f05182e797442a6297d11f030e526d
Opcode Fuzzy Hash: dc4d2991b2de82a311dd44b9946ef2a0f1e37d0186d1af988d68fc3e0c46b4b2
Instruction Fuzzy Hash: 57516070A003459FDB14DBB8D944AAEBBB6FF88304F14856AE505DB285EB34DD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 066AAF60, Relevance: 1.7, APIs: 1, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 066AAFC5

Memory Dump Source

Source File: 00000004.00000002.496449632.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 204a61d83d34339a7a50108262ac8843f24092365eb999bf608bbd8af3628ab9
Instruction ID: 517ff8ef2ef85fe7272755b6d0a9392d43f7a2e52a778e275ba0ba3e102dc71b
Opcode Fuzzy Hash: 204a61d83d34339a7a50108262ac8843f24092365eb999bf608bbd8af3628ab9
Instruction Fuzzy Hash: 63512E70B003059FCB54EBB8D854AAEB7B6FB88304F148569E516DB284EF70DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 060911CE, Relevance: 1.6, APIs: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?), ref: 060912A5

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 71caa61f63398a8e7a168be650ee1413b91a9c707da3aa46e78e7ec6e7c24d3c
Instruction ID: 4de6a4414d260e45bc541ebfb85b1a9793b3e7d1aef74448f5ab67dfa81536fe
Opcode Fuzzy Hash: 71caa61f63398a8e7a168be650ee1413b91a9c707da3aa46e78e7ec6e7c24d3c
Instruction Fuzzy Hash: 1E41B1715493806FE7138B25DC44BA6BFB4EF47210F0884DBED84CB263D225A809DB72

Uniqueness

Uniqueness Score: -1.00%

Function 018C2477, Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

>r0., xrefs: 018C2511

Memory Dump Source

Source File: 00000004.00000002.490520560.00000000018C2000.00000040.00000001.sdmp, Offset: 018C2000, based on PE: false

Similarity

API ID:
String ID: >r0.
API String ID: 0-1700124556
Opcode ID: aa9f6943ad2db63b6d8c32fd1d40278a3a681921a394e261e72200f62394f948
Instruction ID: c66b72043a3219c1bca135cc31d5829e94155c31752de62455d4883e0b107774
Opcode Fuzzy Hash: aa9f6943ad2db63b6d8c32fd1d40278a3a681921a394e261e72200f62394f948
Instruction Fuzzy Hash: 00C1A0A291E3D18FC7174B348868555BF735E27B2471D04CFE582CA1E3E239CA06E76A

Uniqueness

Uniqueness Score: -1.00%

Function 018CA8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 018CA989

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fc411ca0a7358ab139b705a9f8f407c681f1000758804de62108fe24cece76c0
Instruction ID: 330955034a1ad95c1322677c95c6846eebc80dbeaac2e51c1f872a39b9c8e1da
Opcode Fuzzy Hash: fc411ca0a7358ab139b705a9f8f407c681f1000758804de62108fe24cece76c0
Instruction Fuzzy Hash: FE318272404784AFE7228B25CC85FA7FFBCEF46710F08859BE985DB152D264A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 018CA9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 018CAA8C

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 92c71f70e95e7727a1a210230e4e646e5c3f9bd9d097dfd9f2fb48074ccec009
Instruction ID: 08d39047b08dad0c93f21932d8c0e6e2c3712adb577f27819601336b9a98196f
Opcode Fuzzy Hash: 92c71f70e95e7727a1a210230e4e646e5c3f9bd9d097dfd9f2fb48074ccec009
Instruction Fuzzy Hash: 0031B371105784AFE722CF25CC44F92BFE8EF06710F08849AE985DB253D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 018CB21C, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 018CB2B0

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 6672f6ff1d9b74536e7023f4ff950cb98b068064d5879bf939d293fd9b8d42b5
Instruction ID: c866b72dd97fbd3c340a0792bc7e01113bb4ddcf4d08804c6fb6870e0654e53b
Opcode Fuzzy Hash: 6672f6ff1d9b74536e7023f4ff950cb98b068064d5879bf939d293fd9b8d42b5
Instruction Fuzzy Hash: A721F372509380AFEB128B25DC45F96BFB8EF43324F0880EBE984DF193D2649905C761

Uniqueness

Uniqueness Score: -1.00%

Function 018CB309, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 018CB3B6

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: b1a87dde4eb8702eb00c6b659316bcd0cebdb339f2cb3512148b01ee05d66a04
Instruction ID: 3eaa654ee1b8bdec4748482e19a94ff0bc580830b6a7d5c5eb05b359b44d47a5
Opcode Fuzzy Hash: b1a87dde4eb8702eb00c6b659316bcd0cebdb339f2cb3512148b01ee05d66a04
Instruction Fuzzy Hash: 6A31937154D3C05FD7038B218C55B66BFB4EF87610F0980CBD984CF2A3E6246909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 018CA120, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 018CA1C2

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 6b38778799aaaea7cde0210dd00ad4013a9ad1edce766d7dcf1e24ea2c0abe73
Instruction ID: 865ebeed19e2c4579a8376254f67b9afbc138d4eb9a12f584c62029bebff09e9
Opcode Fuzzy Hash: 6b38778799aaaea7cde0210dd00ad4013a9ad1edce766d7dcf1e24ea2c0abe73
Instruction Fuzzy Hash: 4B21D67140D3C06FD3128B358C51BA2BFB4EF87610F1981DBDD848F193D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06090B18, Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 06090BB8

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7b0f60646c7481412deda550667d21abaa38095eeb4a4a30446c6732fcdff84d
Instruction ID: 0af1127c43ad70877c2e79ddef149ff0bb197a7b495ed686857dfdd27380efde
Opcode Fuzzy Hash: 7b0f60646c7481412deda550667d21abaa38095eeb4a4a30446c6732fcdff84d
Instruction Fuzzy Hash: 8721B172548380AFDB228B25CC40F97BFF8EF46314F08849AEA859B252D365E449CB71

