Play interactive tour

Edit tour

Analysis Report POinv00393.exe

Overview

General Information

Sample Name:	POinv00393.exe
Analysis ID:	346695
MD5:	e0db9d12220a5099bd1ebfefc0ccdcfe
SHA1:	b0af96f187273082687f2c58faca71b837876429
SHA256:	09969e8d7af6e0c3ef34c344fe378dd23b6f93abcda793c052e36d1777c35ce7
Tags:	exeHawkEye
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected HawkEye Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell adding suspicious path to exclusion list

Yara detected AntiVM_3

Yara detected HawkEye Keylogger

Yara detected MailPassView

Adds a directory exclusion to Windows Defender

Changes the view of files in windows explorer (hidden files and folders)

Connects to a pastebin service (likely for C&C)

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Drops PE files to the startup folder

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Yara detected WebBrowserPassView password recovery tool

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Startup

System is w10x64

POinv00393.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

powershell.exe (PID: 6892 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6916 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6980 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 7080 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

POinv00393.exe (PID: 2100 cmdline: C:\Users\user\Desktop\POinv00393.exe MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

WerFault.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

POinv00393.exe (PID: 6464 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

POinv00393.exe (PID: 5436 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

POinv00393.exe (PID: 2296 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

POinv00393.exe (PID: 1784 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

POinv00393.exe (PID: 5404 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x12ce0:$key: HawkEyeKeylogger 0x14f2c:$salt: 099u787978786 0x13347:$string1: HawkEye_Keylogger 0x1419a:$string1: HawkEye_Keylogger 0x14e8c:$string1: HawkEye_Keylogger 0x13730:$string2: holdermail.txt 0x13750:$string2: holdermail.txt 0x13672:$string3: wallet.dat 0x1368a:$string3: wallet.dat 0x136a0:$string3: wallet.dat 0x14a6e:$string4: Keylog Records 0x14d86:$string4: Keylog Records 0x14f84:$string5: do not script --> 0x12cc8:$string6: \pidloc.txt 0x12d3e:$string7: BSPLIT 0x12d4e:$string7: BSPLIT
00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1339f:$hawkstr1: HawkEye Keylogger 0x141e0:$hawkstr1: HawkEye Keylogger 0x1450f:$hawkstr1: HawkEye Keylogger 0x1466a:$hawkstr1: HawkEye Keylogger 0x147cd:$hawkstr1: HawkEye Keylogger 0x14a46:$hawkstr1: HawkEye Keylogger 0x12f11:$hawkstr2: Dear HawkEye Customers! 0x14562:$hawkstr2: Dear HawkEye Customers! 0x146b9:$hawkstr2: Dear HawkEye Customers! 0x14820:$hawkstr2: Dear HawkEye Customers! 0x13032:$hawkstr3: HawkEye Logger Details:
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7be38:$key: HawkEyeKeylogger 0xfe258:$key: HawkEyeKeylogger 0x180478:$key: HawkEyeKeylogger 0x7e084:$salt: 099u787978786 0x1004a4:$salt: 099u787978786 0x1826c4:$salt: 099u787978786 0x7c49f:$string1: HawkEye_Keylogger 0x7d2f2:$string1: HawkEye_Keylogger 0x7dfe4:$string1: HawkEye_Keylogger 0xfe8bf:$string1: HawkEye_Keylogger 0xff712:$string1: HawkEye_Keylogger 0x100404:$string1: HawkEye_Keylogger 0x180adf:$string1: HawkEye_Keylogger 0x181932:$string1: HawkEye_Keylogger 0x182624:$string1: HawkEye_Keylogger 0x7c888:$string2: holdermail.txt 0x7c8a8:$string2: holdermail.txt 0xfeca8:$string2: holdermail.txt 0xfecc8:$string2: holdermail.txt 0x180ec8:$string2: holdermail.txt 0x180ee8:$string2: holdermail.txt
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7c4f7:$hawkstr1: HawkEye Keylogger 0x7d338:$hawkstr1: HawkEye Keylogger 0x7d667:$hawkstr1: HawkEye Keylogger 0x7d7c2:$hawkstr1: HawkEye Keylogger 0x7d925:$hawkstr1: HawkEye Keylogger 0x7db9e:$hawkstr1: HawkEye Keylogger 0xfe917:$hawkstr1: HawkEye Keylogger 0xff758:$hawkstr1: HawkEye Keylogger 0xffa87:$hawkstr1: HawkEye Keylogger 0xffbe2:$hawkstr1: HawkEye Keylogger 0xffd45:$hawkstr1: HawkEye Keylogger 0xfffbe:$hawkstr1: HawkEye Keylogger 0x180b37:$hawkstr1: HawkEye Keylogger 0x181978:$hawkstr1: HawkEye Keylogger 0x181ca7:$hawkstr1: HawkEye Keylogger 0x181e02:$hawkstr1: HawkEye Keylogger 0x181f65:$hawkstr1: HawkEye Keylogger 0x1821de:$hawkstr1: HawkEye Keylogger 0x7c069:$hawkstr2: Dear HawkEye Customers! 0x7d6ba:$hawkstr2: Dear HawkEye Customers! 0x7d811:$hawkstr2: Dear HawkEye Customers!
Process Memory Space: POinv00393.exe PID: 6708	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: POinv00393.exe PID: 6708	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: POinv00393.exe PID: 6708	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: POinv00393.exe PID: 6708	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WerFault.exe PID: 5556	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Click to see the 8 entries

Sigma Overview

System Summary:

Sigma detected: Powershell adding suspicious path to exclusion list

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\POinv00393.exe' , ParentImage: C:\Users\user\Desktop\POinv00393.exe, ParentProcessId: 6708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, ProcessId: 6892

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: WerFault.exe.5556.34.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

ReversingLabs: Detection: 17%

Multi AV Scanner detection for submitted file

Show sources

Source: POinv00393.exe	Virustotal: Detection: 34%			Perma Link
Source: POinv00393.exe	ReversingLabs: Detection: 17%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: POinv00393.exe

Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49748 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49749 version: TLS 1.0

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: POinv00393.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: anagement.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.388800534.0000000004A7F000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdbj source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdb8 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdbl source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb{ source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb\ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: DWrite.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: comctl32.pdbD source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb~ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdbV source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbd source: WerFault.exe, 00000022.00000003.461500702.0000000004EFB000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: xecute.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb4 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbz source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbf source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbH source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: nlaapi.pdb. source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdbZ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdbp source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdbd source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb2 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdbB source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp

Spreading:

Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	Binary or memory string: [autorun]

Networking:

Connects to a pastebin service (likely for C&C)

Show sources

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 198.54.122.60:587

Source: Joe Sandbox View	IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View	IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190
Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 198.54.122.60:587

Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49748 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49749 version: TLS 1.0

Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: pastebin.com

Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: powershell.exe, 00000001.00000002.498956817.00000000031E6000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: POinv00393.exe, 00000009.00000003.264750218.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikip
Source: POinv00393.exe, 00000009.00000003.261997834.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikipedia
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.598548034.0000000003377000.00000004.00000020.sdmp	String found in binary or memory: http://schemas.micr
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: powershell.exe, 00000001.00000002.515543086.0000000004D91000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.575272180.0000000004541000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.266225699.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: POinv00393.exe, 00000009.00000003.266098249.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comnxa
Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com(
Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF:
Source: POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.292180727.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289173192.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: POinv00393.exe, 00000009.00000003.291476719.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: POinv00393.exe, 00000009.00000003.291895161.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/o
Source: POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers0
Source: POinv00393.exe, 00000009.00000003.287216804.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: POinv00393.exe, 00000009.00000003.286463158.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers=
Source: POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersr
Source: POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerss
Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comednxn
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgritaU
Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitud
Source: POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitu:
Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comueed
Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comy
Source: POinv00393.exe, 00000009.00000003.264142006.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c
Source: POinv00393.exe, 00000009.00000003.264396432.00000000060A5000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: POinv00393.exe, 00000009.00000003.264516630.00000000060A5000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: POinv00393.exe, 00000009.00000003.263686147.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnOx
Source: POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-nO
Source: POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/2
Source: POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/:
Source: POinv00393.exe, 00000009.00000003.314035977.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmWQ
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krF4
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krK
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: POinv00393.exe, 00000009.00000003.276537694.00000000060A5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/sl-s
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: POinv00393.exe, 00000009.00000003.300240186.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.X
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: POinv00393.exe, 00000009.00000003.281094175.00000000060A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: POinv00393.exe, 00000009.00000003.263201663.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.cQ
Source: POinv00393.exe, 00000009.00000003.262220149.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krW
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krim
Source: POinv00393.exe, 00000009.00000003.269856466.00000000060A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: POinv00393.exe, 00000009.00000003.284582010.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.del
Source: POinv00393.exe, 00000009.00000003.265749682.00000000060A7000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 5556, type: MEMORY

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\POinv00393.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\POinv00393.exe

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C88251	0_2_01C88251
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C87AEB	0_2_01C87AEB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAA3D8	1_2_02DAA3D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAF3D7	1_2_02DAF3D7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAE66B	1_2_02DAE66B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAA960	1_2_02DAA960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA7FE0	1_2_02DA7FE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA6C30	1_2_02DA6C30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA51C8	1_2_02DA51C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA51B7	1_2_02DA51B7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAA3D8	1_2_02DAA3D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAF3D7	1_2_02DAF3D7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAC560	1_2_02DAC560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA8810	1_2_02DA8810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DC0040	1_2_02DC0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D2B48	1_2_032D2B48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032DDEB8	1_2_032DDEB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D5ED0	1_2_032D5ED0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032DA320	1_2_032DA320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D1A50	1_2_032D1A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D9818	1_2_032D9818
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D0040	1_2_032D0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D67E8	1_2_032D67E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032DA618	1_2_032DA618
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032DD420	1_2_032DD420
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DC865B	1_2_02DC865B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03111B78	3_2_03111B78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03113AD0	3_2_03113AD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0316A358	3_2_0316A358
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0316B750	3_2_0316B750
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03160EB8	3_2_03160EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03167EB8	3_2_03167EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03160040	3_2_03160040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03167EB8	3_2_03167EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03167EB8	3_2_03167EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0316AE20	3_2_0316AE20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03160EB8	3_2_03160EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03166C68	3_2_03166C68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0095A048	5_2_0095A048
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0095AD89	5_2_0095AD89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009505D8	5_2_009505D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00956E28	5_2_00956E28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00959A58	5_2_00959A58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009505D8	5_2_009505D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00956E28	5_2_00956E28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00956E28	5_2_00956E28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0095A740	5_2_0095A740
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00956748	5_2_00956748
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009619E8	5_2_009619E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00963938	5_2_00963938
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009883E0	5_2_009883E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098F528	5_2_0098F528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098C610	5_2_0098C610
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098A7D8	5_2_0098A7D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00986738	5_2_00986738
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098E810	5_2_0098E810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098AD60	5_2_0098AD60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009870A0	5_2_009870A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009851C8	5_2_009851C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009851C7	5_2_009851C7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098F528	5_2_0098F528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098A7D8	5_2_0098A7D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00988C10	5_2_00988C10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00986C30	5_2_00986C30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009E0040	5_2_009E0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0438CE38	5_2_0438CE38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_043825D5	5_2_043825D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04384008	5_2_04384008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009E8ADB	5_2_009E8ADB
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 11_2_03518108	11_2_03518108
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 11_2_03517AE8	11_2_03517AE8
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 14_2_01598108	14_2_01598108
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 14_2_01597AE8	14_2_01597AE8
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 21_2_00F28108	21_2_00F28108
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 21_2_00F27AF0	21_2_00F27AF0
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 31_2_01518108	31_2_01518108
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 31_2_01517AF0	31_2_01517AF0

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940

Source: POinv00393.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: POinv00393.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.335186152.0000000006D20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000000.206073920.0000000000E72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedbdc ddb.exe2 vs POinv00393.exe
Source: POinv00393.exe, 00000009.00000000.243465863.0000000000802000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 0000000B.00000000.251187170.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 0000000E.00000000.268933713.0000000000782000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 00000015.00000002.560738791.0000000000112000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 0000001A.00000002.409137032.00000000053A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs POinv00393.exe
Source: POinv00393.exe, 0000001A.00000002.343340975.000000000186A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs POinv00393.exe
Source: POinv00393.exe, 0000001A.00000000.306230207.0000000000CC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 0000001F.00000000.325285879.0000000000742000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe, 0000001F.00000002.611727506.00000000012BA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs POinv00393.exe

Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@30/27@7/5

Source: C:\Users\user\Desktop\POinv00393.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2100

Source: C:\Users\user\Desktop\POinv00393.exe

File created: C:\Users\user\AppData\Local\Temp\16654f11-3a02-4cab-b1ad-a4500300c0c5

Jump to behavior

Source: POinv00393.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\POinv00393.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\POinv00393.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\POinv00393.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: POinv00393.exe	Virustotal: Detection: 34%
Source: POinv00393.exe	ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\POinv00393.exe

File read: C:\Users\user\Desktop\POinv00393.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\POinv00393.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\POinv00393.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: POinv00393.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: POinv00393.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: POinv00393.exe

Static file information: File size 4552704 > 1048576

Source: POinv00393.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x43dc00

Source: POinv00393.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: anagement.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.388800534.0000000004A7F000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdbj source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdb8 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdbl source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb{ source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb\ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: DWrite.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: comctl32.pdbD source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb~ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdbV source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbd source: WerFault.exe, 00000022.00000003.461500702.0000000004EFB000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: xecute.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb4 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbz source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbf source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbH source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: nlaapi.pdb. source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdbZ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdbp source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdbd source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb2 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdbB source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C829C9 pushfd ; retf	0_2_01C829CA
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C829CB pushfd ; retf	0_2_01C829E2
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C829E9 pushfd ; retf	0_2_01C829EA
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C8298B pushfd ; retf	0_2_01C829A2
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C829A9 pushfd ; retf	0_2_01C829AA
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C829AB pushfd ; retf	0_2_01C829C2
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82968 pushfd ; retf	0_2_01C82982
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C808FD push eax; mov dword ptr [esp], ecx	0_2_01C85251
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C80897 push eax; mov dword ptr [esp], ecx	0_2_01C85251
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82B88 pushfd ; retf	0_2_01C82B8A
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82B49 pushfd ; retf	0_2_01C82B4A
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82B4D pushfd ; retf	0_2_01C82B62
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82B08 pushfd ; retf	0_2_01C82B22
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82B28 pushfd ; retf	0_2_01C82B42
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82A8D pushfd ; retf	0_2_01C82B02
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82A48 pushfd ; retf	0_2_01C82A4A
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82A09 pushfd ; retf	0_2_01C82A0A
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82A28 pushfd ; retf	0_2_01C82A2A
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C82A2B pushfd ; retf	0_2_01C82A42
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_06DA6E55 push ebp; ret	0_2_06DA6E58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D42F0 push eax; mov dword ptr [esp], edx	1_2_032D4304
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D7988 push eax; mov dword ptr [esp], edx	1_2_032D7A0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D79E0 push eax; mov dword ptr [esp], edx	1_2_032D7A0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D76AA pushad ; ret	1_2_032D76B9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D769A push esp; ret	1_2_032D76A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D8401 push FFFFFF8Bh; retf	1_2_032D8486
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0311CA98 push eax; mov dword ptr [esp], edx	3_2_0311CB94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0311C818 push eax; mov dword ptr [esp], edx	3_2_0311C824
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03117E07 push eax; mov dword ptr [esp], ecx	3_2_03117E1C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009524BF push F0007067h; iretd	5_2_009524CD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0096B208 push eax; mov dword ptr [esp], edx	5_2_0096B21C

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\POinv00393.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\Desktop\POinv00393.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell

Jump to behavior

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Users\user\Desktop\POinv00393.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>

Jump to behavior

Creates multiple autostart registry keys

Show sources

Source: C:\Users\user\Desktop\POinv00393.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>			Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run POinv00393.exe			Jump to behavior

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\POinv00393.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

Jump to dropped file

Source: C:\Users\user\Desktop\POinv00393.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

Jump to behavior

Source: C:\Users\user\Desktop\POinv00393.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe			Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\POinv00393.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run POinv00393.exe	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run POinv00393.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Users\user\Desktop\POinv00393.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POinv00393.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY

Source: C:\Users\user\Desktop\POinv00393.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\POinv00393.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\POinv00393.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\POinv00393.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\POinv00393.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\POinv00393.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4048	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3355	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3828	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3055	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4401	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2511	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4178
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2748
Source: C:\Users\user\Desktop\POinv00393.exe	Window / User API: threadDelayed 651

Source: C:\Users\user\Desktop\POinv00393.exe TID: 6780	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe TID: 6728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5460	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4788	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4788	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5528	Thread sleep count: 4401 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2052	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5532	Thread sleep count: 2511 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4952	Thread sleep count: 4178 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6248	Thread sleep count: 2748 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3560	Thread sleep count: 51 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 6536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 2288	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 64	Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 3216	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -99719s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -99266s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -99141s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -99031s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -97891s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 5024	Thread sleep time: -97297s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 6216	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\POinv00393.exe TID: 6336	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\POinv00393.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\POinv00393.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WerFault.exe	Last function: Thread delayed