Uniqueness

Uniqueness Score: -1.00%

Function 060912FC, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 06091391

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 22bc9752f7b25f86fd4ebd6306f7d1b6a62364b922df03724d89f082828ff707
Instruction ID: a293b5023e24379bb3b2e323b399e1b5e19064eabb97eee9e8f9e3e0e02d652b
Opcode Fuzzy Hash: 22bc9752f7b25f86fd4ebd6306f7d1b6a62364b922df03724d89f082828ff707
Instruction Fuzzy Hash: 7421D6B65087806FE7128B25DC40BA6BFB8EF47720F1880DBED949B153D264A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 06091226, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?), ref: 060912A5

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a16745a8b032478661374affbb629131cf1fe69f8f4e6afe27af1db4c22d499b
Instruction ID: f9188a32c895bc8b74bc0f00d17b5824738cf138e2b59041cd77cb6e1c8c9aa4
Opcode Fuzzy Hash: a16745a8b032478661374affbb629131cf1fe69f8f4e6afe27af1db4c22d499b
Instruction Fuzzy Hash: 79219C71A00640AFEB61DF65CD44F6AFFE8EF05610F1484AAEA85CB251D371E814DB71

Uniqueness

Uniqueness Score: -1.00%

Function 06090354, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 060903EF

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c76f0e5e558b12e78bdfaefe1d7fbc4d533f55e5645bed9cbf78dc8afbf65c83
Instruction ID: 1f3d8f1458d1993479bd94aa9b89cdb6eab99672bde4721f5ca8924cbf2a7e5d
Opcode Fuzzy Hash: c76f0e5e558b12e78bdfaefe1d7fbc4d533f55e5645bed9cbf78dc8afbf65c83
Instruction Fuzzy Hash: 3B210771048380AFE722CB24CC45F92FFB8EF46720F1880DAED855F192D264A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06090A39, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 06090AD0

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8ca9c5bcad357314e1e8c659f75c174e1e0f506ce3b8ff1459b80682744f8aad
Instruction ID: 9790bb2750b7522294af5f7477855c3c63625b72853f5e9599f11757db295511
Opcode Fuzzy Hash: 8ca9c5bcad357314e1e8c659f75c174e1e0f506ce3b8ff1459b80682744f8aad
Instruction Fuzzy Hash: BF216072544740AFEB218F15DC85F57BFF8EF46710F08859AE9859B252D364E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 018CA90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 018CA989

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3a40c8d347b83895c2e1ea6e107373992e56f477efee257522f6f2e092595fc2
Instruction ID: 66e09ac7b9112dffa3342d49a91baca8734feb709203bb6e43669f766925d9d3
Opcode Fuzzy Hash: 3a40c8d347b83895c2e1ea6e107373992e56f477efee257522f6f2e092595fc2
Instruction Fuzzy Hash: 7C21A172500608AFE7219B59CC45FABFBECEF04710F14855BEE45DB641E670E5088B71

Uniqueness

Uniqueness Score: -1.00%

Function 018CACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 018CAD6A

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9fa5368a469b429295af4cad67697342c87eb3a78ad32bd54a4027ec48564552
Instruction ID: e409606ba508b525b0e30ddd42beeaebab381209739da7ac481c93219d7df09e
Opcode Fuzzy Hash: 9fa5368a469b429295af4cad67697342c87eb3a78ad32bd54a4027ec48564552
Instruction Fuzzy Hash: CC21B3B15093845FD7128B65DC45B92BFF8EF42610F0980DAD984CF263E234D908C761

Uniqueness

Uniqueness Score: -1.00%

Function 060914AE, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 0609152D

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b110bde6baa3a7c096a1721807556d57c99a5d0aa7b3b6dc2cae34f782216d8d
Instruction ID: b04fa21966ccd8564840f7dd5c3e496095522f90d865fb6d9383035b73767442
Opcode Fuzzy Hash: b110bde6baa3a7c096a1721807556d57c99a5d0aa7b3b6dc2cae34f782216d8d
Instruction Fuzzy Hash: 88219F72505380AFEB22CF65DC44F97FFB8EF46710F08849BEA859B152D264A548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 018CAA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 018CAA8C

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: afc8187d1789e09127203a20952945be2ec85ab49382ebd9fc1416651aaee5b9
Instruction ID: fe877117f6524763913febcb83a5daccd3409b7c5011ec66efa7f539a0776e5a
Opcode Fuzzy Hash: afc8187d1789e09127203a20952945be2ec85ab49382ebd9fc1416651aaee5b9
Instruction Fuzzy Hash: C2218E71600608AFE721CF19DD84FA7BBECEF04B10F08846AEA45DB251E770E908CA71

Uniqueness

Uniqueness Score: -1.00%

Function 018CAFD4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 018CB040

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7944ca22d68a3ce0b913d1272fd54fd18dcd9a7249eded68c3a504367778e7d6
Instruction ID: e43a50bdaac3d7f6550bd3972152ef5a361db0bf5b604dec556924518a3d44af
Opcode Fuzzy Hash: 7944ca22d68a3ce0b913d1272fd54fd18dcd9a7249eded68c3a504367778e7d6
Instruction Fuzzy Hash: B421D1724093C05FDB138B25DC50A92BFA4AF43724F0880DAED858F263D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 018CAAFB, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 018CAB7E

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 68d6887632aa4975dbaccab7bf9143cb7473a3df9225689414a4e5afadb234a2
Instruction ID: 222928f022b141a7a02a15e1942a5791b23780a0ec255504a3347a7402b5b841
Opcode Fuzzy Hash: 68d6887632aa4975dbaccab7bf9143cb7473a3df9225689414a4e5afadb234a2
Instruction Fuzzy Hash: BF21A8715493806FD3128B25DC41F72BFB8EF87610F0981DBED848B653D225A915CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 06090C00, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 06090C6C

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b74f180dfdd4512c1e544ebc00f841a460ca6a34698505bf0a496602e2261e5d
Instruction ID: 6b9404de2dcde9fded68a725467df88e69c353918d632e4e0d2e3e709f35e775
Opcode Fuzzy Hash: b74f180dfdd4512c1e544ebc00f841a460ca6a34698505bf0a496602e2261e5d
Instruction Fuzzy Hash: E6218E716093C49FDB128B25DC54B52BFA89F47210F0C84EAED898F253D275A848DB72

Uniqueness

Uniqueness Score: -1.00%

Function 018CAC3B, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 018CACA8

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: eee41b702a0a8b4b3f45a3dbdc3233a19d860876f5e4e2c205eea0b26c7dce91
Instruction ID: f7ab5c3db8fd81e28c659f72cca798e22cdb630568f2562726a67de6ad8e6b7d
Opcode Fuzzy Hash: eee41b702a0a8b4b3f45a3dbdc3233a19d860876f5e4e2c205eea0b26c7dce91
Instruction Fuzzy Hash: D0219D714093C09FDB128B25DC95A92BFB4EF47220F0984DBDD858F163D274A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06090970, Relevance: 1.6, APIs: 1, Instructions: 66fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 060909DE

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 44d41169ee8d7da1bee2deb55325ef7a2f8222f1b8a4e95c4e4e1fd79693bbc6
Instruction ID: 4c8ceac23c2645580cf5f5852b3739d800169be5081b3cbe23b9feaca4b85275
Opcode Fuzzy Hash: 44d41169ee8d7da1bee2deb55325ef7a2f8222f1b8a4e95c4e4e1fd79693bbc6
Instruction Fuzzy Hash: 8F2181719053809FDB61CF65DC45B52BFE8EF46210F0884AAE989DB253D224E844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 060908AA, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0609091B

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: dd829e6395d99246f8883ce0b282fd427a84fbe2342e2ad5cff87e0ee1f99a5f
Instruction ID: c746ab1731f637e4cc19518b57b9ce7a742e3c31b234f5c6268afb9f22ff8ae6
Opcode Fuzzy Hash: dd829e6395d99246f8883ce0b282fd427a84fbe2342e2ad5cff87e0ee1f99a5f
Instruction Fuzzy Hash: E321A4715483809FEB51CB29DC44B56BFE8EF46210F0980AAED49CB152D225D844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06090B46, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 06090BB8

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 29ff4c5ca70b9fc6b032099841bf93c2d016e3f25d6fd8b5f178b9b12a40eddb
Instruction ID: f7e3dd1224d60ccd3b3ce05a85cbbb6bb8f1ba4c2e788e59bf2289a4642d7156
Opcode Fuzzy Hash: 29ff4c5ca70b9fc6b032099841bf93c2d016e3f25d6fd8b5f178b9b12a40eddb
Instruction Fuzzy Hash: 1911AC72540604AFEB60CF15CC80FABFFECEF04714F04846AEE4A9B251D660E448DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 06090A5E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 06090AD0

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3ebaa6b248e47ad9dd437947f0c77f21042c8f8b64099cb07dd3d451d7722d5e
Instruction ID: 942a04bc74761644e9e305b6be0fa208b75154925cfcdf90c7bc8418d83adfe5
Opcode Fuzzy Hash: 3ebaa6b248e47ad9dd437947f0c77f21042c8f8b64099cb07dd3d451d7722d5e
Instruction Fuzzy Hash: C5119072940600AFEB609F15DC81F67FFECEF05710F14855AEE469B241D660E448DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 018CA836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 018CA8A8

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 62122c3b2662996c8ddd78f19ac47062c8adb9738e77eed196d4214986de0bab
Instruction ID: 9e9928090bf0ee4f5b5cb6355171f7bac69d836ecd765714a466bcd29b2af2d1
Opcode Fuzzy Hash: 62122c3b2662996c8ddd78f19ac47062c8adb9738e77eed196d4214986de0bab
Instruction Fuzzy Hash: AE216A714093C4AFD7138B258C54652BFB4DF47624F0980DBDD859F1A3D2695908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 018CA78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018CA7F6

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c3f4e1d96c6ae29a18b17f98896323c327d4bc767e02aca9fa3ed3b9cfc92e26
Instruction ID: c236269631de3219cf52d03716adf924a2886e5fc7c6ecb728347eb9392f5c06
Opcode Fuzzy Hash: c3f4e1d96c6ae29a18b17f98896323c327d4bc767e02aca9fa3ed3b9cfc92e26
Instruction Fuzzy Hash: 8811A271409380AFDB228F55DC44A62FFF4EF4A710F08859AEE898B162D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 018CB25A, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 018CB2B0

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 3fe0badefe6c5d65c3ba3223f7472b91edeff88f81c39b7cb98f3097bdc7c8e9
Instruction ID: 76f1170822c2291171bf05db8982526315642982b4daa7ef69bab3951d36c80b
Opcode Fuzzy Hash: 3fe0badefe6c5d65c3ba3223f7472b91edeff88f81c39b7cb98f3097bdc7c8e9
Instruction Fuzzy Hash: FD11A371500604AFEB11CF29DC85BABBB98EF45720F14C46BEE49DB241D674E9048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 018CB5F6, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 018CB66E

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ce63ecb9dd2737ecc14c5bfd756635b159a08a200e809ef4d91f208b228b4cdd
Instruction ID: 669035cebd54eeb999681e8340a2bcd56e9f26d4f1cc63f837281e99ee8d7318
Opcode Fuzzy Hash: ce63ecb9dd2737ecc14c5bfd756635b159a08a200e809ef4d91f208b228b4cdd
Instruction Fuzzy Hash: 0F119171504380BFD311CB16DC45F72BFB8EFC6A20F19819AED489B652E321B915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 060914CE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 0609152D

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: cf0b8ae2b2c1bf1a68494431b5854d3858028557c8d0ac17d38e8c4c19c85d8a
Instruction ID: d3c942999c37724da54db2f1baedadcb9836b62822a02c8abd532f8a7d7274c8
Opcode Fuzzy Hash: cf0b8ae2b2c1bf1a68494431b5854d3858028557c8d0ac17d38e8c4c19c85d8a
Instruction Fuzzy Hash: 5111BF72900200EFEB21CF55DC41FAAFFE8EF45720F1484ABEE499B251D674A4488BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06090386, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 060903EF