Source: powershell.exe, 00000007.00000003.529306066.0000000005773000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: POinv00393.exe, 0000000E.00000002.600693562.00000000011DD000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDea
Source: WerFault.exe, 00000022.00000002.621977733.0000000005090000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: POinv00393.exe, 00000000.00000002.336114660.0000000006E51000.00000004.00000001.sdmp	Binary or memory string: SC:\WINDOWS\system32\drivers\VBoxMouse.sysESOFTWARE\VMware, Inc.\VMware Tools
Source: POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
Source: POinv00393.exe, 0000001F.00000002.613897002.000000000134E000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: POinv00393.exe, 00000000.00000002.336114660.0000000006E51000.00000004.00000001.sdmp	Binary or memory string: KC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: WerFault.exe, 00000022.00000002.621186623.0000000004A87000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW0_
Source: WerFault.exe, 00000022.00000002.621977733.0000000005090000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000022.00000002.621977733.0000000005090000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: POinv00393.exe, 0000000B.00000002.596909677.00000000018C3000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.614447206.000000000139F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.529306066.0000000005773000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: WerFault.exe, 00000022.00000002.621977733.0000000005090000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\POinv00393.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\POinv00393.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\POinv00393.exe

Code function: 26_2_058853D0 LdrInitializeThunk,

26_2_058853D0

Source: C:\Users\user\Desktop\POinv00393.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\POinv00393.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\POinv00393.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\POinv00393.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\POinv00393.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\POinv00393.exe

Memory written: C:\Users\user\Desktop\POinv00393.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Users\user\Desktop\POinv00393.exe VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\POinv00393.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\POinv00393.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\user\Desktop\POinv00393.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\POinv00393.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 5556, type: MEMORY

Yara detected MailPassView

Show sources

Source: Yara match	File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY

Remote Access Functionality:

Detected HawkEye Rat

Show sources

Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 5556, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation21	Startup Items1	Startup Items1	Disable or Modify Tools11	Input Capture11	Peripheral Device Discovery1	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder421	Process Injection111	Obfuscated Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder421	Masquerading1	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion5	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection111	LSA Secrets	Security Software Discovery141	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	Virtualization/Sandbox Evasion5	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol12	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
POinv00393.exe	34%	Virustotal		Browse
POinv00393.exe	18%	ReversingLabs	Win32.Trojan.Wacatac
POinv00393.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe	18%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
84.102.13.0.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.fontbureau.comI.TTF	0%	Avira URL Cloud	safe
http://www.fontbureau.comgritaU	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.monotype.X	0%	Avira URL Cloud	safe
http://www.fontbureau.comednxn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnOx	0%	Avira URL Cloud	safe
http://www.sandoll.co.krW	0%	Avira URL Cloud	safe
http://www.fontbureau.com(	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.fontbureau.comueed	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/U	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.founder.com.c	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/sl-s	0%	Avira URL Cloud	safe
http://www.goodfont.co.krF4	0%	Avira URL Cloud	safe
http://www.goodfont.co.krK	0%	Avira URL Cloud	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://en.wikipedia	0%	URL Reputation	safe
http://en.wikipedia	0%	URL Reputation	safe
http://en.wikipedia	0%	URL Reputation	safe
http://schemas.micr	0%	URL Reputation	safe
http://schemas.micr	0%	URL Reputation	safe
http://schemas.micr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.sandoll.cQ	0%	Avira URL Cloud	safe
http://en.wikip	0%	Avira URL Cloud	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.founder.com.cn/cnl-nO	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/y	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.galapagosdesign.com/2	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.fontbureau.comoitu:	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.com.TTF:	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/:	0%	Avira URL Cloud	safe
http://www.sandoll.co.krim	0%	Avira URL Cloud	safe
http://www.fontbureau.comy	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/h	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/h	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/h	0%	URL Reputation	safe
http://www.urwpp.del	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.privateemail.com	198.54.122.60	true	false		high
pastebin.com	104.23.98.190	true	false		high
84.102.13.0.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comI.TTF	POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comgritaU	POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	POinv00393.exe, 00000009.00000003.269856466.00000000060A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers	POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.292180727.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289173192.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comessed	POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.266225699.00000000060A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.monotype.X	POinv00393.exe, 00000009.00000003.300240186.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comednxn	POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnOx	POinv00393.exe, 00000009.00000003.263686147.00000000060AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.krW	POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com(	POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://whatismyipaddress.com/-	POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/	POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	POinv00393.exe, 00000009.00000003.262220149.00000000060AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.nirsoft.net/	POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	false		high
http://www.urwpp.de	POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	POinv00393.exe, 00000009.00000003.265749682.00000000060A7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.515543086.0000000004D91000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.575272180.0000000004541000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	POinv00393.exe, 00000009.00000003.281094175.00000000060A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com.TTF	POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comueed	POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designerss	POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersr	POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comF	POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/U	POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	false		high
http://www.founder.com.c	POinv00393.exe, 00000009.00000003.264142006.00000000060AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/sl-s	POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.krF4	POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.krK	POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comion	POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://en.wikipedia	POinv00393.exe, 00000009.00000003.261997834.00000000060AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.micr	powershell.exe, 00000003.00000002.598548034.0000000003377000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.cQ	POinv00393.exe, 00000009.00000003.263201663.00000000060AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://en.wikip	POinv00393.exe, 00000009.00000003.264750218.00000000060AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd	POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnl-nO	POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	POinv00393.exe, 00000009.00000003.266098249.00000000060A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	POinv00393.exe, 00000009.00000003.264516630.00000000060A5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/y	POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	POinv00393.exe, 00000009.00000003.264396432.00000000060A5000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	POinv00393.exe, 00000009.00000003.291895161.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/2	POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	POinv00393.exe, 00000009.00000003.291476719.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.monotype.	POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comoitu:	POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com.TTF:	POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/:	POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.krim	POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	POinv00393.exe, 00000009.00000003.287216804.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comy	POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/h	POinv00393.exe, 00000009.00000003.276537694.00000000060A5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers=	POinv00393.exe, 00000009.00000003.286463158.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.urwpp.del	POinv00393.exe, 00000009.00000003.284582010.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/o	POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers0	POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/	POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comnxa	POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comitud	POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmWQ	POinv00393.exe, 00000009.00000003.314035977.00000000060AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.23.99.190	unknown	United States	13335	CLOUDFLARENETUS	false
104.23.98.190	unknown	United States	13335	CLOUDFLARENETUS	false
198.54.122.60	unknown	United States	22612	NAMECHEAP-NETUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	346695
Start date:	01.02.2021
Start time:	13:28:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	POinv00393.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@30/27@7/5
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 435 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.42.151.234, 40.88.32.150, 104.43.139.144, 51.11.168.160, 92.122.144.200, 2.20.143.16, 2.20.142.210, 92.122.213.247, 92.122.213.194, 20.54.26.129, 51.104.144.132, 20.190.159.132, 40.126.31.6, 40.126.31.1, 40.126.31.137, 20.190.159.136, 40.126.31.141, 20.190.159.138, 40.126.31.135, 52.155.217.156 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:29:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\POinv00393.exe
13:29:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
13:29:27	API Interceptor	21x Sleep call for process: POinv00393.exe modified
13:29:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\POinv00393.exe
13:29:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
13:29:51	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe
13:30:13	API Interceptor	208x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.23.99.190	7fYoHeaCBG.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	r0QRptqiCl.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	JDgYMW0LHW.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	kigAlmMyB1.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	5T4Ykc0VSK.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	afvhKak0Ir.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	1KITgJnGbI.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	DovV3LuJ6I.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	66f8F6WvC1.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	PxwWcmbMC5.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	XnAJZR4NcN.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	uqXsQvWMnL.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	I8r7e1pqac.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	VrR9J0FnSG.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	dEpoPWHmoI.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	zZp3oXclum.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	aTZQZVVriQ.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	U23peRXm5Z.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	eXP2pYucWu.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	L6UBlWyCpV.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
104.23.98.190	b095b966805abb7df4ffddf183def880.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	E1Q0TjeN32.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	6YCl3ATKJw.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	Hjnb15Nuc3.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	JDgYMW0LHW.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	4av8Sn32by.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	5T4Ykc0VSK.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	afvhKak0Ir.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	T6OcyQsUsY.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	1KITgJnGbI.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	PxwWcmbMC5.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	XnAJZR4NcN.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	PbTwrajNMX.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	22NO7gVJ7r.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	rE7DwszvrX.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	VjPHSJkwr6.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	wf86K0dpOP.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	VrR9J0FnSG.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	6C1MYmrVl1.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0
	aTZQZVVriQ.exe	Get hash	malicious	Browse	pastebin.com/raw/XMKKNkb0

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
pastebin.com	QuotationCVXpo00029392.exe	Get hash	malicious	Browse	104.23.98.190
	cbUJVTVJ.exe	Get hash	malicious	Browse	104.23.99.190
	SecuriteInfo.com.Trojan.Packed2.42783.20578.exe	Get hash	malicious	Browse	104.23.98.190
	INWARD-OUTWARD ANALYSIS.xlsx	Get hash	malicious	Browse	104.23.98.190
	svchost.exe	Get hash	malicious	Browse	104.23.98.190
	0238-35-pdf.scr.exe	Get hash	malicious	Browse	104.23.99.190
	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.exe	Get hash	malicious	Browse	104.23.99.190
	fod1jZt8yK.exe	Get hash	malicious	Browse	104.23.98.190
	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	Get hash	malicious	Browse	104.23.99.190
	Enq No 34 22-01-2021.exe	Get hash	malicious	Browse	104.23.99.190
	SecuriteInfo.com.BehavesLike.Win32.Generic.mm.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	104.23.99.190
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.BehavesLike.Win32.Trojan.nm.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.BehavesLike.Win32.Generic.qm.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	104.23.98.190
	Design Specification_A2000006.doc	Get hash	malicious	Browse	104.23.99.190
mail.privateemail.com	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	Pending Orders Statement -40064778.doc	Get hash	malicious	Browse	198.54.122.60
	documenting.doc	Get hash	malicious	Browse	198.54.122.60
	RFQ Tengco_270121.doc	Get hash	malicious	Browse	198.54.122.60
	74725794.exe	Get hash	malicious	Browse	198.54.122.60
	Enq No 34 22-01-2021.exe	Get hash	malicious	Browse	198.54.122.60
	pickup receipt,DOC.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Trojan.nm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.qm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	198.54.122.60
	Pi_74725794.exe	Get hash	malicious	Browse	198.54.122.60
	74725794.exe	Get hash	malicious	Browse	198.54.122.60
	New FedEx paper work review.exe	Get hash	malicious	Browse	198.54.122.60
	New paper work document attached.exe	Get hash	malicious	Browse	198.54.122.60
	DHL_AWB_1928493383.exe	Get hash	malicious	Browse	198.54.122.60
	PGXPHWCclJQdkUDcrlQETWlRbmXQw.exe	Get hash	malicious	Browse	198.54.122.60

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	MIR-CAR_MRC2021751030XMY,pdf.exe	Get hash	malicious	Browse	162.159.129.233
	FACTURA.xlsx	Get hash	malicious	Browse	104.22.1.232
	PO 642021.exe	Get hash	malicious	Browse	104.21.19.200
	00000000000000000090.exe	Get hash	malicious	Browse	172.67.188.154
	sample20210201-01.xlsm	Get hash	malicious	Browse	172.67.189.234
	NsNu725j8o.exe	Get hash	malicious	Browse	172.67.129.48
	FPZaxqP7uB.exe	Get hash	malicious	Browse	23.227.38.74
	AWB_SHIPPING_DOCUMENT_pdf.exe	Get hash	malicious	Browse	66.235.200.146
	DebitNote11_Owners Invoices.exe	Get hash	malicious	Browse	104.21.5.94
	HwL7D1UcZG.exe	Get hash	malicious	Browse	104.21.27.226
	New Order.exe	Get hash	malicious	Browse	172.67.188.154
	IMG_1660392.exe	Get hash	malicious	Browse	172.67.188.154
	IMG_1660392.doc	Get hash	malicious	Browse	172.67.188.154
	Bp93hBPMoi.exe	Get hash	malicious	Browse	104.21.86.207
	mEPx5H8svq.exe	Get hash	malicious	Browse	104.21.45.223
	HoFD3n7z6A.exe	Get hash	malicious	Browse	23.227.38.74
	BLWnF55j6W.exe	Get hash	malicious	Browse	104.21.45.223
	2Debit Note_OwnersInvoices.exe	Get hash	malicious	Browse	172.67.142.171
	20082020141903,pdf.exe	Get hash	malicious	Browse	162.159.129.233
	PROFORMA INVOICE # ID40,pdf.exe	Get hash	malicious	Browse	162.159.135.233
NAMECHEAP-NETUS	Swift MT 199_Pdf.exe	Get hash	malicious	Browse	198.54.116.236
	Inquiry.exe	Get hash	malicious	Browse	198.54.126.106
	AWB_SHIPPING_DOCUMENT_pdf.exe	Get hash	malicious	Browse	198.54.117.217
	imTmqTngvS.exe	Get hash	malicious	Browse	198.54.117.216
	DHL Details.exe	Get hash	malicious	Browse	198.54.114.191
	REMITTANCE ADVICE REF0000360261_PDF.xlsx	Get hash	malicious	Browse	198.54.117.215
	Swift copy.xls	Get hash	malicious	Browse	199.188.200.124
	Orders.exe	Get hash	malicious	Browse	199.193.7.228
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	DHL Details.exe	Get hash	malicious	Browse	198.54.126.165
	order.doc	Get hash	malicious	Browse	199.188.201.34
	aOn5CfTiwS.exe	Get hash	malicious	Browse	198.54.117.244
	PO_55004.exe	Get hash	malicious	Browse	68.65.122.156
	SecuriteInfo.com.Trojan.MulDrop16.10041.23448.exe	Get hash	malicious	Browse	185.61.153.111
	SecuriteInfo.com.Trojan.Inject4.6821.6799.exe	Get hash	malicious	Browse	199.188.200.150
	DCAjXz5y4I.exe	Get hash	malicious	Browse	162.213.255.196
	NEW ORDER.xlsm	Get hash	malicious	Browse	104.219.248.89
	Claim_250196008_01282021.xls	Get hash	malicious	Browse	162.0.226.110
	Claim_250196008_01282021.xls	Get hash	malicious	Browse	162.0.226.110
	lbqFKoALqe.exe	Get hash	malicious	Browse	198.54.117.215
CLOUDFLARENETUS	MIR-CAR_MRC2021751030XMY,pdf.exe	Get hash	malicious	Browse	162.159.129.233
	FACTURA.xlsx	Get hash	malicious	Browse	104.22.1.232
	PO 642021.exe	Get hash	malicious	Browse	104.21.19.200
	00000000000000000090.exe	Get hash	malicious	Browse	172.67.188.154
	sample20210201-01.xlsm	Get hash	malicious	Browse	172.67.189.234
	NsNu725j8o.exe	Get hash	malicious	Browse	172.67.129.48
	FPZaxqP7uB.exe	Get hash	malicious	Browse	23.227.38.74
	AWB_SHIPPING_DOCUMENT_pdf.exe	Get hash	malicious	Browse	66.235.200.146
	DebitNote11_Owners Invoices.exe	Get hash	malicious	Browse	104.21.5.94
	HwL7D1UcZG.exe	Get hash	malicious	Browse	104.21.27.226
	New Order.exe	Get hash	malicious	Browse	172.67.188.154
	IMG_1660392.exe	Get hash	malicious	Browse	172.67.188.154
	IMG_1660392.doc	Get hash	malicious	Browse	172.67.188.154
	Bp93hBPMoi.exe	Get hash	malicious	Browse	104.21.86.207
	mEPx5H8svq.exe	Get hash	malicious	Browse	104.21.45.223
	HoFD3n7z6A.exe	Get hash	malicious	Browse	23.227.38.74
	BLWnF55j6W.exe	Get hash	malicious	Browse	104.21.45.223
	2Debit Note_OwnersInvoices.exe	Get hash	malicious	Browse	172.67.142.171
	20082020141903,pdf.exe	Get hash	malicious	Browse	162.159.129.233
	PROFORMA INVOICE # ID40,pdf.exe	Get hash	malicious	Browse	162.159.135.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PO 642021.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	00000000000000000090.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	New Order.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	IMG_1660392.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	mEPx5H8svq.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	NS_PO_86655443.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	INV#1191189.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	NEW PURCHASE#U00c3#U00bf #U00c3#U00bfORDER.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	CITI SOLUTION COMPANY PROFILE.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	QuotationCVXpo00029392.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	Orders.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	DOCUMENT.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	Hydro-463459.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	Payment Document.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	CHIKWA (2).exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	gGQWGJWR4jzvzse.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	cbUJVTVJ.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	SecuriteInfo.com.Trojan.Packed2.42783.20578.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	file.exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190
	PURCHASE ORDER..exe	Get hash	malicious	Browse	104.23.98.190 104.23.99.190