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d670ce81d6203ed171c5b24d1a2fc47d030d36a3a778f0ea14d29cf1c3e605d0
Instruction ID: 827871165e2010355bc3fc56ff0e390b6216d529662802f0c63b92eb0fe36f47
Opcode Fuzzy Hash: d670ce81d6203ed171c5b24d1a2fc47d030d36a3a778f0ea14d29cf1c3e605d0
Instruction Fuzzy Hash: BA11E571540204EFFB60DB15DC85FAAFF98DF45720F14C45AEE455B281D2B4A5488BB1

Uniqueness

Uniqueness Score: -1.00%

Function 018CAD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 018CAD6A

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0d0ad4b26e1744b95b4d947743f1a7d89717c5c136ee7399d15d456bc09933b9
Instruction ID: 08ea887c3f37f77c291fb8207e02b9b27612189dbf7aeb007834561e937c284a
Opcode Fuzzy Hash: 0d0ad4b26e1744b95b4d947743f1a7d89717c5c136ee7399d15d456bc09933b9
Instruction Fuzzy Hash: C51182B1A002049FE764CF29D844756FFE8EF44B21F08C46EEE49DB242E675D504CA61

Uniqueness

Uniqueness Score: -1.00%

Function 06090996, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 060909DE

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c3c5e4e737cfd2b8ed431bbf3c202ef8a2410b1afaedeb1e5f1e3a32e1a55452
Instruction ID: c9856adf455bfb1e626f5d88dc0a8c732d24870f83e301e74f3ad2b1241ac546
Opcode Fuzzy Hash: c3c5e4e737cfd2b8ed431bbf3c202ef8a2410b1afaedeb1e5f1e3a32e1a55452
Instruction Fuzzy Hash: 1A1161B1A402409FEBA0CF6AD885B56FFD8EF44620F08C4AEDD4ADB242D674E444DB71

Uniqueness

Uniqueness Score: -1.00%

Function 018CA44B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 018CA4AC

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 93bb39b709edf6fa1408b95d516d23c5d823639c36b388a0433b163f05db56c7
Instruction ID: b3373a84b95d4f3ae1527b0e82c25622291a1a7070d241f458d8683d8c601bff
Opcode Fuzzy Hash: 93bb39b709edf6fa1408b95d516d23c5d823639c36b388a0433b163f05db56c7
Instruction Fuzzy Hash: 501182714493849FD712CF25DC44B52FFA4EF42220F0984DBDD499F253D279A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0609133E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,419CA0F6,00000000,00000000,00000000,00000000), ref: 06091391

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e2fefb1a7731d24609cc4d9fe904031a18896c17a52259233a2edf52f4cc31a8
Instruction ID: 97e28d9e1c641b50f83afed57d9aeb3ffa983a5caa1ff4e50e0609bf1e88ff5b
Opcode Fuzzy Hash: e2fefb1a7731d24609cc4d9fe904031a18896c17a52259233a2edf52f4cc31a8
Instruction Fuzzy Hash: 1701D671644604EEEB60CB25DC45F6BFFE8DF45720F14C097EE489B641D674A4448AB1

Uniqueness

Uniqueness Score: -1.00%

Function 06091140, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 06091194

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 2c9ae7e754af46f4fc2252d1cfa1ab4dacc8fa660132eb66dbe24e8218e27b16
Instruction ID: 143e0431aaf946873e7ea2a9e8d3e6cb995ac45782449ab694cf834eda974a32
Opcode Fuzzy Hash: 2c9ae7e754af46f4fc2252d1cfa1ab4dacc8fa660132eb66dbe24e8218e27b16
Instruction Fuzzy Hash: B011C2755093C0AFDB128F25DC84B52FFE4DF47220F0880DAED858B252D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 060908D6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0609091B

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 750f70f1efce4c401446f650d11c99f93f6c4a8496a173d652dbb007bf09ce48
Instruction ID: 7dfbbaf48e872859cca677e3306c4710c85134f31ce90628f95c64bdeeddfe1f
Opcode Fuzzy Hash: 750f70f1efce4c401446f650d11c99f93f6c4a8496a173d652dbb007bf09ce48
Instruction Fuzzy Hash: 26115271A442459FEB90CF2AD884766FFD8EF44610F08C4AEDD4ACB242E674E444DB71

Uniqueness

Uniqueness Score: -1.00%

Function 018CB366, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 018CB3B6

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 536561ea3955748d23109cdad06e9c38dd660d28ef6e7a19183e353b2903c6e7
Instruction ID: 28f46be5bd04e74c00cd552a8022c38ca08a0e84ce47aecd6615d3494ba573aa
Opcode Fuzzy Hash: 536561ea3955748d23109cdad06e9c38dd660d28ef6e7a19183e353b2903c6e7
Instruction Fuzzy Hash: 62017172900600ABD710DF16DC85F66FBA8EBC8B20F14C56AED089B741E331B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 018CA172, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 018CA1C2

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 65009bd3843614530c8b81b4ac95f9c3590c35989fabd13d87cc0cb6df886063
Instruction ID: dd88a4bcca62b9db300c6187a94444383c8d6bff680b2072f53a2056cde06f81
Opcode Fuzzy Hash: 65009bd3843614530c8b81b4ac95f9c3590c35989fabd13d87cc0cb6df886063
Instruction Fuzzy Hash: BA017171900600ABD710DF16DC85B66FBA8EBC8A20F14856AED089B741E335B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06090C32, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 06090C6C

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fa303333c00aea97931999d1baf5a863459b494c0d7a3de21fa37bcf0c7871f3
Instruction ID: 02f75df66a37c258519a2cdd8f99dcea44d28eb6d6ae15626d48a48c17089cf7
Opcode Fuzzy Hash: fa303333c00aea97931999d1baf5a863459b494c0d7a3de21fa37bcf0c7871f3
Instruction Fuzzy Hash: 2001B1B1A042449FEB90CF29D884766FFD8DF40620F08C4AEDD4ADB242E675E448DB71

Uniqueness

Uniqueness Score: -1.00%

Function 018CA7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018CA7F6

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ceb2ab4e69d375c45101f2ba2f3a83bd4b3b86bbb8c225b62e412fc606ac4f36
Instruction ID: a9bf983921a44829e5d290f0baaa77e96e26a4c0d0c0c631807811da9caa90c7
Opcode Fuzzy Hash: ceb2ab4e69d375c45101f2ba2f3a83bd4b3b86bbb8c225b62e412fc606ac4f36
Instruction Fuzzy Hash: DA018B31800604AFDB218F55D844B66FFE0EF48720F08C9AADE898B612E371E519DF62

Uniqueness

Uniqueness Score: -1.00%

Function 018CB00E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 018CB040

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c3420e1fe52fe9634e1daa418c6d1e3dd3ee2566633eb73223612024a81f76f1
Instruction ID: 5d91e2453b03ca7a7d06ea9b4e24b922750ae1dd29c71418a0c34c69f6406446
Opcode Fuzzy Hash: c3420e1fe52fe9634e1daa418c6d1e3dd3ee2566633eb73223612024a81f76f1
Instruction Fuzzy Hash: 2D01BC71500A449FDB20CF29D885756FFA4EF40760F08C0ABDD49DB612D675E508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 018CAB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 018CAB7E

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: a966434eb58d08640dd1b97ff533bae38feb2880ae320baa8012bc807c593b92
Instruction ID: c757c40732e222a25a92a321d0c6dde6322d3421a44a689b02fcd589842f5563
Opcode Fuzzy Hash: a966434eb58d08640dd1b97ff533bae38feb2880ae320baa8012bc807c593b92
Instruction Fuzzy Hash: 10018F72500600ABD210DF16DC86F26FBA8FBC8B20F14811AED085B741E331B515CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 018CAC76, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 018CACA8

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 74ce20d8bf757b45a5e070d69f2abb36f9d05c0716ea00f43f3e218adefa71b5
Instruction ID: 69e5ac9cb68116534b54be6f769ca0b8e79df3e0e42b1bb92e5ae04e7a15bf3f
Opcode Fuzzy Hash: 74ce20d8bf757b45a5e070d69f2abb36f9d05c0716ea00f43f3e218adefa71b5
Instruction Fuzzy Hash: 02018F719002489FDB14CF29D884766FF94EF44720F18C4AFDD49DB252E679E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 018CA47A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 018CA4AC

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a06df0294ce437423ccaa1dfc822fcf5891290cd10b7415ab6a8a6d2c41a61f7
Instruction ID: 983a4b9d1b3a44c02f3a6fe220c13ed048ca51fa55c0d50aee4a1ef2e4b548b0
Opcode Fuzzy Hash: a06df0294ce437423ccaa1dfc822fcf5891290cd10b7415ab6a8a6d2c41a61f7
Instruction Fuzzy Hash: B001A2708002489FDB21CF19D888766FF94EF44720F18C4AADD489F202E675E544CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06091162, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 06091194

Memory Dump Source

Source File: 00000004.00000002.495910525.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: fc3e5904f282f5f3906af40003ab2639652a724bfab2001e4922c2a3f1d39ca8
Instruction ID: 81b27481a5463862df0a118c5617caa9da4256522f8d390f8b1eb680b0484571
Opcode Fuzzy Hash: fc3e5904f282f5f3906af40003ab2639652a724bfab2001e4922c2a3f1d39ca8
Instruction Fuzzy Hash: 8B01D135A40641AFEB608F19D884766FFD4EF06220F08C0EADD498B252D6B5A448DEB2

Uniqueness

Uniqueness Score: -1.00%

Function 018CA876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 018CA8A8

Memory Dump Source

Source File: 00000004.00000002.490549095.00000000018CA000.00000040.00000001.sdmp, Offset: 018CA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d0aec0b96f8febe5e19bbc0f6d106e3e3aefe12eae79ac5e7268b86f86d49b0b
Instruction ID: 92e2fe0f0d29af9201c65e6b7d70f399b65c626c1ff22a8d634492a3de3a2647
Opcode Fuzzy Hash: d0aec0b96f8febe5e19bbc0f6d106e3e3aefe12eae79ac5e7268b86f86d49b0b
Instruction Fuzzy Hash: 15F0A434900648DFDB20CF19D884762FF94DF44B24F18C09ADD495B212E7B5E549CF62

Uniqueness

Uniqueness Score: -1.00%

Function 061F37EB, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.495948503.00000000061F0000.00000040.00000001.sdmp, Offset: 061F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76524264c836c835bf1fcd7f266276a5fb7a3fd6e5a8500b9129fbe292cdd744
Instruction ID: 3a89c55f5ba9f073ae353ec7f5d5850161fde1602c92723a1c3f274149a9c2a6
Opcode Fuzzy Hash: 76524264c836c835bf1fcd7f266276a5fb7a3fd6e5a8500b9129fbe292cdd744
Instruction Fuzzy Hash: EE31FBB6508341AFD340CF19DC41A5BFBE4FB89660F14896EF998D7311E375A9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 061F2E02, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.495948503.00000000061F0000.00000040.00000001.sdmp, Offset: 061F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e864e7b5f47d09ceb39aefd2a39e72875bb8af582903797924fbda50f544b0e
Instruction ID: 6fc9dfe654ae38ce2f08a2ef7549eae8edbc86140f99d33994ca5e6098dc4cc9
Opcode Fuzzy Hash: 9e864e7b5f47d09ceb39aefd2a39e72875bb8af582903797924fbda50f544b0e
Instruction Fuzzy Hash: 4721B7B5608341AFD350CF19D840A5BFBE4EB89660F14896EF98897311E375EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 031C075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.491046354.00000000031C0000.00000040.00000040.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5d2563b7f1ca0419965e42405158f3d11b27c69df2ec7cbe474517529cec03
Instruction ID: f61a30de8fb02533273a739b84fb39e517830a3548a05b28991d0b6498099204
Opcode Fuzzy Hash: 5f5d2563b7f1ca0419965e42405158f3d11b27c69df2ec7cbe474517529cec03
Instruction Fuzzy Hash: 4E11E434204384EFD709CB24C980B26BB95AB9CB08F28C59CE9891B643C77BD803CE51