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AF9.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Feb 1 21:30:59 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	537274
Entropy (8bit):	3.9310595429624575
Encrypted:	false
SSDEEP:	3072:L++noJgF6OH6CvXiyek0sjd+ptBiDNuk0rbA9gIOgF5iRRgsb0OPvyJSUCgUrwZ9:L+iLUvCvlV0dpbDrbA9RpD6bNTjk1N
MD5:	4170235DECFA153A91261EE362565641
SHA1:	C4F7ABBF1F75FA08B540E2C09A3DC6447CE53518
SHA-256:	C4061794E5D6A7C38311A28EE04AB4707AEAB633E5DF323F968E884BB608E9B3
SHA-512:	88722DAD35F603F6BAB9BEC992262A94F2021FA3F5327FAB2638AB155D4F85A18ECA5772F26CC74C74E4729CAACECFAD91EE6ABF2E63AA4FAAE024D298201A78
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........s.`...................U...........B......\/......GenuineIntelW...........T.......4....r.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC13.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.690213391871293
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiFjp6x06Yrm6OgmfZeex8S4CprX89bgksf0amAm:RrlsNi5p6C6YK6OgmffWSIgXfXI
MD5:	80D4AD7A73773992C856046E6E725643
SHA1:	34C802EE7CCAB28F42FCC49B7A53CF1D6F93B370
SHA-256:	8357FAE75D84A0AD351DCB4F4D995F15DB75066FD25E637CBD0CEF03997ABE63
SHA-512:	AB0925156DB78C8275AE77EB57AC1ACAABB20E85C051F7578915C18F60ED9258383C07E7E3AECE77623C58EBD75B998D0624FEDB189F917474057BA67E302CF1
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC7D.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4732
Entropy (8bit):	4.463218689409153
Encrypted:	false
SSDEEP:	48:cvIwSD8zspNJgtWI9cqWSC8Bhs8fm8M4JwquFB+q8v2/JhDg+oIrd:uITfJzLSN7RJwnKuJhDg+xrd
MD5:	3DAC03AA4D4A5D77A84C1C14B8B998CB
SHA1:	1E66988AAD28CCAF1995F35C7BFECE34FB604467
SHA-256:	D559D3756FCDBB5F2D9D0D66674D21DC27AFD5C4BEDDA0BD785DAEB464C30C7E
SHA-512:	FD75BFAE58A93889EB78FE1AF54DD69E4857A28731D1AB834FA3EB27851F906A2468BCCA8DA470F9BD42D5536E9A70CA1B1ADAC6473CF90815240599CBC8BE05
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842801" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POinv00393.exe.log Download File
Process:	C:\Users\user\Desktop\POinv00393.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1039
Entropy (8bit):	5.365622957937216
Encrypted:	false
SSDEEP:	24:MLU84qpE4Ks2wKDE4KhK3VZ9pKhIE4KnKIE4oKFKHKoZAE4Kzr7a:Mgv2HKXwYHKhQnoIHKntHoxHhAHKzva
MD5:	2AAAF19599DBB7B2B9269F77209C4FBA
SHA1:	17286C6FB357C72FFC81EE46EF05575A1AE134FD
SHA-256:	5B8D713F6F10790AF314D4AD256EB7A6BB156912034148D50955AF724FD0F2A4
SHA-512:	8C2E41464E18768F1ABA2CEC8DBBC8C234F538AB01F381ECCF22F865E2624EEFC362E6099C94C1603359FB42C55D2E8F142E44A7DA2B746DFE858811BDFDEBBF
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20608
Entropy (8bit):	5.577957281049141
Encrypted:	false
SSDEEP:	384:2t9D+w+8aWA0kzKJwSBKniultIo3D7Y9gxSJUeRe1qMymF+ZSRx1ldM:yjA+w4Kiultp33xXe+N+9
MD5:	19620665888D6D08F76E36D7436A40C8
SHA1:	04DC1F73E61645D46EA229427E62BADF8DD1D42C
SHA-256:	9CD284466BA35D94F39FFCB8513B387F24F8B3A4F23B46FEBC2600D0985878B8
SHA-512:	D281644896FDDC7BDCF0E602B1FAC36CB4E7BC9107C1E3AB5017F071F743C3689BF4BAE452D9456A8F24160AFF97B28BFA07AA2F00AA5892EF5D518D5AE12614
Malicious:	false
Preview:	@...e.......................R.B.........<............@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)q.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1jbb1rur.kxs.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gd4shtk.lf5.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ap14tuqv.fkf.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btp5zmxs.mrt.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igqs5mg1.0fv.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ita4axrx.vfc.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0eyjx0q.um5.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rrwl3rrp.fl5.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe Download File
Process:	C:\Users\user\Desktop\POinv00393.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4552704
Entropy (8bit):	2.8112977525077643
Encrypted:	false
SSDEEP:	6144:45eP+kQFHJWrhOJUFCfAYes4yP5GgU6NbimHWMJ97/1W3lTYSKVSIrSFoiGPciaW:45eP+kOnEC
MD5:	E0DB9D12220A5099BD1EBFEFC0CCDCFE
SHA1:	B0AF96F187273082687F2C58FACA71B837876429
SHA-256:	09969E8D7AF6E0C3EF34C344FE378DD23B6F93ABCDA793C052E36D1777C35CE7
SHA-512:	297E6B7A0A22BDD42572C761894826131EB18986A8D0CCD0F092FF21249FA38F1911CBEB14E29571843F2A3D5C0FEBE50D1859757B35A52F952D54521BC2A286
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...sU.`.........."...P...C...........C.. ....D...@.. ........................E...........@.................................`.C.K.....D. .....................E...................................................... ............... ..H............text.....C.. ....C................. ..`.rsrc... .....D.......C.............@..@.reloc........E......vE.............@..B..................C.....H........8....C.....$....................................................*....(....~~g...:....(2...s.....g...~g.... .........90...((...9........r.FCp....(....(............(........2rtGCp.()...2r.GCp.()...2r.GCp.()...2r.HCp.().........(......0..........(#...("...(!...( ...(....(....(....(....(....(....(...........d...(....(....(...........c...(....(....(...........b...(....(....(...........a...(....(....(...........`...(....(....(..........._...(....(....(.........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\POinv00393.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\pid.txt Download File
Process:	C:\Users\user\Desktop\POinv00393.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:E:E
MD5:	2CAD8FA47BBEF282BADBB8DE5374B894
SHA1:	89B98F7BE8AFC23EBEFC3E02F86EBB89CBE74176
SHA-256:	4F5131EA0C5A3E7F4C5F86029AE1BE2A60E67F023073BBB074A3A929089E5BC1
SHA-512:	149D27069D40BCB60EA6A635B8E34E8B31FAD19D388C36B3FC8D6DF21F84D4A8DBC8BD05B127102960C9060771C76A8CC836F14B23D1EEA2B0D6CFA5C2B0BCBB
Malicious:	false
Preview:	2100

C:\Users\user\AppData\Roaming\pidloc.txt Download File
Process:	C:\Users\user\Desktop\POinv00393.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.486348298002912
Encrypted:	false
SSDEEP:	3:oNWXp5v1qKrWcBC:oNWXpFgKrY
MD5:	41637FB0193F907F1ABEB6F39EEA4577
SHA1:	4CEED84E860A6DE18CBD6E9DF4FE86B698B25D0B
SHA-256:	FDB0215F49C0EE51BC759CDA39669B5220FCF7591B3F22A22B06E372697B4B2F
SHA-512:	0B7627D614BF73329BF223A9DD2692241E63D8707377DF86F4CD7D244C4E872BE4E2FA417D5DE939325E7F95B9D4DA6FD6AD4B7BC22A7D8E06AF3A56BD0B4C0B
Malicious:	false
Preview:	C:\Users\user\Desktop\POinv00393.exe

C:\Users\user\Documents\20210201\PowerShell_transcript.878164.GqBDotby.20210201132918.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3809
Entropy (8bit):	5.339806385613069
Encrypted:	false
SSDEEP:	96:BZ+haNn2qDo1ZpO1ZIhaNn2qDo1ZmqTp0cp0cp07TZpq:Mlly/q
MD5:	5A3DCAAE0A180D627E433BF5B402255C
SHA1:	C32CA03F2A01A4865B4A4140EA32A019152B3079
SHA-256:	CBA172347D512F02BD657F1FA1861B7DA7F0221D23D9614195ADC9A7674FD386
SHA-512:	BBC8450AAA16B0A3D3BE97845A8B6AA1664970FA9369BAEA9146A8FCD47A4ACB925E69DAC1C363D4C7CA0A6F7D19E62C4503DBDFA0D32BA5840ED13DA206BAF7
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210201132952..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878164 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..Process ID: 6980..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210201132953..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..********************..Command start time: 2021

C:\Users\user\Documents\20210201\PowerShell_transcript.878164.RDa_5qiQ.20210201132920.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5127
Entropy (8bit):	5.417997189198616
Encrypted:	false
SSDEEP:	96:BZchaNkqDo1ZqZphaNkqDo1ZZqUSjZ+haNkqDo1Zs3C9:3
MD5:	6F5B038D676CABE9FE4AF2C24545A590
SHA1:	02B83A0FB6706B92BF51AACAECA5C00BC7DD7490
SHA-256:	DDED7AD2F51FCCF981F5BFDC8312247CC671FF02A871EC733870F3FDE4C1F6E1
SHA-512:	7D37E4B98E05AB946FD7F3AE82D4FB232F49C64265F80FFD33EE156BCDE68FF7A7DE85814A2C0780C3106690D6E9F0D41C29FF2B3F15C012A21ECA83CD6B99C0
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210201132954..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878164 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\POinv00393.exe -Force..Process ID: 7080..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210201132955..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\POinv00393.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210201133945..Username: computer\user..RunAs User: computer\user.

C:\Users\user\Documents\20210201\PowerShell_transcript.878164.RU3nUHy1.20210201132916.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3809
Entropy (8bit):	5.340275685599787
Encrypted:	false
SSDEEP:	96:BZOhaNneqDo1ZvZ1ZehaNneqDo1Z8qTp0cp0cp02ZF:Nll9
MD5:	714E2032E0E9D32A72BEBE0E8CCBF0BD
SHA1:	0A99BF1E3D745DE47BAD3AA441075A7EE13D1685
SHA-256:	7FC0B1528ED7ACB4E1D1228FCE35B417158D06057B4CC521314674BE59AF5DD0
SHA-512:	C74A391C87C9D4003F3EFC503166746986066B1AF09CB2938DA60A3C09AEBB552E0796DA53764169BF6CE889145F61C37B0BF1699E6F705FE00E3E35EA7B07A8
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210201132945..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878164 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..Process ID: 6892..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210201132946..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..********************..Command start time: 2021

C:\Users\user\Documents\20210201\PowerShell_transcript.878164.c22VO1SZ.20210201132917.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3809
Entropy (8bit):	5.339367409959746
Encrypted:	false
SSDEEP:	96:BZ/haNnzqDo1ZpO1ZjhaNnzqDo1ZXqTp0cp0cp04ZI:NllC
MD5:	A803ABA6CCBBBD437B5FEDB28EF7551E
SHA1:	1A2EF0D582DC12737036765A9CFF386F8C718891
SHA-256:	B24F498A88C1404D59DF3CD42346D6DF6FF809F970E8A4EC0813F104000E1F14
SHA-512:	77B79CE756D75E5B725F191198736AAE3D6854177286C634E33BEC483E8EF2C3305499716F8C431FCB34C55319B3591FDF95300FE544144D086467C283737F33
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210201132953..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878164 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..Process ID: 6916..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210201132953..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe -Force..********************..Command start time: 2021

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.8112977525077643
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	POinv00393.exe
File size:	4552704
MD5:	e0db9d12220a5099bd1ebfefc0ccdcfe
SHA1:	b0af96f187273082687f2c58faca71b837876429
SHA256:	09969e8d7af6e0c3ef34c344fe378dd23b6f93abcda793c052e36d1777c35ce7
SHA512:	297e6b7a0a22bdd42572c761894826131eb18986a8d0ccd0f092ff21249fa38f1911cbeb14e29571843f2a3d5c0febe50d1859757b35a52f952d54521bc2a286
SSDEEP:	6144:45eP+kQFHJWrhOJUFCfAYes4yP5GgU6NbimHWMJ97/1W3lTYSKVSIrSFoiGPciaW:45eP+kOnEC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...sU.`.........."...P...C...........C.. ....D...@.. ........................E...........@................................

File Icon


Icon Hash:	1731ec421a143187

Static PE Info

General
Entrypoint:	0x83fbae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60175573 [Mon Feb 1 01:12:19 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43fb60	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x440000	0x19720	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x45a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x43dbb4	0x43dc00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x440000	0x19720	0x19800	False	0.400821461397	data	4.61510693339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x45a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x4401f0	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x440658	0x10a8	data
RT_ICON	0x441700	0x25a8	data
RT_ICON	0x443ca8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_ICON	0x447ed0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 33554431, next used block 33554431
RT_GROUP_ICON	0x4586f8	0x4c	data
RT_VERSION	0x458744	0x324	data
RT_MANIFEST	0x458a68	0xcb8	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.0.0
InternalName	RunFirst.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	WindowsApp4
ProductVersion	1.0.0.0
FileDescription	WindowsApp4
OriginalFilename	RunFirst.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2021 13:29:16.513447046 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:29:16.553508997 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.553692102 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:29:16.601013899 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:29:16.641140938 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.645549059 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.645612955 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.645644903 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.645734072 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:29:16.650084972 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:29:16.690104961 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.690501928 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.732094049 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:29:16.771965027 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:29:16.814507008 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.861993074 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.862031937 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.862070084 CET	443	49713	104.23.98.190	192.168.2.3
Feb 1, 2021 13:29:16.862097025 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:29:16.903844118 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:29:27.112786055 CET	49713	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:30:24.753370047 CET	49733	587	192.168.2.3	198.54.122.60
Feb 1, 2021 13:30:24.947505951 CET	587	49733	198.54.122.60	192.168.2.3
Feb 1, 2021 13:30:24.947632074 CET	49733	587	192.168.2.3	198.54.122.60
Feb 1, 2021 13:30:25.142040968 CET	587	49733	198.54.122.60	192.168.2.3
Feb 1, 2021 13:30:25.150007010 CET	49733	587	192.168.2.3	198.54.122.60
Feb 1, 2021 13:30:25.345731974 CET	587	49733	198.54.122.60	192.168.2.3
Feb 1, 2021 13:30:25.345933914 CET	587	49733	198.54.122.60	192.168.2.3
Feb 1, 2021 13:30:25.387917042 CET	49733	587	192.168.2.3	198.54.122.60
Feb 1, 2021 13:30:25.581036091 CET	587	49733	198.54.122.60	192.168.2.3
Feb 1, 2021 13:30:25.626442909 CET	49733	587	192.168.2.3	198.54.122.60
Feb 1, 2021 13:30:35.580713034 CET	587	49733	198.54.122.60	192.168.2.3
Feb 1, 2021 13:31:18.384181976 CET	49742	443	192.168.2.3	104.23.99.190
Feb 1, 2021 13:31:18.424554110 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.424674034 CET	49742	443	192.168.2.3	104.23.99.190
Feb 1, 2021 13:31:18.659849882 CET	49742	443	192.168.2.3	104.23.99.190
Feb 1, 2021 13:31:18.699973106 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.708345890 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.708395958 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.708425999 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.708525896 CET	49742	443	192.168.2.3	104.23.99.190
Feb 1, 2021 13:31:18.712896109 CET	49742	443	192.168.2.3	104.23.99.190
Feb 1, 2021 13:31:18.752990961 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.757481098 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.844849110 CET	49742	443	192.168.2.3	104.23.99.190
Feb 1, 2021 13:31:18.886878014 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.906265974 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.906311989 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.906337976 CET	443	49742	104.23.99.190	192.168.2.3
Feb 1, 2021 13:31:18.906949043 CET	49742	443	192.168.2.3	104.23.99.190
Feb 1, 2021 13:31:29.612466097 CET	49742	443	192.168.2.3	104.23.99.190
Feb 1, 2021 13:31:42.450350046 CET	49746	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:42.490411043 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.491337061 CET	49746	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:42.494322062 CET	49746	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:42.534347057 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.537802935 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.537851095 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.537899971 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.537921906 CET	49746	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:42.539942026 CET	49746	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:42.580662966 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.581034899 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.587011099 CET	49746	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:42.627904892 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.646184921 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.646214008 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.646239996 CET	443	49746	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:42.646367073 CET	49746	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.166985035 CET	49748	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.207155943 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.207385063 CET	49748	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.237140894 CET	49748	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.277282000 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.280203104 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.280266047 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.280311108 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.280325890 CET	49748	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.289315939 CET	49748	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.331962109 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.332104921 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.344928980 CET	49748	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.386651993 CET	49749	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.387746096 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.413476944 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.413510084 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.413537979 CET	443	49748	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.413568020 CET	49748	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.426853895 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.427016973 CET	49749	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.444993019 CET	49749	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.461222887 CET	49748	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.485136986 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.487859964 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.487879038 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.487889051 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.488208055 CET	49749	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.489525080 CET	49749	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.529505968 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.531852961 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.537373066 CET	49749	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.579297066 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.592983007 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.593019962 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.593046904 CET	443	49749	104.23.98.190	192.168.2.3
Feb 1, 2021 13:31:44.593236923 CET	49749	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:31:44.664321899 CET	49749	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:32:01.318928003 CET	49746	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:32:02.553941965 CET	49748	443	192.168.2.3	104.23.98.190
Feb 1, 2021 13:32:02.735721111 CET	49749	443	192.168.2.3	104.23.98.190