Uniqueness

Uniqueness Score: -1.00%

Function 031C0726, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.491046354.00000000031C0000.00000040.00000040.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59abe88d11ff8bcc8f37688412110ef71c53f8fb9140771b80767fa1f23cd68c
Instruction ID: 465e3a569bf47dea95e496dc7f9a4fe3b361cfecfbb33c6fa845c306f038918d
Opcode Fuzzy Hash: 59abe88d11ff8bcc8f37688412110ef71c53f8fb9140771b80767fa1f23cd68c
Instruction Fuzzy Hash: 0D215B3550D3C09FC707CB20C850B55BF71AB5B608F2D85EED8849B6A3C32A8806CB62

Uniqueness

Uniqueness Score: -1.00%

Function 031C05CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.491046354.00000000031C0000.00000040.00000040.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b46618b4696a410dabffcb843bff273a424b31339ca36aa003ccab479a76d11
Instruction ID: 8c09aec05a9394e8962bc71a96f8a9c4d0c8101d5c47d92cbc8fe2ba973f21d8
Opcode Fuzzy Hash: 3b46618b4696a410dabffcb843bff273a424b31339ca36aa003ccab479a76d11
Instruction Fuzzy Hash: 2D01DB715097805FD7128F16EC40862FFB8DF86660708C09FED498B612D2257904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 031C0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.491046354.00000000031C0000.00000040.00000040.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: a09d9d252a707b144f35a587719272abbb459d17b8548e33c9d4f173064d67f4
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 54F0FB35104684DFC606CB40D940B15FBA6EB8D718F24C6ADE9890B652C337D813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 031C05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.491046354.00000000031C0000.00000040.00000040.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ca9a6e796f7856031550ea523d365e82ed550dd878fe1914a4380e1ad117c8
Instruction ID: f71cebeba5214232b0d2a622ad910e3dab1f27ed6ef32da51db458252c98145c
Opcode Fuzzy Hash: 24ca9a6e796f7856031550ea523d365e82ed550dd878fe1914a4380e1ad117c8
Instruction Fuzzy Hash: 39E09276A006008BD650CF0BEC41452F7D8EB88630B18C07FDD0D8B700E635B504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 061F2E77, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.495948503.00000000061F0000.00000040.00000001.sdmp, Offset: 061F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdf85cc851625e3cd70f1a1400b5560c5e7443830178a89842ca8a91c19a902
Instruction ID: 18ef98e30dbdf8463d4468b49b8bd9374871ce0b97b826d01f01177a7b985e69
Opcode Fuzzy Hash: 6cdf85cc851625e3cd70f1a1400b5560c5e7443830178a89842ca8a91c19a902
Instruction Fuzzy Hash: ABE0D872A0030067D2608F069C41B63FB58DB80A70F14C457EE0C2B302E571B6148AE2

Uniqueness

Uniqueness Score: -1.00%

Function 061F38DF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.495948503.00000000061F0000.00000040.00000001.sdmp, Offset: 061F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9d46e3e11dc4be82f61d9157d7922da8ef29362dba2c42b7010661ad170d77
Instruction ID: 0c319b1e7e477ef620425fb3d30c6302d5ddd8023472b64ac4ef4dad1ecef5b6
Opcode Fuzzy Hash: cf9d46e3e11dc4be82f61d9157d7922da8ef29362dba2c42b7010661ad170d77
Instruction Fuzzy Hash: A2E0D8B29403006BD2608F069C41B63FB98DB84A70F14C467EE0C6B302E571B6148AE2

Uniqueness

Uniqueness Score: -1.00%

Function 018C23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.490520560.00000000018C2000.00000040.00000001.sdmp, Offset: 018C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fdf61805b63d0fb346d6e9121b1d468ce0c2547cc629245f822fb78e0e23c81
Instruction ID: 8c5a2fdcff02a797bcaef7baca31cdd5c17e9a8cc1f361058567be021f4a55a4
Opcode Fuzzy Hash: 0fdf61805b63d0fb346d6e9121b1d468ce0c2547cc629245f822fb78e0e23c81
Instruction Fuzzy Hash: 1AD05E79215A818FE326CA1CC1A8B957FA5BB51F04F4644FDE800CB6A3C378DA81D200

Uniqueness

Uniqueness Score: -1.00%

Function 018C23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.490520560.00000000018C2000.00000040.00000001.sdmp, Offset: 018C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67397e6de3e55cc564b8daff5d2c49245647409ae32b981a4a14db2aa31cf89
Instruction ID: 91ffaee2c0b1494cdfe06efb49f0e441b5edc0f0f3ec43efa8a9dd9d80b1ec83
Opcode Fuzzy Hash: a67397e6de3e55cc564b8daff5d2c49245647409ae32b981a4a14db2aa31cf89
Instruction Fuzzy Hash: 75D05E343002818BD715DB1CC594F593BD5AB41B00F0645ECAD00CB6B2C3B4D981C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: BAVLA.exe PID: 6188 Parent PID: 3388 BAVLA.exeCOMMON

Executed Functions

Function 00A7A4BE, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,835B9875,00000000,00000000,00000000,00000000), ref: 00A7A53D

Memory Dump Source

Source File: 00000008.00000002.275422119.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 92d77cf2f3786a8d5052915c73213a191cdedece30f97f7a17c6f531fbde727b
Instruction ID: 10c7d054e7f5e930b17ed6016f2675df5d0d7cc4a8219592ff6d766efdd4f534
Opcode Fuzzy Hash: 92d77cf2f3786a8d5052915c73213a191cdedece30f97f7a17c6f531fbde727b
Instruction Fuzzy Hash: 61219272405340AFD7228F65DC44F57FFB8EF46310F08849BEA459B152D274A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00A7A269

Memory Dump Source

Source File: 00000008.00000002.275422119.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 049f03e647aafc6223d3a40f4a1b57987f83baa16630270c5eabc8d6d6389621
Instruction ID: 82c1901efb4ee4e85ebb03ac2740d3a0c1bc59ec37d43f8023968071bd7be200
Opcode Fuzzy Hash: 049f03e647aafc6223d3a40f4a1b57987f83baa16630270c5eabc8d6d6389621
Instruction Fuzzy Hash: 5F21603540D7C4AFD7138B259C95692BFB4EF53220F0E80DBD9848F163D2699909C762

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,835B9875,00000000,00000000,00000000,00000000), ref: 00A7A53D

Memory Dump Source

Source File: 00000008.00000002.275422119.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: dc59b65e923ad412327b3f9cfd747fe857f0e84fd969e1cdf9dd47a5fdfef9c0
Instruction ID: 6a8f563f8e90c83cd39fecfe83ae8eea6e8223c5940ec19ea564a574e947b418
Opcode Fuzzy Hash: dc59b65e923ad412327b3f9cfd747fe857f0e84fd969e1cdf9dd47a5fdfef9c0
Instruction Fuzzy Hash: 08119D71400600EEEB218F65DC44F6AFBA8EF55320F14C46BEA499A251D275A4088B72

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00A7A269

Memory Dump Source

Source File: 00000008.00000002.275422119.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 5d0ab15b3220744c37f11b56bcb1a3c4ca16e96a933697b9d48f73c43e50c786
Instruction ID: 5acc4b01714b3630e054e2bfbe883cf5f43598f7247bd3278ad8d619b25344af
Opcode Fuzzy Hash: 5d0ab15b3220744c37f11b56bcb1a3c4ca16e96a933697b9d48f73c43e50c786
Instruction Fuzzy Hash: D7F0A434904644EFD7108F15D884755FFA0DF54721F18C09ADD0D5B222D6B9A444CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 025400C0, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 025400EC

Memory Dump Source

Source File: 00000008.00000002.275576619.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 7316a7c7f1c70a8917337a181640acb3310293073f418a66cfda8220513fe72e
Instruction ID: ded491602d4713b070d3b9a619f3f2b3237dea457b14557182dc7dcee060b455
Opcode Fuzzy Hash: 7316a7c7f1c70a8917337a181640acb3310293073f418a66cfda8220513fe72e
Instruction Fuzzy Hash: 25F03771D451499FCF40DFB89C599EFBFF8EA49260B1044AAD944E7111E3341606CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 025400D0, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 025400EC

Memory Dump Source

Source File: 00000008.00000002.275576619.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: ece84780070b80260827cd1e38a4a1e21e32e5733d29a659751b6d5365f7b47a
Instruction ID: 9f658eaf1f3535ec922c6d3edb3fcfca1c48c5fb90e3f0dafa3ff9a8c268059c
Opcode Fuzzy Hash: ece84780070b80260827cd1e38a4a1e21e32e5733d29a659751b6d5365f7b47a
Instruction Fuzzy Hash: 8BE07EB1E0521A9F8F40EFB999496DEBFF8EA48654B20056AD608E3200E2315A118BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A72477, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.275413168.0000000000A72000.00000040.00000001.sdmp, Offset: 00A72000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091c03a428b2e481804f15a3e1b2b19cf64723a9605d5cf3e8ff45a23055dd3a
Instruction ID: 6a06514a5205d4e23f7a85050a9ed2b72772987eeb29587ff3593d01ec6e7c92
Opcode Fuzzy Hash: 091c03a428b2e481804f15a3e1b2b19cf64723a9605d5cf3e8ff45a23055dd3a
Instruction Fuzzy Hash: B751ABA290E3D14FDF134B365C34298BFB25EA731071EC4DBD4C98A0A3E12D484A876A

Uniqueness

Uniqueness Score: -1.00%

Function 00A723F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.275413168.0000000000A72000.00000040.00000001.sdmp, Offset: 00A72000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c21de1bfc56245bef9330125aa276e7bc3d229dafb5a0a7ee2154cdcadde8f
Instruction ID: f84abda413c7cbc90cd2a30c54010843ed8aaa0f0ffd5ee2f9e4244326635c2b
Opcode Fuzzy Hash: 99c21de1bfc56245bef9330125aa276e7bc3d229dafb5a0a7ee2154cdcadde8f
Instruction Fuzzy Hash: 4ED05E79255A818FD3268B1CC5A8B953B94AB51B04F46C4FDE8008B663C368D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 00A723BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.275413168.0000000000A72000.00000040.00000001.sdmp, Offset: 00A72000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8c105f02dc032b87a537e2c0a97a2f7017604da3b1b5fda34d977333aa4555
Instruction ID: 269fdd19778dfed34967149e1bd37fbfc6c1aaa9074de1a5d9df00bf265d617f
Opcode Fuzzy Hash: dd8c105f02dc032b87a537e2c0a97a2f7017604da3b1b5fda34d977333aa4555
Instruction Fuzzy Hash: FFD05E342006818BD715DB0CC994F5937D4AB41B00F0684ECAC008F662C3A8DC81C700

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: BAVLA.exe PID: 6708 Parent PID: 3388 BAVLA.exeCOMMON

Executed Functions

Function 014AA4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,4CDE4DAB,00000000,00000000,00000000,00000000), ref: 014AA53D

Memory Dump Source

Source File: 00000012.00000002.296337861.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: db74e22c44a924fb5469644079671744552f13a87ace8a6de8600021c033fbbd
Instruction ID: d937a9856fec355df4213be7781a2bb33ab0fbcde956299b8fadf80247794b09
Opcode Fuzzy Hash: db74e22c44a924fb5469644079671744552f13a87ace8a6de8600021c033fbbd
Instruction Fuzzy Hash: 7221A371409380AFE7128B65DC54F96BFB8EF46310F1884DBEA849F163C265A509C772