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2021 13:28:59.216948032 CET	64185	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:28:59.264928102 CET	53	64185	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:00.127966881 CET	65110	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:00.176038027 CET	53	65110	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:01.269016027 CET	58361	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:01.317019939 CET	53	58361	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:02.516761065 CET	63492	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:02.569441080 CET	53	63492	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:13.349462032 CET	60831	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:13.397661924 CET	53	60831	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:16.431164026 CET	60100	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:16.490526915 CET	53	60100	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:20.900108099 CET	53195	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:20.948139906 CET	53	53195	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:23.858836889 CET	50141	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:23.911160946 CET	53	50141	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:24.810740948 CET	53023	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:24.860874891 CET	53	53023	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:25.646713018 CET	49563	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:25.696690083 CET	53	49563	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:26.833936930 CET	51352	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:26.882045984 CET	53	51352	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:28.218255997 CET	59349	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:28.279561996 CET	53	59349	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:29.304369926 CET	57084	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:29.352374077 CET	53	57084	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:31.726248980 CET	58823	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:31.777128935 CET	53	58823	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:32.818933010 CET	57568	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:32.866981030 CET	53	57568	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:33.843837976 CET	50540	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:33.904483080 CET	53	50540	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:38.807836056 CET	54366	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:38.857064009 CET	53	54366	8.8.8.8	192.168.2.3
Feb 1, 2021 13:29:49.351733923 CET	53034	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:29:49.418762922 CET	53	53034	8.8.8.8	192.168.2.3
Feb 1, 2021 13:30:02.960099936 CET	57762	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:30:03.017563105 CET	53	57762	8.8.8.8	192.168.2.3
Feb 1, 2021 13:30:13.738193035 CET	55435	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:30:13.804760933 CET	53	55435	8.8.8.8	192.168.2.3
Feb 1, 2021 13:30:16.272480011 CET	50713	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:30:16.331005096 CET	53	50713	8.8.8.8	192.168.2.3
Feb 1, 2021 13:30:24.550024986 CET	56132	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:30:24.606308937 CET	53	56132	8.8.8.8	192.168.2.3
Feb 1, 2021 13:30:47.385190964 CET	58987	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:30:47.437189102 CET	53	58987	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:01.019228935 CET	56579	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:01.077106953 CET	53	56579	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:18.281862020 CET	60633	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:18.341321945 CET	53	60633	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:22.709028959 CET	61292	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:22.758601904 CET	53	61292	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:23.435662031 CET	63619	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:23.507647991 CET	53	63619	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:42.382093906 CET	64938	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:42.429873943 CET	53	64938	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:42.933465958 CET	61946	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:42.992605925 CET	53	61946	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:44.069084883 CET	64910	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:44.120579958 CET	53	64910	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:44.161408901 CET	52123	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:44.220738888 CET	53	52123	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:44.798934937 CET	56130	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:44.858637094 CET	53	56130	8.8.8.8	192.168.2.3
Feb 1, 2021 13:31:59.554116011 CET	56338	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:31:59.614866018 CET	53	56338	8.8.8.8	192.168.2.3
Feb 1, 2021 13:32:01.269294977 CET	59420	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:32:01.326045990 CET	53	59420	8.8.8.8	192.168.2.3
Feb 1, 2021 13:32:02.431868076 CET	58784	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:32:02.490565062 CET	53	58784	8.8.8.8	192.168.2.3
Feb 1, 2021 13:32:05.613373041 CET	63978	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:32:05.675867081 CET	53	63978	8.8.8.8	192.168.2.3
Feb 1, 2021 13:32:06.200283051 CET	62938	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:32:06.256623983 CET	53	62938	8.8.8.8	192.168.2.3
Feb 1, 2021 13:32:06.672820091 CET	55708	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:32:06.732122898 CET	53	55708	8.8.8.8	192.168.2.3
Feb 1, 2021 13:32:07.253746986 CET	56803	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:32:07.311764002 CET	53	56803	8.8.8.8	192.168.2.3
Feb 1, 2021 13:32:07.870692015 CET	57145	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:32:07.930886030 CET	53	57145	8.8.8.8	192.168.2.3
Feb 1, 2021 13:32:08.562553883 CET	55359	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:32:08.613559008 CET	53	55359	8.8.8.8	192.168.2.3
Feb 1, 2021 13:32:09.056766033 CET	58306	53	192.168.2.3	8.8.8.8
Feb 1, 2021 13:32:09.114964008 CET	53	58306	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 1, 2021 13:29:16.431164026 CET	192.168.2.3	8.8.8.8	0x3d6d	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Feb 1, 2021 13:30:16.272480011 CET	192.168.2.3	8.8.8.8	0x39c2	Standard query (0)	84.102.13.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Feb 1, 2021 13:30:24.550024986 CET	192.168.2.3	8.8.8.8	0x5160	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:18.281862020 CET	192.168.2.3	8.8.8.8	0xc79a	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:42.382093906 CET	192.168.2.3	8.8.8.8	0x473e	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:44.069084883 CET	192.168.2.3	8.8.8.8	0xb976	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:44.161408901 CET	192.168.2.3	8.8.8.8	0x75b8	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 1, 2021 13:29:16.490526915 CET	8.8.8.8	192.168.2.3	0x3d6d	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Feb 1, 2021 13:29:16.490526915 CET	8.8.8.8	192.168.2.3	0x3d6d	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Feb 1, 2021 13:30:16.331005096 CET	8.8.8.8	192.168.2.3	0x39c2	Name error (3)	84.102.13.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Feb 1, 2021 13:30:24.606308937 CET	8.8.8.8	192.168.2.3	0x5160	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:18.341321945 CET	8.8.8.8	192.168.2.3	0xc79a	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:18.341321945 CET	8.8.8.8	192.168.2.3	0xc79a	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:42.429873943 CET	8.8.8.8	192.168.2.3	0x473e	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:42.429873943 CET	8.8.8.8	192.168.2.3	0x473e	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:42.992605925 CET	8.8.8.8	192.168.2.3	0xd1ec	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Feb 1, 2021 13:31:44.120579958 CET	8.8.8.8	192.168.2.3	0xb976	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:44.120579958 CET	8.8.8.8	192.168.2.3	0xb976	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:44.220738888 CET	8.8.8.8	192.168.2.3	0x75b8	No error (0)	pastebin.com		104.23.98.190	A (IP address)	IN (0x0001)
Feb 1, 2021 13:31:44.220738888 CET	8.8.8.8	192.168.2.3	0x75b8	No error (0)	pastebin.com		104.23.99.190	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 1, 2021 13:29:16.645644903 CET	104.23.98.190	443	192.168.2.3	49713	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Feb 1, 2021 13:29:16.645644903 CET	104.23.98.190	443	192.168.2.3	49713	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Feb 1, 2021 13:31:18.708425999 CET	104.23.99.190	443	192.168.2.3	49742	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Feb 1, 2021 13:31:18.708425999 CET	104.23.99.190	443	192.168.2.3	49742	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Feb 1, 2021 13:31:42.537899971 CET	104.23.98.190	443	192.168.2.3	49746	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Feb 1, 2021 13:31:42.537899971 CET	104.23.98.190	443	192.168.2.3	49746	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Feb 1, 2021 13:31:44.280311108 CET	104.23.98.190	443	192.168.2.3	49748	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Feb 1, 2021 13:31:44.280311108 CET	104.23.98.190	443	192.168.2.3	49748	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Feb 1, 2021 13:31:44.487889051 CET	104.23.98.190	443	192.168.2.3	49749	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 17 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Feb 1, 2021 13:31:44.487889051 CET	104.23.98.190	443	192.168.2.3	49749	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 1, 2021 13:30:25.142040968 CET	587	49733	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Feb 1, 2021 13:30:25.150007010 CET	49733	587	192.168.2.3	198.54.122.60	EHLO 878164
Feb 1, 2021 13:30:25.345933914 CET	587	49733	198.54.122.60	192.168.2.3	250-mta-14.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 1, 2021 13:30:25.387917042 CET	49733	587	192.168.2.3	198.54.122.60	STARTTLS
Feb 1, 2021 13:30:25.581036091 CET	587	49733	198.54.122.60	192.168.2.3	220 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: POinv00393.exe PID: 6708 Parent PID: 5692

General

Start time:	13:29:05
Start date:	01/02/2021
Path:	C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\POinv00393.exe'
Imagebase:	0xe70000
File size:	4552704 bytes
MD5 hash:	E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 6892 Parent PID: 6708

General

Start time:	13:29:14
Start date:	01/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Imagebase:	0xcc0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6900 Parent PID: 6892

General

Start time:	13:29:14
Start date:	01/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6916 Parent PID: 6708

General

Start time:	13:29:14
Start date:	01/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Imagebase:	0xcc0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6964 Parent PID: 6916

General

Start time:	13:29:15
Start date:	01/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6980 Parent PID: 6708

General

Start time:	13:29:15
Start date:	01/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Imagebase:	0xcc0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7072 Parent PID: 6980

General

Start time:	13:29:15
Start date:	01/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 7080 Parent PID: 6708

General

Start time:	13:29:15
Start date:	01/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
Imagebase:	0xcc0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7128 Parent PID: 7080

General

Start time:	13:29:16
Start date:	01/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: POinv00393.exe PID: 2100 Parent PID: 6708

General

Start time:	13:29:23
Start date:	01/02/2021
Path:	C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\POinv00393.exe
Imagebase:	0x800000
File size:	4552704 bytes
MD5 hash:	E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: POinv00393.exe PID: 6464 Parent PID: 3388

General

Start time:	13:29:26
Start date:	01/02/2021
Path:	C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\POinv00393.exe'
Imagebase:	0xe10000
File size:	4552704 bytes
MD5 hash:	E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: POinv00393.exe PID: 5436 Parent PID: 3388

General

Start time:	13:29:35
Start date:	01/02/2021
Path:	C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\POinv00393.exe'
Imagebase:	0x780000
File size:	4552704 bytes
MD5 hash:	E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: POinv00393.exe PID: 2296 Parent PID: 3388

General

Start time:	13:29:44
Start date:	01/02/2021
Path:	C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\POinv00393.exe'
Imagebase:	0x110000
File size:	4552704 bytes
MD5 hash:	E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: POinv00393.exe PID: 1784 Parent PID: 3388

General

Start time:	13:29:52
Start date:	01/02/2021
Path:	C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\POinv00393.exe'
Imagebase:	0xcc0000
File size:	4552704 bytes
MD5 hash:	E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: POinv00393.exe PID: 5404 Parent PID: 3388

General

Start time:	13:30:01
Start date:	01/02/2021
Path:	C:\Users\user\Desktop\POinv00393.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\POinv00393.exe'
Imagebase:	0x740000
File size:	4552704 bytes
MD5 hash:	E0DB9D12220A5099BD1EBFEFC0CCDCFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: WerFault.exe PID: 5556 Parent PID: 2100

General

Start time:	13:30:26
Start date:	01/02/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940
Imagebase:	0x370000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: POinv00393.exe PID: 6708 Parent PID: 5692 POinv00393.exeCOMMON

Executed Functions

Function 01C87AEB, Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a06aa32bbbd4322f6fb69ad1b7ec83000571fa3d98ebab076fd7460cb17bd9
Instruction ID: a5a7bf332d72142ffccb0954665c8560de67c95c63fbcec2b5027e7a6cc855dd
Opcode Fuzzy Hash: 01a06aa32bbbd4322f6fb69ad1b7ec83000571fa3d98ebab076fd7460cb17bd9
Instruction Fuzzy Hash: EF027E70A002198FDB15DF69C894BAEBBB6BF88308F248469E505DB795EF34DD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01C88251, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ff7829d6b921ce783ed4198644c399c25f2e4616c1911de906bcc1878f9166
Instruction ID: 38cf016c602677d40ca95dae25b1fd89f8567a203ddc92fb8391942aeccd3972
Opcode Fuzzy Hash: 11ff7829d6b921ce783ed4198644c399c25f2e4616c1911de906bcc1878f9166
Instruction Fuzzy Hash: D3D15D71A00115CFDB15EFA9C8C4AAEBBF2BF88308F958069E505ABA65D730DD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01C80DC8, Relevance: 4.3, Strings: 3, Instructions: 594COMMON

Download Yara Rule

Strings

3)l^, xrefs: 01C80E2F
#)l^, xrefs: 01C80E51
SI, xrefs: 01C819BD, 01C819DF

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID: #)l^$3)l^$SI
API String ID: 0-3111387172
Opcode ID: 67cecfac573052441e7e1c58818d9c9bc349c11077c1b7d8f0f7a2b0ef575506
Instruction ID: d545bd9c2d82d82aa5c0b5517e182025e83ffd906d9a63f177440733ebcefb67
Opcode Fuzzy Hash: 67cecfac573052441e7e1c58818d9c9bc349c11077c1b7d8f0f7a2b0ef575506
Instruction Fuzzy Hash: 2B522C74269600CFC3A1BF68F98D44D3B61FF453067819924F903C7A2AEBB49D998F61

Uniqueness

Uniqueness Score: -1.00%

Function 01C80DC4, Relevance: 4.3, Strings: 3, Instructions: 594COMMON

Download Yara Rule

Strings

3)l^, xrefs: 01C80E2F
#)l^, xrefs: 01C80E51
SI, xrefs: 01C819BD, 01C819DF

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID: #)l^$3)l^$SI
API String ID: 0-3111387172
Opcode ID: e2af9053ff2f745f8cd5ce5591f1211334ffe6c6b5c859aea2ce11871924c6c3
Instruction ID: c5ed120d193f0cca863e8fee411b0435bc5fdb813d697916d40af09833527a03
Opcode Fuzzy Hash: e2af9053ff2f745f8cd5ce5591f1211334ffe6c6b5c859aea2ce11871924c6c3
Instruction Fuzzy Hash: E0522C74269600CFC3A1BF68F98D44D3B61FF453067819924F903C7A2AEBB49D998F61

Uniqueness

Uniqueness Score: -1.00%

Function 01C83F50, Relevance: 1.8, Strings: 1, Instructions: 593COMMON

Download Yara Rule

Strings

W, xrefs: 01C84789

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 544c8acc0c80941798655f7a9d9a8412ad7c1f04fa6a93e2853c694be8929216
Instruction ID: e7addc3762d5185709f32e1183d61705ca5ac254578ba992f5ff5fd1377b5647
Opcode Fuzzy Hash: 544c8acc0c80941798655f7a9d9a8412ad7c1f04fa6a93e2853c694be8929216
Instruction Fuzzy Hash: 2C5284B4A006198FCB64DFA8D84469DBBF1FB89321F105659D868E7390EB389EC1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01C83F4B, Relevance: 1.8, Strings: 1, Instructions: 557COMMON

Download Yara Rule

Strings

W, xrefs: 01C84789

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 23c74c8e740a09ef762e04666a8e14cc75c5968c19ec8bce5220a818917baea6
Instruction ID: 0c6c04114433bb36e185df4a2bbb906c942a93947219f7827d328c2c1b806835
Opcode Fuzzy Hash: 23c74c8e740a09ef762e04666a8e14cc75c5968c19ec8bce5220a818917baea6
Instruction Fuzzy Hash: 245294B4A006198FCB64DFA8DC4469DBBB1FB89321F105659D868E7390EB389EC1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06DA516C, Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06DA53AE

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9e77af31de5c4eee0814132cbd7c3345e7f66310a66fc2be0cd5ac1136927247
Instruction ID: 220570fb763771f187a30bfa9171e2c70c261f4d9fcd7abd559892288c5213b2
Opcode Fuzzy Hash: 9e77af31de5c4eee0814132cbd7c3345e7f66310a66fc2be0cd5ac1136927247
Instruction Fuzzy Hash: 40A17971D04319DFDB60CFA8D8817EEBBB2BF48314F1485A9E809A7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5178, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06DA53AE

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3156a4fc84a9890c8ea006d503b3ec8df736ac63168cde8f5ef79770af58c15e
Instruction ID: 1ae99aaaa250736274e8bc5c2bedc94d2af313c5e342efdf2272f789fd57faf7
Opcode Fuzzy Hash: 3156a4fc84a9890c8ea006d503b3ec8df736ac63168cde8f5ef79770af58c15e
Instruction Fuzzy Hash: 75917871D04319CFDB60CFA8D8817EEBBB2BF48314F1485A9E809A7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06DA4EE8, Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06DA4F80

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: de58f98fd15ef8b29a46281da472f4b18450a04e53ff749ce7ef707834d1c015
Instruction ID: 648da8fbe2d09b26adccc11afed89bc7fa3d0c1a3a6da2dedee8ec9dd72734b0
Opcode Fuzzy Hash: de58f98fd15ef8b29a46281da472f4b18450a04e53ff749ce7ef707834d1c015
Instruction Fuzzy Hash: 842135B2D003199FCF50CFA9C9807EEBBF5BF48314F10842AE919A7241D7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06DA4FD8, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06DA5060

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 459c57a4cb0a516ad04784707e323403bd297324383a7e6686d2d1f2d3d18ad3
Instruction ID: 0d41182eb3e3c1045713a1181bb9e5045e8d805bc8e4ca62eac14bbe9658b629
Opcode Fuzzy Hash: 459c57a4cb0a516ad04784707e323403bd297324383a7e6686d2d1f2d3d18ad3
Instruction Fuzzy Hash: 05215771C002199FCB10CFA9D880BEEBBF4FF48314F44842AE919A7240D7759904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DA4EF0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06DA4F80

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2ed700bedb9a5ccd79523511427861f811d897d1e6e5ff72aeddb0d91f0bd155
Instruction ID: 23df64d70f8476778888e33ad07775aa6821e0bf2d6dfe42252ca492bf74c688
Opcode Fuzzy Hash: 2ed700bedb9a5ccd79523511427861f811d897d1e6e5ff72aeddb0d91f0bd155
Instruction Fuzzy Hash: 76214471D043099FCB50CFA9C880BEEBBF5FF48314F00842AE919A7240CB78A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DA4949, Relevance: 1.6, APIs: 1, Instructions: 65threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 06DA49CE

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: eac0749b9bca0129edd0d4fb8fcfa6709a83ec2b26c5de9a428142b2e1f1a282
Instruction ID: f9a06553dcb50d1b7d5eeeb29226cc1cee16b04a9a57e4e7d115387bf06da8dd
Opcode Fuzzy Hash: eac0749b9bca0129edd0d4fb8fcfa6709a83ec2b26c5de9a428142b2e1f1a282
Instruction Fuzzy Hash: FA216871D043088FCB10CFAAC5847EEBBF4AF88228F54842ED519A7340DB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DA4FE0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06DA5060

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d36d256d79bd6389884e668b36ec54964ed153fda83af7924760d9a6099eb78b
Instruction ID: f4c5b53b4e265c301d5e2c6243b40db01be71a1ea66aba8a52f510aacc1c8967
Opcode Fuzzy Hash: d36d256d79bd6389884e668b36ec54964ed153fda83af7924760d9a6099eb78b
Instruction Fuzzy Hash: 20212571D043499FCB10CFAAD880BEEBBF5FF48324F50842AE919A7240D7799944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DA4950, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 06DA49CE

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 61969b299ccaacd1bbd9112ca796b64f879a8a4b4d59c3ea2d1d689af87cd763
Instruction ID: 7f307992f1fbbe08a36c32a11d7cacd8fe92e38b2fb76098fa8d98e91d00cfeb
Opcode Fuzzy Hash: 61969b299ccaacd1bbd9112ca796b64f879a8a4b4d59c3ea2d1d689af87cd763
Instruction Fuzzy Hash: A4213871D043088FCB50CFAAC5857EEBBF4AF88228F54842ED559A7240DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DA4E2A, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06DA4E9E

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bde0a5d1a8cbe476b990901d84a4dcd7447cf48134f68d22179d34cbf765edbe
Instruction ID: 285d5d514112d19cc048269e2d174c021a5034d7c74228045997fcf528d5941a
Opcode Fuzzy Hash: bde0a5d1a8cbe476b990901d84a4dcd7447cf48134f68d22179d34cbf765edbe
Instruction Fuzzy Hash: 5C1159719042089FCB10DFA9D8447DFBBF5AF48324F148819D915A7250D775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5571, Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,00000005), ref: 06DA55DA

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c364055d1dfcc891ec25dd8705e1bb6a3c82ed49b876fd188802cf8117bd622b
Instruction ID: 15a83f92113fd15cbd1d5bea54530d728bffe995e9a5ed3c8ae9a050163d20f1
Opcode Fuzzy Hash: c364055d1dfcc891ec25dd8705e1bb6a3c82ed49b876fd188802cf8117bd622b
Instruction Fuzzy Hash: EC114672D043488FCB10DFA9D8447EEBBF9AF88224F158819D519A7640DB35A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DA4E30, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06DA4E9E

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f9e8efb1f4f859981009c9b9c7917f29f0363118c8549cef642be64830b7184e
Instruction ID: 2636834f1c0d33951a2edd82afb7a055cb51c70ed97a90164081d06372f9ebb6
Opcode Fuzzy Hash: f9e8efb1f4f859981009c9b9c7917f29f0363118c8549cef642be64830b7184e
Instruction Fuzzy Hash: 97113772D042489FCF10CFA9D8447EFBBF5AF88324F148819D519A7250CB75A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DA5578, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,00000005), ref: 06DA55DA

Memory Dump Source

Source File: 00000000.00000002.335707418.0000000006DA0000.00000040.00000001.sdmp, Offset: 06DA0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c7f7ae6958fc4560411fac67b4767ff044d3b07e3535e63681a5650ca506961e
Instruction ID: 01e990941e66d778f1d26b33742f07901a92dd34c2e910cb165c469daf6664a5
Opcode Fuzzy Hash: c7f7ae6958fc4560411fac67b4767ff044d3b07e3535e63681a5650ca506961e
Instruction Fuzzy Hash: 99113672D043488FCB10DFAAD8447EEFBF9AF88224F148819C519A7640DB79A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01C88740, Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cb08484fb83d79905e9f90740b965f62cd81916ba23fa72299179b752e8b38
Instruction ID: ec378643d6d4b2b85233f2b07e7d7038a232ac6fe659a94d4ee60290e48a3831
Opcode Fuzzy Hash: a5cb08484fb83d79905e9f90740b965f62cd81916ba23fa72299179b752e8b38
Instruction Fuzzy Hash: 95228D30A00209DFCB15EF68D8C4A9EBBF2BF48318F558559E919DBAA1D730ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01C8AD48, Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89383fd6a134ec1b9ff3459983759978c169d7ffe9c5c2f1b46b69fd3b9689f
Instruction ID: 49d3f4fd0148078647b205b32db1758d5e3456801bb01655a667918f14209d54
Opcode Fuzzy Hash: f89383fd6a134ec1b9ff3459983759978c169d7ffe9c5c2f1b46b69fd3b9689f
Instruction Fuzzy Hash: 0EA17070704111CFEB25AA2EC6D873E36A6EF84608F14446AE612CF7E2DB69CD42C752

Uniqueness

Uniqueness Score: -1.00%

Function 01C8FD6A, Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15a5e88ac81b0aeba3bd1d48b9e7587c1e44817829bf7b754b406340dbe5a3a
Instruction ID: 88c6999e7dc7db006ecc57d0c27f8676516b6a724a48362663c04a08653ebbd4
Opcode Fuzzy Hash: f15a5e88ac81b0aeba3bd1d48b9e7587c1e44817829bf7b754b406340dbe5a3a
Instruction Fuzzy Hash: DB1148357082408FD715567998A86AABFAB9FCA310F1884BBE646C7799CF64CC018762

Uniqueness

Uniqueness Score: -1.00%

Function 01C8FD78, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c62b14c294c24942e18de7eb3fb032768a5ea21fc3d6f22c99adc6ff0cc3c70
Instruction ID: 243bc734f61b388834e116b165753768d93099e9eaa2be43df471e96f09fbd4a
Opcode Fuzzy Hash: 9c62b14c294c24942e18de7eb3fb032768a5ea21fc3d6f22c99adc6ff0cc3c70
Instruction Fuzzy Hash: 87016D357091048BD7141A7A985867BFA9FEFC9310F54847BE646C3389CF78CC418762

Uniqueness

Uniqueness Score: -1.00%

Function 01C8EF40, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a44609e89ac761e816ceee763fe3bae06f8179b03b5256fd48dcb4c266472a2
Instruction ID: 9b2e17821d59947e0540aae55edf7d997d7754989e5edc82969549a698c2f340
Opcode Fuzzy Hash: 8a44609e89ac761e816ceee763fe3bae06f8179b03b5256fd48dcb4c266472a2
Instruction Fuzzy Hash: 35A16A34610A00CFDB157B74E86CB6E7BB1EB88359F100469E903D73A5DB39DD8A9B90

Uniqueness

Uniqueness Score: -1.00%

Function 01C86FD0, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efb08833a7d078c86d090777deca970a60366656ddcd5e20922fb007c3a7532
Instruction ID: dd4a13011d8e5b4a28451e13d262ad0403b3ae45c5bfef3f98d460a10a6b6e44
Opcode Fuzzy Hash: 0efb08833a7d078c86d090777deca970a60366656ddcd5e20922fb007c3a7532
Instruction Fuzzy Hash: 7A81C030700215DFCF19AB68C898BBE7BA6FB88709F148468E906DB784DBB0DD41C791

Uniqueness

Uniqueness Score: -1.00%

Function 01C8BA88, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a0ad7d5fe15a3fc7f16a0acde2b920d5bbf6f954370f9cf7cf8545a0a4a37d
Instruction ID: f28fb606725b7481b26192e3f79d56fe820dfedc2cbb5701acf12835bfeb3676
Opcode Fuzzy Hash: 27a0ad7d5fe15a3fc7f16a0acde2b920d5bbf6f954370f9cf7cf8545a0a4a37d
Instruction Fuzzy Hash: A771F170A00206CFDB15EBADC8D07BE7BA6EF85308F188469D505DB392DB39DD428790

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F012, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fee79c042ed134d6285b98ea18bcf9ef58af5147f7343c69a37349ee55f204
Instruction ID: 2f22f2816bcb821ef90d8752138a023faba145ca8390a1ee0a82ce52e97eb50b
Opcode Fuzzy Hash: a0fee79c042ed134d6285b98ea18bcf9ef58af5147f7343c69a37349ee55f204
Instruction Fuzzy Hash: 9B815B34610A10CFCB157B74E86CA6D77B2FB88719F100069E903973A9DF399D8ADB90

Uniqueness

Uniqueness Score: -1.00%

Function 01C876BC, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee83353dd5bc29517c233b30367e40450d60278b35f2222a57eb8acd9722d7d
Instruction ID: 893931ea9f5b3396aecf590a704c6be838a65ac4c5aa2a00067af369756d8edc
Opcode Fuzzy Hash: 2ee83353dd5bc29517c233b30367e40450d60278b35f2222a57eb8acd9722d7d
Instruction Fuzzy Hash: C6719E34A10305CFDB14EF6DC4C49AEBBB2BF89218B258169D516EB361E731ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F067, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7e3e80071711c4f91f849378422a9c42e1c67dd6fac8ebf8b74dc5708a15d0
Instruction ID: 64f71e6a150c2f9960e4a2fa1d700e048860eceb7e78de6602c42fc6eae61fbb
Opcode Fuzzy Hash: 6e7e3e80071711c4f91f849378422a9c42e1c67dd6fac8ebf8b74dc5708a15d0
Instruction Fuzzy Hash: E3713E34610A00CFCB05BB74E46CA6D77B2FF88319B105069E902D77A5DF399D8ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 01C89D78, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d16b338f5fc5a2eba5c65178658fa0b4220729d161fc4136e10932d9e124350
Instruction ID: 75a08f01dd9f92bf209184248ee55f424b3ae3f69ebbca35b4b109640051d6bf
Opcode Fuzzy Hash: 5d16b338f5fc5a2eba5c65178658fa0b4220729d161fc4136e10932d9e124350
Instruction Fuzzy Hash: 1561FA34700215CFDB29EF69C4D8ABD7BE5AF89609B1500A9E506DB3B1DB70DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F0C7, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9529695da1ed5ab9d7ea88c767b50064c8e72638d56e966b94e95e87a9d5b25
Instruction ID: 539c5968c367892a5e2a168a93a27132b1b1fc4831cac17355b66fd475b972cf
Opcode Fuzzy Hash: b9529695da1ed5ab9d7ea88c767b50064c8e72638d56e966b94e95e87a9d5b25
Instruction Fuzzy Hash: 00613C34610A10CFCB05BBB4E46C96D77B2FF88319B205069E80297769DF399D8ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F0EA, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e95afc0654a63c2110be6bc5baac09e5c73b16d20d5a9e10615f3ded48edb73
Instruction ID: 0116f349a88cad99a1f2ca9b659f582c64edb173b16158e5f8e062c3527fc1c6
Opcode Fuzzy Hash: 7e95afc0654a63c2110be6bc5baac09e5c73b16d20d5a9e10615f3ded48edb73
Instruction Fuzzy Hash: DB613D34610A10CFCB05BB74E46C96D77B2FF88319B205069E80297769DF399D8ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F109, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ab91b8abb01374fbe4ca7e5c1a41321af9df1e8ddf72b051c597681e680326
Instruction ID: 974cf1f405c557d8a4f93ca7304520fb496a24f7e5fe61612b6de3a76ce3cc4c
Opcode Fuzzy Hash: d6ab91b8abb01374fbe4ca7e5c1a41321af9df1e8ddf72b051c597681e680326
Instruction Fuzzy Hash: 7F614D34610A10CFCB05BB74E46C96D77B2FF88319B205069E80297769DF399D8ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F122, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18888e0089ac30e1ae4ac2a12439c06207aaf650a714adbba4de48ed0a7f8cde
Instruction ID: 67e95a418193a20bebd635b10232f67756ca8633f31447a9e8b33da80e4cbf52
Opcode Fuzzy Hash: 18888e0089ac30e1ae4ac2a12439c06207aaf650a714adbba4de48ed0a7f8cde
Instruction Fuzzy Hash: B2613D34610A10CFCB05BB74E46C96D77B2FF88319B205069E80297769EF399D8ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 01C85538, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad7cffb2c1f7aa46850c6ccbb70da32f719772b7bbde52c167ca5aa620e02b6
Instruction ID: d33781b318d3d0f62e11081e3d1255ffdac75b7c55d8d733dbc9ed9d1b8631c9
Opcode Fuzzy Hash: 0ad7cffb2c1f7aa46850c6ccbb70da32f719772b7bbde52c167ca5aa620e02b6
Instruction Fuzzy Hash: C8614E34A0410EAFCB18DBA4D851B5EBB72FF88304F219899DD056B758DB396D81DF41

Uniqueness

Uniqueness Score: -1.00%

Function 01C8B8E0, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb773396049a2e298a6ff2f74e6b3e796c264cfe0e016fbb2d2f0e7bee2f3bcd
Instruction ID: 7f45d0442e09b21b0ca6401bb8535de3de89562fdf5527c29eef05840b675ddd
Opcode Fuzzy Hash: eb773396049a2e298a6ff2f74e6b3e796c264cfe0e016fbb2d2f0e7bee2f3bcd
Instruction Fuzzy Hash: ED51B230704248DFDB01EB69C884B6ABBF6EF88354F048066E909CB365DBB5DD00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01C872C4, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537c242a418ff725c91f7253895339fa4f0901bf1e0b7e9cf26d148de728c840
Instruction ID: ff621b2a364eef5fe6f80fb47827d0f4a326f9bef0ff6ed0ff464a89830f9288
Opcode Fuzzy Hash: 537c242a418ff725c91f7253895339fa4f0901bf1e0b7e9cf26d148de728c840
Instruction Fuzzy Hash: 6F41C0307042518FDB29AB7984D477EB7E2ABC9208F288469D9468B785EF78CC458792

Uniqueness

Uniqueness Score: -1.00%

Function 01C853D0, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593780ec3dd7559f103dc708186ef1c5d2e93a0b2aa2b3785d6c5104f6996b69
Instruction ID: a4c481f9f4f3df136a638e49a8579dc76e8a422306980d35f13159620a6afac3
Opcode Fuzzy Hash: 593780ec3dd7559f103dc708186ef1c5d2e93a0b2aa2b3785d6c5104f6996b69
Instruction Fuzzy Hash: F941AE74B04249CFCF15DF69C8949AEBBF6AF88208F20406ED405EB751DB70DD058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01C8D420, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8980c96809916cb61ac45e6a3fdfaed9a3f17d632380b3a4b0a56867d4a5e410
Instruction ID: 0632fe849ed31c9d430a8bff124bd67610139a28097212732dd02141446161b9
Opcode Fuzzy Hash: 8980c96809916cb61ac45e6a3fdfaed9a3f17d632380b3a4b0a56867d4a5e410
Instruction Fuzzy Hash: CD41A275204255DFDB16AFA8D884BBE3BF2FF89208F05845AE8069B391DB74DD01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01C89E41, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e11900aa772a7fbad7b9775abfcc194c9f2710538566954648682954e481e0
Instruction ID: a00b31fc0fb51b316725e5c9736d1a26ebf1b29c12d11da96f70d317124804f5
Opcode Fuzzy Hash: 90e11900aa772a7fbad7b9775abfcc194c9f2710538566954648682954e481e0
Instruction Fuzzy Hash: 42410430604215CFDB6AEF69C4C4ABE7BA6AF85209F144065E906DB2A1CB71DE81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F1FA, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f2da3b58a4580bcf757bcc7e55e21c94da1011808813c35bd204615ce8522f
Instruction ID: d330383eb85998aa99fb5a4ad829e4daa5b907702cc8fab4835f72fb51a4705d
Opcode Fuzzy Hash: f0f2da3b58a4580bcf757bcc7e55e21c94da1011808813c35bd204615ce8522f
Instruction Fuzzy Hash: 5D410D38A10A10CFCB05BB74E46C96D77B2FB887197105069E80393369DB399D9ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 01C89368, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8919f69e27f36b9e026ea4f61bfaa565260f9673bf27dcbbf2fe36a2e4f556
Instruction ID: 681907e8272862cdc79affb25f5a448da569a3999ba3a58e8086eaba23ae2b2f
Opcode Fuzzy Hash: dd8919f69e27f36b9e026ea4f61bfaa565260f9673bf27dcbbf2fe36a2e4f556
Instruction Fuzzy Hash: 5A31B235B041049FCB18AB68D894AAE7BF6EFCC215F144469E506DB7A5CF70DC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01C88108, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680e0619165edbeff5161daaec414e17edd9c61e29c9300ebfebd2231a7e2e5a
Instruction ID: 64557ae6a78dbae2b5a742eb992972aa65e14aab39499bd4b36de329c99f7e1c
Opcode Fuzzy Hash: 680e0619165edbeff5161daaec414e17edd9c61e29c9300ebfebd2231a7e2e5a
Instruction Fuzzy Hash: 5D41F030A00208DFCF15DFA8C884BBFBBB6EB84308F44846AE9158BA51DB74DD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01C85278, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129ceab6932b9a6db3ba10ccbd95885974b5fd7d4034cd0caf9e13c48c62ee67
Instruction ID: e14c2b93253406610f0cb911517d9a93bc6303aefc26cb2b6cf9da37947fd175
Opcode Fuzzy Hash: 129ceab6932b9a6db3ba10ccbd95885974b5fd7d4034cd0caf9e13c48c62ee67
Instruction Fuzzy Hash: 4F31C335B05105DBCB69AABD84903BF36A7ABC4728F24856CD516CB7C4DFB4CC424792

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F238, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da589538065d9dbc62262f93075613240ceb81128530ecbbd1007668851223e9
Instruction ID: c5021c3bb496476a1c8043b9dc8d22abc3b95d2813b82e15b74f318646dfae24
Opcode Fuzzy Hash: da589538065d9dbc62262f93075613240ceb81128530ecbbd1007668851223e9
Instruction Fuzzy Hash: B9412E38610A10CFCB067B64E46C86D77B2FB4872971050A9EC0393769EF399D9ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F5B0, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675243c78040db1ee09c2b548c61e56c0fea9e3aac35664576d1f71482733c14
Instruction ID: 5264c546461d305d1c4097bfe55759af2b001293adb7f76be2017c4095ca6087
Opcode Fuzzy Hash: 675243c78040db1ee09c2b548c61e56c0fea9e3aac35664576d1f71482733c14
Instruction Fuzzy Hash: 14318D347040248FDB58EB78E491AAE32E7EF8965CB50856CE506CB7A4DF38DD068792

Uniqueness

Uniqueness Score: -1.00%

Function 01C8ABA8, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c5d480a5b29ed251878c524c43ff4515e74b26499886f0d3c39bd9e2c77305
Instruction ID: 9c18a02d50f3660c5f34b43377392519ffb978e0e8dded92526cc13c0a4ba552
Opcode Fuzzy Hash: 73c5d480a5b29ed251878c524c43ff4515e74b26499886f0d3c39bd9e2c77305
Instruction Fuzzy Hash: 6231E570318205CFDB26AB7DC8D4A3D7BA6FF81648B19487BD106CB292DB26ED808751

Uniqueness

Uniqueness Score: -1.00%

Function 01C86380, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab65ca552b98a11c874a867790c7429401126f18719aa41688bf1d6afd3b70ba
Instruction ID: c99ee1df125d3c335c73a7ab22feb60aff3e9b2a184296ba5cf6a4d668d22eab
Opcode Fuzzy Hash: ab65ca552b98a11c874a867790c7429401126f18719aa41688bf1d6afd3b70ba
Instruction Fuzzy Hash: A2319C31604219DFCF0AAF68D8C8AAE7BA2FB88304F008029F90697750CB75DD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01C85E68, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f0f3a45bdf92ed64cb2d1e6f38469726e99efc89fd44d348d488488c4b3f47
Instruction ID: 8bf2d1f290b6eec2b9aeb839974763990c6c27e068a05af153a19283db68da75
Opcode Fuzzy Hash: 13f0f3a45bdf92ed64cb2d1e6f38469726e99efc89fd44d348d488488c4b3f47
Instruction Fuzzy Hash: 2E21E430B44104AFDB28A6A99C95BBF37A7EBC4255F248469E606DB7C4CFB4CC018751

Uniqueness

Uniqueness Score: -1.00%

Function 01C89528, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9668a8fae54b6f3b5c972e42b49de39c478118f326bf9a2c1bac173ea1d26868
Instruction ID: 026e3937f7f2122a7c1c9e65a9a17598064ac9d467e2aef6e2151b1702157758
Opcode Fuzzy Hash: 9668a8fae54b6f3b5c972e42b49de39c478118f326bf9a2c1bac173ea1d26868
Instruction Fuzzy Hash: 44315071A005098FCB04DFACC8C49AEBBB6BFC431CB158559E6159B3A5CB34ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01C8D288, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39437a94414883595a16bc5cbc8ab32d3c484864fe4862de9fb4c2536e20940f
Instruction ID: f63fb396ce376a26aeccbb6f041d1451ace23e9469fd86b4863dff3d2739c3b0
Opcode Fuzzy Hash: 39437a94414883595a16bc5cbc8ab32d3c484864fe4862de9fb4c2536e20940f
Instruction Fuzzy Hash: C2317E3160015AEFCF16AFA8D8D4ABE7BB2FB58315F044019F9068B291CB75CE61DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01C8A030, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca6c9c7b092bc209b3cba45085708fc146119beb0d00788c7d3d25d23f4dd63
Instruction ID: 0bd35ee54537bafabd09d2cb4f424671c1636f5ae38a0777aa8562aa56c4e03b
Opcode Fuzzy Hash: dca6c9c7b092bc209b3cba45085708fc146119beb0d00788c7d3d25d23f4dd63
Instruction Fuzzy Hash: D721B634304214CBDB25667A99D477A36979FC465CF24803AD903CFB95DF7ACC429782

Uniqueness

Uniqueness Score: -1.00%

Function 01C85E78, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab30e0b02a7f7b462d209d92a4164dde9d2166da592fe90e1084b6ebf08b674
Instruction ID: a757d6e9a1c01427502d8257722d661532639508b0941b7c5f6ffb28363f0962
Opcode Fuzzy Hash: dab30e0b02a7f7b462d209d92a4164dde9d2166da592fe90e1084b6ebf08b674
Instruction Fuzzy Hash: 25219230744104ABE7386A2A5CD5B7F36ABABC4769F648424F6069B7C4CFB4DC018765

Uniqueness

Uniqueness Score: -1.00%

Function 01C8A02D, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58644e7b062b34da4c5b8ddd4ea87aa1bbe3e228442fffcb0cfe4219f516c36
Instruction ID: 1d145dfd58ca7e6b8cc70ae097c049f5099f9e14a3074d19728807184e0a1276
Opcode Fuzzy Hash: e58644e7b062b34da4c5b8ddd4ea87aa1bbe3e228442fffcb0cfe4219f516c36
Instruction Fuzzy Hash: 0221D434304214CB9F25667A99D4A7E36A79FC855D724803FD903CFB96DF69CC429382

Uniqueness

Uniqueness Score: -1.00%

Function 01C89523, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d629664e7b2b37348bf46819daf69692ac639ec076d67d167829df419ec084
Instruction ID: 12675a82dca95ec147e8c0294e913d9100cf04d2e57e2d55b830431121d4bb9e
Opcode Fuzzy Hash: 00d629664e7b2b37348bf46819daf69692ac639ec076d67d167829df419ec084
Instruction Fuzzy Hash: C5314D71E005058FCB04DF6CC9C49AEBBB6BFC8318B198559E5159B3A9CB34ED51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01C857D8, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ce5316632c1d075dfe6efe240a805dae378cccfbe9027648dd2d344dc33acc
Instruction ID: edb7f2d5c93ba305b2d2457b58ce9b5830ef82d04ddc6346845e5afab2ee05d8
Opcode Fuzzy Hash: 85ce5316632c1d075dfe6efe240a805dae378cccfbe9027648dd2d344dc33acc
Instruction Fuzzy Hash: AE216F30F50108DFDB24EBA9D884BEEB7B6EF88319F50452AD502A7388DB709945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD56C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256826357.0000000001BAD000.00000040.00000001.sdmp, Offset: 01BAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7507cb6e29e9fe06b0801659e8f1134941349f89cd5b19c99968e609ae51f9e
Instruction ID: 5d0731501d521c7f13ddf30a037ad32f7b34aa23b5952a3ade5e34a055bcbbb5
Opcode Fuzzy Hash: d7507cb6e29e9fe06b0801659e8f1134941349f89cd5b19c99968e609ae51f9e
Instruction Fuzzy Hash: 93213A71508244DFDB09CF98D9C0B2ABF65FB88328F6486ADE9094B646C336D856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD480, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256826357.0000000001BAD000.00000040.00000001.sdmp, Offset: 01BAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d21aa78b34935b1628c0be540456dd2e968ad09aa2e3cd1c5fa72598c479b7
Instruction ID: b3fcc8139f737650fec797fc374523e7848428dfd84c6465c38a75e89f5fa970
Opcode Fuzzy Hash: 45d21aa78b34935b1628c0be540456dd2e968ad09aa2e3cd1c5fa72598c479b7
Instruction Fuzzy Hash: FB216771508200DFDB09DF94D9C0B6BBF65FB88328F64C6E9E8490BA46C336D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01C87528, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f30f18537ac419b270dcefd25daa6490cb236b181346999ddadeacb3d7e928
Instruction ID: a37dcedd424963c23ae7e57535a1787db9d1888c93f4db6bd9a96fa740984c8d
Opcode Fuzzy Hash: f2f30f18537ac419b270dcefd25daa6490cb236b181346999ddadeacb3d7e928
Instruction Fuzzy Hash: 5821F035700711CBC729AB6AD4D4A2AB7A2FF8965972440B9E906CB754EF70DC018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F5A1, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9939b6b49f7e320b123eff4208c1c0476ace6552bafd9bdbf09dfad4e64b36
Instruction ID: 4dd28deb9466b97675816932b18f416cb0765b98ff993a923f2122ca501e22a2
Opcode Fuzzy Hash: 4e9939b6b49f7e320b123eff4208c1c0476ace6552bafd9bdbf09dfad4e64b36
Instruction Fuzzy Hash: 2721F6353041559FEB18EBB8E851A9E37EAEF8525CF10816DD506CB7A0DF38DC058792

Uniqueness

Uniqueness Score: -1.00%

Function 01C8FA4D, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26cda9dd7ba0de7acbd804ab28ba00c243084dc0caf4c9a85f4f7e46751da31e
Instruction ID: c350a1e486ca5f8b017517f1b7f09dfcdbcf97d0ed9695eba22d38760d4a4194
Opcode Fuzzy Hash: 26cda9dd7ba0de7acbd804ab28ba00c243084dc0caf4c9a85f4f7e46751da31e
Instruction Fuzzy Hash: 9B21B230901244EFEB15EFA4E4857ECBBB2EF49319F208069D102AB290CB75CD46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F2D0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0748083434dc20bf6bc8eae27ca02d43cb2de6e5418e1a4ed0264ff3f5f81b
Instruction ID: d98c47089ceb17833cf9b2df74c36c0c337c3d9a614c095319373cf4cdd5f91a
Opcode Fuzzy Hash: 9e0748083434dc20bf6bc8eae27ca02d43cb2de6e5418e1a4ed0264ff3f5f81b
Instruction Fuzzy Hash: 7721E039610E10CFCB067B64F56C82D7BB1FB486293105095EC0793369EB385E9AEF91

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F2E9, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6acef8259df6b8ed29367016cad44339dd758dd240e92aa9d0ba9b646ef99320
Instruction ID: d57b692c44aee92ea1a43913461fbfd184f3024e43f184ba6d33de3db3289797
Opcode Fuzzy Hash: 6acef8259df6b8ed29367016cad44339dd758dd240e92aa9d0ba9b646ef99320
Instruction Fuzzy Hash: AD21EE39610E10CFCB067B64F92C82D7BB1FB486293105095EC0793769EB385E9AEF91

Uniqueness

Uniqueness Score: -1.00%

Function 01C8B411, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6784b55853bdb52a0acdb9cf36109ba2705d90949316d83f58471bfaa0509040
Instruction ID: 4ca789e9c278047d2427659ed53bd67184a04e5fd50e7debc5b38553ced06302
Opcode Fuzzy Hash: 6784b55853bdb52a0acdb9cf36109ba2705d90949316d83f58471bfaa0509040
Instruction Fuzzy Hash: A7215C70E05248DFDB15DFA9D490AEEBFB6EF88309F248069E911A6650DB34DE41DF20

Uniqueness

Uniqueness Score: -1.00%

Function 01C87524, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096611c1a5f335f70af818e549f596e62dea1d3086c4be90cad8ccbd23ad8627
Instruction ID: 6a32f634772c1b342f822c0bf6b02034a3cbd49c296cda76399280cfb55f194d
Opcode Fuzzy Hash: 096611c1a5f335f70af818e549f596e62dea1d3086c4be90cad8ccbd23ad8627
Instruction Fuzzy Hash: 0E110435700611CFCB29AB2ED4D492EBBA2FFC865532840B9E906DB764DF30DC018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01C88105, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49c694087f64322c26de6a8c9e2a44ad470eb6cace565e0c380749646af72b0
Instruction ID: be8f27b3f428323911cae0ac4a87d0724f17099a799a817da88eefd3c6e9758c
Opcode Fuzzy Hash: e49c694087f64322c26de6a8c9e2a44ad470eb6cace565e0c380749646af72b0
Instruction Fuzzy Hash: 00117F31A00208DFDB24DF98C884BAEBBF5EB44314F44C02AE9198BA11D771DA44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01C89370, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321380b6f3ac309559c7f016142e476b59d1c0a29478991d950f6841a8f9c49e
Instruction ID: db40f8b60d15e88cfc2daad43e864e107dbff40534363b716d42c224a07a57de
Opcode Fuzzy Hash: 321380b6f3ac309559c7f016142e476b59d1c0a29478991d950f6841a8f9c49e
Instruction Fuzzy Hash: 75112E35B001049FDB149F69D984AAEBBB6FB8C614F104069E916A7394DB71ED10CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01C8FAF8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161ebb925e1f86b7b44457dd166abcf4874d55711b7111456bd8dc5433b998f6
Instruction ID: d5ba67b532180b0f27d4ae4dace6256762c824c73a5329f2c9990c6bc031c1c2
Opcode Fuzzy Hash: 161ebb925e1f86b7b44457dd166abcf4874d55711b7111456bd8dc5433b998f6
Instruction Fuzzy Hash: 8011C430904625CFCB24FBA8D8947DDB7B6AFC5318F04496DC0467B7A0CBB598498B91

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD47B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256826357.0000000001BAD000.00000040.00000001.sdmp, Offset: 01BAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction ID: f97fcc2a6132c6e1dbd5bad5ffd492caeb4cf9864611299455ec9ff66c04ee91
Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction Fuzzy Hash: 8911AC76408280CFDB16CF54D9C4B1ABF71FB84324F2886A9D8490B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD567, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256826357.0000000001BAD000.00000040.00000001.sdmp, Offset: 01BAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction ID: 47db64fc83be43573d8cd629fbfe36b358cae9145121dc578352797f0570330f
Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction Fuzzy Hash: D211D676404280DFCB06CF58D5C4B56BF71FB88324F28C5A9E8080B657C336D456CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F889, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add7943924109cf308fa0f5b51f659fd7058729f114af85f5497414464b58fc3
Instruction ID: 213ed2e4705ab8733515b6fbd0cb68d3dbab2a34c167b88d3f359580bfaf8fdc
Opcode Fuzzy Hash: add7943924109cf308fa0f5b51f659fd7058729f114af85f5497414464b58fc3
Instruction Fuzzy Hash: 5D21E130804308DFCB15EFA4E8849DCBBB2FF8A324F218259D016671A1D734999ADB40

Uniqueness

Uniqueness Score: -1.00%

Function 01C8FBD1, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf2b90a3664c2d09f7af2988e3355634ce017574f6d291ec3b0fbf89b74cc61
Instruction ID: a908cbcf12d6128bf7a37b3cc50bea6cb675fde95857e3ab9ae1a9ac4d5d97ef
Opcode Fuzzy Hash: 4cf2b90a3664c2d09f7af2988e3355634ce017574f6d291ec3b0fbf89b74cc61
Instruction Fuzzy Hash: C7110130604618CBCB29EFA8D4903DCBBF6AF8631CF15495DC046AB650CB7A8E4A8752

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F7C0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984a9602247ab81da4638eb587185e258870facd0f3bc54de901c21574475572
Instruction ID: e3700a83f4f9bfaaf50a1cb5be1594ae1ba94be67ed8f21315702def32516eb6
Opcode Fuzzy Hash: 984a9602247ab81da4638eb587185e258870facd0f3bc54de901c21574475572
Instruction Fuzzy Hash: 5D11A331911304DFCB04EBA8E8989DEBB71EF89324F118219E50167271EB759999DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01C8D3A0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b604fdbbdcb8fb17b768d952315b8dd9236917d5ac93e4fcb5782d4605899965
Instruction ID: abbe87a368de7bde4ee356c509a57fe129d2cef5cb0a45282c66d8118f066284
Opcode Fuzzy Hash: b604fdbbdcb8fb17b768d952315b8dd9236917d5ac93e4fcb5782d4605899965
Instruction Fuzzy Hash: 4401D632B04019AB8B19AE999880BFF3BABEBC8750F148029F605D7290CF71DD1197D0

Uniqueness

Uniqueness Score: -1.00%

Function 01C8F7D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9db8ef6fd32a538a5007a1a3e6c4da2ea55807b7ff3f9410bb5815f53bb19a
Instruction ID: 92dc3e64c225264f5d4036ef24b046702fb00bc8044527edb63183a39e38d949
Opcode Fuzzy Hash: 6e9db8ef6fd32a538a5007a1a3e6c4da2ea55807b7ff3f9410bb5815f53bb19a
Instruction Fuzzy Hash: F511A131910308EFCF14EFA4E8889DDBB75EF89324F118219E505772A0DB759999DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01C8D391, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0db43cff6887e9847224c23329c19a80cbc574a41b914ccd5fe1fba8c5eb84d
Instruction ID: 1ae509ada3a2fd2851da1484a300eb32f861fcb63cc5b8bbc4ff5c0b7abf7392
Opcode Fuzzy Hash: b0db43cff6887e9847224c23329c19a80cbc574a41b914ccd5fe1fba8c5eb84d
Instruction Fuzzy Hash: 07012632604149ABCB02DEA49C50AEF3F76DB89351F188056F604CB191C631C915D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01C8D5BC, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbe71dcc038c2ce482ab398bf84502792d0be03ec32a87dec521f0beda950e0
Instruction ID: 2088f22ece144d1493fca4c487fea344bf72e455ebc3ddc713abccfd11ca0809
Opcode Fuzzy Hash: 8bbe71dcc038c2ce482ab398bf84502792d0be03ec32a87dec521f0beda950e0
Instruction Fuzzy Hash: 5EF0A0A254E2C89FD702A7B898A56617F70DE5310834D80CBE889CF6B3C224DD0AD762

Uniqueness

Uniqueness Score: -1.00%

Function 01C8B8D8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50e1534b4c366e9fd113d7074ae80b093a3319faf852278ed6eb6fa7e2b3e0d
Instruction ID: 98ea69cc833150635452b07db6346c5b174a8001473a71d39e65b7623640a71b
Opcode Fuzzy Hash: a50e1534b4c366e9fd113d7074ae80b093a3319faf852278ed6eb6fa7e2b3e0d
Instruction Fuzzy Hash: E7F0A036E00168DFCB00DF69DC48AAABBF1EBC8330F14C026E918D7210D3708E118B91

Uniqueness

Uniqueness Score: -1.00%

Function 01C8ABA5, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef74bcf698edbf556df5506f5f3383054137163952b892fa57a3a45f19964ae
Instruction ID: d4eb721e002e96aa814b9d09eaf8fa23bba09ebb03f8001f28a42e9ec169548f
Opcode Fuzzy Hash: 0ef74bcf698edbf556df5506f5f3383054137163952b892fa57a3a45f19964ae
Instruction Fuzzy Hash: A6C012B3A4C030AFA625608E3C80EB26B8DC2C03B9A2A4277F81CE3A408482CC8101A4

Uniqueness

Uniqueness Score: -1.00%

Function 01C87960, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a469748edd10a0499af25902828e6edebc9ccb9393c152585ec5156dec2b1aaf
Instruction ID: 16c0d10ba9bf3f15529eb6905da91591968a22d88b48780cc2ec2959d97b2d08
Opcode Fuzzy Hash: a469748edd10a0499af25902828e6edebc9ccb9393c152585ec5156dec2b1aaf
Instruction Fuzzy Hash: E1D0123405C2845ED751AB35E8D54953B62EA822053849491C4418B975DB749889CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01C8D5A0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70bc8620e2724f96894789c896b4b5975c4de5c9978aa933bfbad157c9d6d4c
Instruction ID: c729645fa96f3635f479980339ed1ffbb564b403319effc22886991fc3fd4628
Opcode Fuzzy Hash: c70bc8620e2724f96894789c896b4b5975c4de5c9978aa933bfbad157c9d6d4c
Instruction Fuzzy Hash: 27D0122504B2C47FCF129B74A8A69FA7F308E5201570C81C7E88895813C1304519DB52

Uniqueness

Uniqueness Score: -1.00%

Function 01C87970, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842b24ecb46da916d7c4613ad38a82d329fd8fb29aeca972df48af8603c7181e
Instruction ID: ae19f3e792d066160ca7b30e74ce1720b5fa0efc6860319073b2d18cd4c7d8e1
Opcode Fuzzy Hash: 842b24ecb46da916d7c4613ad38a82d329fd8fb29aeca972df48af8603c7181e
Instruction Fuzzy Hash: 45C0123006C2094A8794BF76F88041633AAEA822057C0D860C5054B924EFB8AC848B95

Uniqueness

Uniqueness Score: -1.00%

Function 01C8D5B0, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257674424.0000000001C80000.00000040.00000001.sdmp, Offset: 01C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f62be4847828426c0f78e954ae8272186a3fc3ec4ec778337ef5a54c5436dc8
Instruction ID: 055b709e40b8ce199f63beddf8d6d34ba9a6cef9f08a8d242e38c1d93a3b3f48
Opcode Fuzzy Hash: 2f62be4847828426c0f78e954ae8272186a3fc3ec4ec778337ef5a54c5436dc8
Instruction Fuzzy Hash: 32902230000F0C8F020033883008800B3CCC0008083800000A00C000030A2020000080

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 6892 Parent PID: 6708 powershell.exeCOMMON

Executed Functions

Function 02DC865B, Relevance: 1.0, Instructions: 1033COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d59f7f6d7df8092d62a3b2efe56491ba415b4de30176bdfc13052377655187
Instruction ID: 9f1dc0d3f39a6d8cdaa3009245a8f8a7ffa135d95e5720d2f6d048c73a3bab66
Opcode Fuzzy Hash: 57d59f7f6d7df8092d62a3b2efe56491ba415b4de30176bdfc13052377655187
Instruction Fuzzy Hash: 37B2E574A01329CFDB65DF24C854BA9B7B2BB89305F2444E8D40AE7B90DB369E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 032DDEB8, Relevance: .9, Instructions: 923COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9740eef483cbf56d2e57e67a1a1cc93abfccb5ce4ebbad2a048a78fb239390
Instruction ID: bca80eb426e5b9fc80f69c49da0bee1b4188cee02ed1feddd8865ef55c8e3dea
Opcode Fuzzy Hash: ea9740eef483cbf56d2e57e67a1a1cc93abfccb5ce4ebbad2a048a78fb239390
Instruction Fuzzy Hash: F5823934B002148FCB54DF68D895BAEB7F2AF88304F1585A9D50AEB754DF34AD868F90

Uniqueness

Uniqueness Score: -1.00%

Function 02DA6C30, Relevance: .7, Instructions: 673COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d421e8a66a473fbeb745c875bf82a7890a96f4fb3a2ea5baa78f08481941090
Instruction ID: 0225732ddc23a76729c227f323d404273fb22e75e8484a8550d1a6dccfc45c1e
Opcode Fuzzy Hash: 8d421e8a66a473fbeb745c875bf82a7890a96f4fb3a2ea5baa78f08481941090
Instruction Fuzzy Hash: 16329E78B002159FDF14EBB8C8A4A6EB7E6AFC8214F15C429D50A9B355DF34EC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC0040, Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562dd3f6fda9c7fa522fa5224c424d84e11a5551f031c63afa45eeed362c9c3c
Instruction ID: 6a9a1cc2660f2622acc0ace0099200bc483e922862e7fea400f968771c338eee
Opcode Fuzzy Hash: 562dd3f6fda9c7fa522fa5224c424d84e11a5551f031c63afa45eeed362c9c3c
Instruction Fuzzy Hash: E4526D34A0021ADFDB14DF64C844BEEBBB6AF88305F248599E949AB350DB71DD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DAE66B, Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060fada16b3bfc99666fd67dab7ec038edd86b2c3cf102b68e6a4645770909a9
Instruction ID: 16819273c84e5c00a4cdebf36cded4c79fe1a92c9950faa34c6b5fea4c24aa3b
Opcode Fuzzy Hash: 060fada16b3bfc99666fd67dab7ec038edd86b2c3cf102b68e6a4645770909a9
Instruction Fuzzy Hash: 8E323834B002099FDB18DBA4C9A4EAD77F6AF88304F248068E902DB795DB39DD49DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02DA7FE0, Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a04219a6928964d186b47adc4083046117f6623f563ff680adc96d602f8ddb2
Instruction ID: 630d9a785e680d52c9d248eb5a377f23d0cdf55ff6aa4fe6663ee27cf159bbcf
Opcode Fuzzy Hash: 2a04219a6928964d186b47adc4083046117f6623f563ff680adc96d602f8ddb2
Instruction Fuzzy Hash: D0326A35A002099FDB15DFA5C8A0BEEBBB2AF84304F248569EC01EB391EB35DD45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02DAA960, Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91444a78339d6debadab8b788e0a629b6b17eaa872db3fab9ff395f1cee79e6
Instruction ID: 5719bcce43964e55b25ff5f9279f549b1e4e8700d07356a527d17880f4ed7dad
Opcode Fuzzy Hash: a91444a78339d6debadab8b788e0a629b6b17eaa872db3fab9ff395f1cee79e6
Instruction Fuzzy Hash: 01229C347042049FDB14EF68D894AAEB7F2EF84308F158969E542DB7A0DB74EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 032D5ED0, Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9224c1d12f3f26564083760383d67278d273d7c861179be63ac080492a6a474d
Instruction ID: ec5f30aef4c0d180d8b4b5d8fd4928046bb0a70dad920f6e03f26181c7ac5c9c
Opcode Fuzzy Hash: 9224c1d12f3f26564083760383d67278d273d7c861179be63ac080492a6a474d
Instruction Fuzzy Hash: 86128B38B002159FCB18EBB8D894A6EB7F2FF88214B158469D40ADB354DF35EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 032D2B48, Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356a76a1efa614e4ba9a56fcbc2811c33030fb8bbb17afc8565550528fea9a3a
Instruction ID: 5359bb0f313fa41084cda5c063654d316adac6e8702bc45ed9e8b2a579c1b270
Opcode Fuzzy Hash: 356a76a1efa614e4ba9a56fcbc2811c33030fb8bbb17afc8565550528fea9a3a
Instruction Fuzzy Hash: 7F025A34B102058FCB18DFA8D880AAEB7F6EF88315F148969D506DB765DB35EC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DAF3D7, Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f496a834eb4ca5cf7f97ae1133c459f92f8ecaef77d7e2d02553d8caf661af
Instruction ID: 32e522496264bbcc3a7680d4889c6fb4f4f19fadf44dc9b6b0a40a7ef67d621e
Opcode Fuzzy Hash: 72f496a834eb4ca5cf7f97ae1133c459f92f8ecaef77d7e2d02553d8caf661af
Instruction Fuzzy Hash: C3C18C71E007198FDB14CF65C850BAEB7F2BF89304F2485A9D409ABB51DB71AD4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DAA3D8, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8228371efb1a0409781e520a13776fcaf06d234b8fa986c97ecd146f5251e8
Instruction ID: 242e295a033f772d16fb09fe1acf09b6ac0a7615463641f88cda2a1f56a88212
Opcode Fuzzy Hash: ea8228371efb1a0409781e520a13776fcaf06d234b8fa986c97ecd146f5251e8
Instruction Fuzzy Hash: FFC17E74E006199FDB24DF64C850B9EB7F2AF89304F2486A9D409AB750EB70AD89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 032DCD98, Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

kE, xrefs: 032DD08F

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID: kE
API String ID: 0-1687065583
Opcode ID: 9eeeef804c7d57a11c279e6480bf5075541d1127a9d14d34b061a38d1cf5a63f
Instruction ID: 16fce7ff7e8f7b7536c7a8aa49c82252163ae63d9dc5ccdfdd430eccca620b33
Opcode Fuzzy Hash: 9eeeef804c7d57a11c279e6480bf5075541d1127a9d14d34b061a38d1cf5a63f
Instruction Fuzzy Hash: F7027B34B142198FCB14DFA8D890AAEB7F6AF88314F158429D906EB354DF34EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC786A, Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61619532d02d6aa590a285cb3670a0df1884206d992e31e1a9fd7ed8473922ba
Instruction ID: 8ab82707ec8a4004ee3893ea9ed359ceea8c1ac6206ca151a5ee3e2b1e6c2611
Opcode Fuzzy Hash: 61619532d02d6aa590a285cb3670a0df1884206d992e31e1a9fd7ed8473922ba
Instruction Fuzzy Hash: 29723FB4E016298FCB64CF28CD84B9ABBB1BB49305F1041EAD90DA7350EB356E85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02DA8E98, Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1bcc2173e157c5c4c1f6ea566b9f3362e69714449de0f3fad3e229cb35546c8
Instruction ID: 33b20d7af59abaa534bb6a9ad2105222e3f29f7dec02ac66378d2cc1fb9d9aa8
Opcode Fuzzy Hash: e1bcc2173e157c5c4c1f6ea566b9f3362e69714449de0f3fad3e229cb35546c8
Instruction Fuzzy Hash: 6F121974A01219DFDB64DF64D8A4BEDBBB2BF48304F1081A9E90AA7390DB349D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DA6738, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa7b9cfe75deb754256975e74d0fb439fa44e05816467d01bc9e3ba509b7d64
Instruction ID: f1b03efbdd36b46800a34f784a978d41408dd0aea79a9635d000ca468ee24163
Opcode Fuzzy Hash: 0fa7b9cfe75deb754256975e74d0fb439fa44e05816467d01bc9e3ba509b7d64
Instruction Fuzzy Hash: F2D17135A04209DFDF24DFA8C8A0BAEB7F6AF88304F148529D5469B790DB74EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC6D07, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f8bd3b3743b76c80585f3c4c27140bfbc4d47f2ed8e9da3239ce79c41c6ca0
Instruction ID: 3243d63fd1926d2e1cd1efb88d8f0ad1c51f4812b675e6be252d753c0b563f31
Opcode Fuzzy Hash: 69f8bd3b3743b76c80585f3c4c27140bfbc4d47f2ed8e9da3239ce79c41c6ca0
Instruction Fuzzy Hash: F602BFB4A012298FDB65DF24C884B9DB7B9BF49304F1081EAE909A7750DB34AEC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02DCDEA8, Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb8400bfb3be86483596cf69caa9c85e8e67ec203d56891760d6bbeb66abb86
Instruction ID: 92d5de909f6b55874b0517ffa829106c411a1c0e9d7354400a96cecffa9b9e49
Opcode Fuzzy Hash: cfb8400bfb3be86483596cf69caa9c85e8e67ec203d56891760d6bbeb66abb86
Instruction Fuzzy Hash: 1FB1A475A042558FC714CF68C98499ABBF2FF89320B25C5EAD859DB352C731EC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032DECA0, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee085ec1e5942349b7a725e76d06e3df2398351f9fa00921094aa6ed0f05da68
Instruction ID: 7442486316369f27670f2fa79a839cd2c3d590e281c573b30a4fb719198a62d5
Opcode Fuzzy Hash: ee085ec1e5942349b7a725e76d06e3df2398351f9fa00921094aa6ed0f05da68
Instruction Fuzzy Hash: 09A19134B042059FDB14EF78D890BAEB7A3EF88314F158828D909AF794DF74AC558B91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC0007, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f44754e9f15857d101b43586847bbad932bef328a0e59fe7499712afd6012d
Instruction ID: 6e41a82e6e67850f9778bd8485e35d87150b67949462283a57a7d50529e04377
Opcode Fuzzy Hash: 70f44754e9f15857d101b43586847bbad932bef328a0e59fe7499712afd6012d
Instruction Fuzzy Hash: ACB15735A01619DFCB15CF64C980AD9BBB2FF89300F1581A9E948AB361D770EE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02DCAAD8, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab39900fd22ff5fda9013510e75d56df0523c383eded972c8109bd51e52c9b6
Instruction ID: d029573df31c6369d40b950da83cf8d1bc26fd947baa71aae9bc257474d12916
Opcode Fuzzy Hash: 7ab39900fd22ff5fda9013510e75d56df0523c383eded972c8109bd51e52c9b6
Instruction Fuzzy Hash: 6091CD35A0020A8FCB24DF68D480BAAB3E2FF84318F25896DC5499B751DB35ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DCA483, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76484c68ed8b111ee330efc4599aa8ac8a0f3e9c70bf3770fe13bda1a162b807
Instruction ID: a62e38f33fa2f8af4aff53c6c3832ba89b46adafc749fe23c977ff4265e6050d
Opcode Fuzzy Hash: 76484c68ed8b111ee330efc4599aa8ac8a0f3e9c70bf3770fe13bda1a162b807
Instruction Fuzzy Hash: 2981BE357042099FDB15AF78D8546AEB7B3EF84214F25882EE8069B790DF35EC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC2140, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a2ed5a03b29f77f35d3274fe1e298bd7752e0d201635a69d03ca5de4cc45de
Instruction ID: 0cd66dc0d9dc062e6dd9bd1297e8b386110cf6e463f202318b8537ad449fd96a
Opcode Fuzzy Hash: e0a2ed5a03b29f77f35d3274fe1e298bd7752e0d201635a69d03ca5de4cc45de
Instruction Fuzzy Hash: 4E71A0357002149BDB14EB78D8957AE77A6AF88718F24846DEA06DB381DF31EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DA3B78, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4ab6bc1465332e8b2b52f0b308a4639f44cfd4f137e7a30c2f628e56c138b6
Instruction ID: 17726866f11af7c1385e4139cb2971ec9bc63a9bcfc057b8bac1312b543d7b1b
Opcode Fuzzy Hash: 2f4ab6bc1465332e8b2b52f0b308a4639f44cfd4f137e7a30c2f628e56c138b6
Instruction Fuzzy Hash: BA918E34B002058FDB54DF68C865A6EBBB7EF88304B2185A9E506DB7A4DF31EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DAA951, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01124aff265f46095ae9c90257b2e6a7e6a25b21be713845100832e4961fa9a1
Instruction ID: 9b82e5a72a2738e790094a8f5e880ef4fa968b306dc0f9d74b5e853bc25dcc2c
Opcode Fuzzy Hash: 01124aff265f46095ae9c90257b2e6a7e6a25b21be713845100832e4961fa9a1
Instruction Fuzzy Hash: C2918F34A042099FDB14DF28D894A9EB7F2FF85308F158A29E442DB7A4DB74EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 032DEC8F, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec50083d20a189fe937a2552359c1c0a22c1e950dce562f75683669d277244c
Instruction ID: 2436204ce332b220eec4f42feaa2722cf1b70848bbdaea08686cea7b9bef3671
Opcode Fuzzy Hash: 6ec50083d20a189fe937a2552359c1c0a22c1e950dce562f75683669d277244c
Instruction Fuzzy Hash: A591A034B042059FDB14EF78D890BEEB7A3AF88314F158928D909AF794DF34AD158B91

Uniqueness

Uniqueness Score: -1.00%

Function 02DA9A1F, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0069fd7da1b973d8f834dc2a1effeaf0d706453ede10b5cea5505346d51a22
Instruction ID: 9a53aa5fac1a521fd55d8892c026397afda493aa6cb79fd393c0ef589704a0e9
Opcode Fuzzy Hash: 1f0069fd7da1b973d8f834dc2a1effeaf0d706453ede10b5cea5505346d51a22
Instruction Fuzzy Hash: CBB1C534A00258CFDB64DF64C8A8FADB7B6AF48305F1485A9D50AAB3A0DB35DD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 032DC678, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a853babb6a225209c3b8762cd4adbe6f889e5f1c201db1fa9bf4532b1d22ad4
Instruction ID: 98b79719da5085c74a4da20ab02a59a1fca74a0aeba7747767e06ad9af02e3be
Opcode Fuzzy Hash: 9a853babb6a225209c3b8762cd4adbe6f889e5f1c201db1fa9bf4532b1d22ad4
Instruction Fuzzy Hash: 45817C34B101158FDB14EFA4D594AAEBBE6EF88310F148468E90ADB398DF34DC81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02DA2D80, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43430938cdbb403901175d6c8a44bb04ced219eb81eec2f00faea91748162dc6
Instruction ID: 062ea943054db6e6e26785a5ba7a4e51f6fab7ea21deba6f3dd2d00483d25643
Opcode Fuzzy Hash: 43430938cdbb403901175d6c8a44bb04ced219eb81eec2f00faea91748162dc6
Instruction Fuzzy Hash: A571AF78B042059FCB14EB69C8A1A6EB7E3EFC8354B154478D90A9B385DF34EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 032D8108, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7db83410fecc18ef66fdea3015b38685921d7cb550439f5a9c6742ac4e20b7
Instruction ID: 07396c53f21b0605c26d0120bff2dda5d49bb58178d32e4aa879e35bd2afcaf0
Opcode Fuzzy Hash: 7c7db83410fecc18ef66fdea3015b38685921d7cb550439f5a9c6742ac4e20b7
Instruction Fuzzy Hash: 955104397002144FD718A7B9E89867E77EAEFC9264B14446DD906CB381DF38EC0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 02DA9F7B, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e1ba72a26d179f16b0826d9236b98f62c2e0e66361325bf24a6b6adb884ab9
Instruction ID: 849fba782c0190f7b61c93627c65ee84a03d80110197ef6aa5e9c155eaf6801a
Opcode Fuzzy Hash: a7e1ba72a26d179f16b0826d9236b98f62c2e0e66361325bf24a6b6adb884ab9
Instruction Fuzzy Hash: 80815934B142049FDB14CF68D4A5E99BBF2BF88314F1582A9E905DB361DB71EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DC1A20, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086a710ceb9e49ff9a198a7ecee5d393183d34f010e3ca8b269ecf11524072d5
Instruction ID: 22547a796409cb9e2a1f044a129a0ac4554662fc3eb16b46d158c4fd7cbd6c42
Opcode Fuzzy Hash: 086a710ceb9e49ff9a198a7ecee5d393183d34f010e3ca8b269ecf11524072d5
Instruction Fuzzy Hash: 29817170A0021A9FDB14DFA4D950AEEB7B2EF88304F20852DE805EB754DB75DD56CB90

Uniqueness

Uniqueness Score: -1.00%

Function 032D3D20, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd43837eb91af989e84ee3333455882c459f16818fba344edc1e3a3491df5375
Instruction ID: f82ab2fd48ad5a3f7b8d48bbedaba4871fb8e5ff26efa0792cd9deed066b9643
Opcode Fuzzy Hash: fd43837eb91af989e84ee3333455882c459f16818fba344edc1e3a3491df5375
Instruction Fuzzy Hash: B281E478A1021ACFDB14DFA4D598AADBBF1FF48315F140169E505AB3A1CB719C80CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 032DFAC8, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7baaa1b23b1d2d6bce04593d17044291413a299f9322802fc8bf7f91398bc888
Instruction ID: 6f8e8e9cdfd91c42df828a23cf32a89a753bdb008646e0d1907cd5df7341f6aa
Opcode Fuzzy Hash: 7baaa1b23b1d2d6bce04593d17044291413a299f9322802fc8bf7f91398bc888
Instruction Fuzzy Hash: D8511435B00205AFDB14DF69D980AAEF7E6EFC8324F048579D51ADB640DB31EC518B90

Uniqueness

Uniqueness Score: -1.00%

Function 02DAA3C8, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6375f4b9df52a04e0631e6ece20828268d9b1970b5fed2a46b2d8bc2ccfa04
Instruction ID: e6df3bcfc91683380aeb5fc0d813f7a7520b7f7457f0de8a8368737b4853c57b
Opcode Fuzzy Hash: 0d6375f4b9df52a04e0631e6ece20828268d9b1970b5fed2a46b2d8bc2ccfa04
Instruction Fuzzy Hash: 2F61B070E002059FDB24DF64C854BEEBBF2AF89304F1485A9D809AB750EB70AD49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 032DC668, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0a4f8e617044b05d866b0891a2984c27a5c641418cf205fc5eea2e6e5042c4
Instruction ID: b16c99d3b5c298b9e8af844d90220656da2d539233032fbb4df76a988275cb43
Opcode Fuzzy Hash: 4f0a4f8e617044b05d866b0891a2984c27a5c641418cf205fc5eea2e6e5042c4
Instruction Fuzzy Hash: 53518F34B101118FD718EFA4D99866E7BA6EFC8351F288468D90ACB3A9DF74DC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 032D1670, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db693b96a9dc662e5b9fee46758e6e386216716e93f2653fa80f38e430d37bb0
Instruction ID: e3217ea1ea9c05dada121ca51e0b0db34adf10319ace83a9305e4b1ad6647709
Opcode Fuzzy Hash: db693b96a9dc662e5b9fee46758e6e386216716e93f2653fa80f38e430d37bb0
Instruction Fuzzy Hash: A5510234A042019FDB65DF28D88496ABBF6EF84304B19C5AAD859CF765DB30FC52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DCBB08, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b8f119af6ffdd2ccd4e7d9eddf28558d4a9f01f433a0eb8f0a7a203c7d4697
Instruction ID: cb10ff253951b0f9e6b5e8b7b5405e7b9f261b0420893b8a5bd669f53e1a9f63
Opcode Fuzzy Hash: 68b8f119af6ffdd2ccd4e7d9eddf28558d4a9f01f433a0eb8f0a7a203c7d4697
Instruction Fuzzy Hash: 5D4159357052548FCB19AB7898292FE7BAADFC5219F1444BED046DB382DF398C06C791

Uniqueness

Uniqueness Score: -1.00%

Function 032D5C80, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7be026c9510c69a5bc1990feda4f060e2e890bd144feb8646786a80f1d8b0e4
Instruction ID: 4b2c422674737726d672102c4307dc023313d82c24cd575f6866e4f3a788c60d
Opcode Fuzzy Hash: a7be026c9510c69a5bc1990feda4f060e2e890bd144feb8646786a80f1d8b0e4
Instruction Fuzzy Hash: AB515630A242168BDF24DE69C8987ADB7F5AF49704F254469DC42EB359DBB4CC84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032D8742, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407cac7c096d1bfc27684f89373cdb6dd7fea0c42cfb222f26afac7b3f8da0c1
Instruction ID: 20c6bcdcefb92547507b70ac1556ecb94165d5d317fee96a723450b1f83bbbca
Opcode Fuzzy Hash: 407cac7c096d1bfc27684f89373cdb6dd7fea0c42cfb222f26afac7b3f8da0c1
Instruction Fuzzy Hash: C051D174F1024A9FEB10CB79D8807EEBBF5AF88304F084429D555AB380DBB5A984CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02DAC949, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b2b0ee21c1167b69075be39631d9d8bb372b1b08799f518197eaa6ccf1cc6e
Instruction ID: b8baea8b66752a98a33ca2d6a6adb21c138ff3fc2119a5c656293fdb83dd1125
Opcode Fuzzy Hash: 78b2b0ee21c1167b69075be39631d9d8bb372b1b08799f518197eaa6ccf1cc6e
Instruction Fuzzy Hash: AF518BB4611204EFCB58EF78D45065EBBF2FF89215B60816EE505EB354DB36AC02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 032DF249, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2233ae379c6394e995421d76f0adf80a014c606351ab316fe3073d18aaafc32c
Instruction ID: 6025a81eddbdbf55bd62375fe04c2e73ad21d0a562321df3cd2b0c3f19315318
Opcode Fuzzy Hash: 2233ae379c6394e995421d76f0adf80a014c606351ab316fe3073d18aaafc32c
Instruction Fuzzy Hash: F6518331A142069FCB54CF69C984AAEBBF6FF88304F188629D406A7754DB70ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032DF258, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcf4430b8e8c388693ae8eb202645e46db2b34173a7f13e1d354995c498598f
Instruction ID: f6f216d6ea3653c9791e863a2ff95580e2b615be02d6a08c6a48329f938aff82
Opcode Fuzzy Hash: 9fcf4430b8e8c388693ae8eb202645e46db2b34173a7f13e1d354995c498598f
Instruction Fuzzy Hash: 11517275A102069FCB54CFA9C984AAEB7F2FF88304F148629D406A7B54DB70AD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 032DAAC0, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad47d85e497261645da91021e0afa61f608c615f382e629d81b7df4b91bcbc0
Instruction ID: 0e33e26b6d08589b5262173e4d4f764922e1e5d4fd533a716783d57ed7647b64
Opcode Fuzzy Hash: 6ad47d85e497261645da91021e0afa61f608c615f382e629d81b7df4b91bcbc0
Instruction Fuzzy Hash: 5F315E724493909FCB23CBA8DCD2AD03FB1AF57211F0D06C6C488DB267DA29B654CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02DAC958, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd76e7bac06f7676af3c137e86ba8e70f613877f27983fa0ca5b3fb20e6cd299
Instruction ID: 27dfbfdcae4c68d455d8091e2a3f7d6f604ada2d7bd246feb2d1185997a2235c
Opcode Fuzzy Hash: dd76e7bac06f7676af3c137e86ba8e70f613877f27983fa0ca5b3fb20e6cd299
Instruction Fuzzy Hash: 52416AB4611204EFCB58EF78D450A5EBBF2FB89215F60816EE505AB354DB36AC02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 032D5A20, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfba77ee303c23110c852455086601bb66c9e6062ec1033d4e77d898da1023c
Instruction ID: 525925b09de1e2c639d3940a77a6a0d56cb38a1ca9846bae181ae56b656c8128
Opcode Fuzzy Hash: 5cfba77ee303c23110c852455086601bb66c9e6062ec1033d4e77d898da1023c
Instruction Fuzzy Hash: F84136347147218FC729CB74D8802AA7BF2EF8A304F18487ED046CB781CB79A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 032D65B8, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78a2a69b5014e3d2c4eddf289d45968ede727799c3b06ef661eebb4120f8b46
Instruction ID: 349dc0b4e5f82b977abf79a2e83e1d66ee1d37a34ec29ce0d5a3727e83d7be08
Opcode Fuzzy Hash: e78a2a69b5014e3d2c4eddf289d45968ede727799c3b06ef661eebb4120f8b46
Instruction Fuzzy Hash: 1641B038B002099FDB14EBB8D8809AEB7F2EF88214F548529D50AEB354DF35AD41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC2418, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e30afeecf5853b063869b4685b6ab967b6c2b02b0bd9e5a944d50b1e9be3e2
Instruction ID: 54a9e17f23210f1addc2d3ecf1ce1dbfc227db6f680570f29c6aecda0513a378
Opcode Fuzzy Hash: f7e30afeecf5853b063869b4685b6ab967b6c2b02b0bd9e5a944d50b1e9be3e2
Instruction Fuzzy Hash: 9B319A357042168BDB24DE28C8587BB76E2AB98358F24453DDC46D7780EB39DD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DC2409, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5726876fabf9b98f9eb5f2b31d22f89941b4f58e6a13e5ea63b715d6a838d13
Instruction ID: 459de44d6d0d4833848eb5fa5032b096040ab5dab398c9065cfc528eb4148393
Opcode Fuzzy Hash: d5726876fabf9b98f9eb5f2b31d22f89941b4f58e6a13e5ea63b715d6a838d13
Instruction Fuzzy Hash: E231CE357083128BCB14CA3888586BB7BE2AF88344F28456DDC46D7790EB38CD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DC1EC8, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7939c636696950faf56fb7547363ea985b467121c2835eb108cf8b90c9450174
Instruction ID: e7fb00313b21a8b52df1413a85c1b07bc44b25bac9e7215033468844819ae7ae
Opcode Fuzzy Hash: 7939c636696950faf56fb7547363ea985b467121c2835eb108cf8b90c9450174
Instruction Fuzzy Hash: 1131D432E0520A9BDF14CF94D8407EEB7B2EF89314F20842EE905AB754DB719D4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 032D70D8, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9dad1bea4d6a447dba7471c6a4bde520e5c3d0e7ac7a10e5b6cf84215cc632
Instruction ID: 7aa7f23545eb14763e95c926e3da6d1eacfc70f9d88e2d2a5ba0916bd2751aa6
Opcode Fuzzy Hash: dc9dad1bea4d6a447dba7471c6a4bde520e5c3d0e7ac7a10e5b6cf84215cc632
Instruction Fuzzy Hash: 4C41C334A043468FCB15DF68D858BAEBBF6FF85301F1841AAD445DB391CB799982CB60

Uniqueness

Uniqueness Score: -1.00%

Function 032DDD60, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a947e4e403e6c08d64eea2329d34320c2c185ab5529c361387044cb7572fa5
Instruction ID: 7308dea1acc6cba7ac4b8c48a92d39f6b01b5ee7ca46782f7fe7e9964f966854
Opcode Fuzzy Hash: 27a947e4e403e6c08d64eea2329d34320c2c185ab5529c361387044cb7572fa5
Instruction Fuzzy Hash: E631C1357146024FC708EB79E99492A73EAAFD8225B194479CA05CB359DF30DC51C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02DCA710, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6ec3b19898755ee6dea0f92c5833d0265cdb1fb34d6d4593fc5aeeee458d5e
Instruction ID: 3c91e4fc9b2ded4241cdac06bc3c8df3ea87cff1c57b492121161ac984eee1e1
Opcode Fuzzy Hash: 3d6ec3b19898755ee6dea0f92c5833d0265cdb1fb34d6d4593fc5aeeee458d5e
Instruction Fuzzy Hash: 98318E357005168FCB18EF79C86466E77F6AF88618B25456DE906DB3A0EF30DD01C790

Uniqueness

Uniqueness Score: -1.00%

Function 02DAA4E1, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cddf83792ac49a52fda3189f0bb09eb795ff9d9803ff4951aa8b709222b3953
Instruction ID: 1388cd2aa84288fbe71568d661d946bd9b9ab89c4676606a664e2d21c7418451
Opcode Fuzzy Hash: 1cddf83792ac49a52fda3189f0bb09eb795ff9d9803ff4951aa8b709222b3953
Instruction Fuzzy Hash: 5C41AF70A04209DFDB14DF64C850BDEB7F2AF89304F288669D505AB754DB74AD89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 032DF078, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485d11dde95e863edcafb9453dd45e0ec7f6001a38b6b5c66fa965db64320546
Instruction ID: 2b494ccf8c07789288f97478ad36173841a2709fc31f1e49d2fe71975ed217fe
Opcode Fuzzy Hash: 485d11dde95e863edcafb9453dd45e0ec7f6001a38b6b5c66fa965db64320546
Instruction Fuzzy Hash: 19310A74B142069FCB54CF59D980A6AF7F2EB88215B18C46DD90EDB305D732ED82CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DC25C0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a55ffb01bbf25154455ba161f0ef3de6665711136b83e0986776c7e66d2e4d7
Instruction ID: 81409d497f285c1693aeeca6b627582dfb057068eafec6a4e7e2a734e9364394
Opcode Fuzzy Hash: 6a55ffb01bbf25154455ba161f0ef3de6665711136b83e0986776c7e66d2e4d7
Instruction Fuzzy Hash: 57318035B042098FDB14EF58C4447AAB7B2EF88714F248179D949DB350DB35ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DCB9C0, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f79154c1f56c397b006370f1b6f7d90ed472a39bac6e954e4a625d9d95ad621
Instruction ID: 6ca23de011650d25e21ad728addf519e214c12764ef8cdd2ba8439cce10c18cd
Opcode Fuzzy Hash: 3f79154c1f56c397b006370f1b6f7d90ed472a39bac6e954e4a625d9d95ad621
Instruction Fuzzy Hash: 4C310434A08244CFCB15EB79D8106AE7BA2EFC5225F1585BEC54A8B361EB349C06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC96C0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d587e0adf6dcb61342622b524a393170fa9515f06096210bce9ea770ea492a86
Instruction ID: 3d7c599f87967fa554aefc494d0e79fa3639bf6ff81e3068153360a851c3eef9
Opcode Fuzzy Hash: d587e0adf6dcb61342622b524a393170fa9515f06096210bce9ea770ea492a86
Instruction Fuzzy Hash: 51411774A01359CFDB699F20C8687ADB7B2AB45305F2484EDC40AA7B94DB398EC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 032DF069, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3782b0211bdfe43f18657b15793a4f68b81521d3852e657ab95597a36a3665bb
Instruction ID: 84e0e715a5f0f2fc342b6a081a4792744e5f208fab34c07746d3fd14ee335bf2
Opcode Fuzzy Hash: 3782b0211bdfe43f18657b15793a4f68b81521d3852e657ab95597a36a3665bb
Instruction Fuzzy Hash: C3316E74A14206EFCB54CF59D980659BBF1EF89205B18C46DD90ADB206D732EC82CB61

Uniqueness

Uniqueness Score: -1.00%

Function 032D70F0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7890c8d6373f56a270f7184b0bed2ad7957a70315712739b8735dff3c8c727
Instruction ID: 9096692e0e2a511d8d3723ae926a8984c8352d7bbeaf92c9363693cf8046a043
Opcode Fuzzy Hash: ec7890c8d6373f56a270f7184b0bed2ad7957a70315712739b8735dff3c8c727
Instruction Fuzzy Hash: 3C316034B002068FCB14DF68D858BAEBBF6FF84701F188169D405DB395CB799941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032D5C6F, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879476df0b5dd78079fd9f7dd096f98b449e0172e7e8012b541f1063e337e00f
Instruction ID: 5a54d1adca28aaf231d1d673e83958bf7cba729065519c5da7beedc54d02bb0d
Opcode Fuzzy Hash: 879476df0b5dd78079fd9f7dd096f98b449e0172e7e8012b541f1063e337e00f
Instruction Fuzzy Hash: 4931AC70A142068BDF28DF68DC947EE7BF5AF49304F244469D502EB245DFB48D85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD0A7, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83515ec6567d87bb02c5c97344fcd856a0e6b996564cbc7138024e3da60fb69d
Instruction ID: 1d5480afbfe50b3820d6296bb465bd21a127b324e9e3597d6c27848ca44a549e
Opcode Fuzzy Hash: 