Uniqueness

Uniqueness Score: -1.00%

Function 014AA336, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 014AA39C

Memory Dump Source

Source File: 00000012.00000002.296337861.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 990442936fbe826745a025be382027801bf91d0674b06f2b286ff12ae3d13a36
Instruction ID: 45b2147d7219f62cb1a9c2ae7a87d6190ba367585857dca652b6b13154b7c301
Opcode Fuzzy Hash: 990442936fbe826745a025be382027801bf91d0674b06f2b286ff12ae3d13a36
Instruction Fuzzy Hash: 0E219D7140A3C09FD7128B24DC44A52BFB4EF42220F0984EBDD85CF263C278A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AA1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 014AA269

Memory Dump Source

Source File: 00000012.00000002.296337861.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 186052386965f7f299a39c7fd51c4b15a67a6ce36bf6a82eddff943c68e42e2f
Instruction ID: 923b39f38fa4043ad443f2b6c03bf30f8b55086d77bd6beff931a63583394d34
Opcode Fuzzy Hash: 186052386965f7f299a39c7fd51c4b15a67a6ce36bf6a82eddff943c68e42e2f
Instruction Fuzzy Hash: 3121903540D7C05FD7138B258C95652BFB4EF43220F0E80DBD9848F263C2699909C762

Uniqueness

Uniqueness Score: -1.00%

Function 014AA4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,4CDE4DAB,00000000,00000000,00000000,00000000), ref: 014AA53D

Memory Dump Source

Source File: 00000012.00000002.296337861.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a271ecc4fb3b9218834d35663a06e48ce9415a6bf0d3028fa95552946b5dcb25
Instruction ID: a0193885b221e20802b32388c538565f5db8d813750392a99bbc8136b4c8b540
Opcode Fuzzy Hash: a271ecc4fb3b9218834d35663a06e48ce9415a6bf0d3028fa95552946b5dcb25
Instruction Fuzzy Hash: 24119D71400600EEEB21CF59DC40FAAFBA8EF54320F14886BEA859B261C275A409CB76

Uniqueness

Uniqueness Score: -1.00%

Function 014AA36A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 014AA39C

Memory Dump Source

Source File: 00000012.00000002.296337861.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7cb5a63adae5d810537afea09dadf9fbc33288d15fb644838f00bc0a1ff65d4c
Instruction ID: 0852f34fb834facdbe654280a5718c5bcaf866e5ea216150d19ece46efe9dce9
Opcode Fuzzy Hash: 7cb5a63adae5d810537afea09dadf9fbc33288d15fb644838f00bc0a1ff65d4c
Instruction Fuzzy Hash: FB01F271500640DFDB11CF29D884766FF94DF40220F18C4ABDD09CF322D6B4A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 014AA269

Memory Dump Source

Source File: 00000012.00000002.296337861.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: db0a492c12693e7d6593341ca96af104d35dd0ed9ec8f93bbd763731f3d3414c
Instruction ID: ef5fc98bfc0a8fac7947da5e50fbc54bef4e25d3fdb2eb86a12d75ef83e708a4
Opcode Fuzzy Hash: db0a492c12693e7d6593341ca96af104d35dd0ed9ec8f93bbd763731f3d3414c
Instruction Fuzzy Hash: FEF0C831804644DFD711CF19D884762FF90DF54620F58C09BDD094F316D2B5A459CB62

Uniqueness

Uniqueness Score: -1.00%

Function 030105CF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.296571542.0000000003010000.00000040.00000040.sdmp, Offset: 03010000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fa1df56c184290c3798e70b254b4b0842a134662554e8a674fc4e837bcd425
Instruction ID: a32257401cdd8f458d4358f825711d5da8efcb137becdb9739be4f94b06a918a
Opcode Fuzzy Hash: 08fa1df56c184290c3798e70b254b4b0842a134662554e8a674fc4e837bcd425
Instruction Fuzzy Hash: D301DB725097905FD712CB16EC40863FFB8EA86670749C49FED4987612D225B505CB71

Uniqueness

Uniqueness Score: -1.00%

Function 030105F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.296571542.0000000003010000.00000040.00000040.sdmp, Offset: 03010000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234d187893252d7336b572a0aab97de35e4ce718cf58c939f92b9de05b781668
Instruction ID: 294e5120ed993c6849b50ac93cfae56bd8bb5cb974a83518bb66060824c00c76
Opcode Fuzzy Hash: 234d187893252d7336b572a0aab97de35e4ce718cf58c939f92b9de05b781668
Instruction Fuzzy Hash: 6BE09276600A008BD650CF0BEC41452F7D8EB88630B18C47FDD0D8B710E235B509CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 014A23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.296330757.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1331a61d7f08964582b287ff36f0b270a215d988ae42e4b8af3daa33dc6f674
Instruction ID: 2f14424419e70d519b09ee59c6076f40f474a5a33a69cd5c3aa551e59d25a1e5
Opcode Fuzzy Hash: a1331a61d7f08964582b287ff36f0b270a215d988ae42e4b8af3daa33dc6f674
Instruction Fuzzy Hash: AFD05B752156914FD3168A1CC164F553FA4AB51B04F4744FEE8008B773C364D581E100

Uniqueness

Uniqueness Score: -1.00%

Function 014A23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.296330757.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141ad2d1bcac98dbed014390f0189a6e45a668e1cd09955941aba1dd86ed8052
Instruction ID: dff44694de2c03a3cc6ff52564664cc81cd7eee730fc4cf2d94eda0df7207521
Opcode Fuzzy Hash: 141ad2d1bcac98dbed014390f0189a6e45a668e1cd09955941aba1dd86ed8052
Instruction Fuzzy Hash: D4D05E342002818BDB15DB1DC594F5A3BD4AB52B00F0644E9AD00CB772C3B8D881D600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AdministratorDownloadsBL,.rar.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: AdministratorDownloadsBL,.rar.exe PID: 5528 Parent PID: 5784

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre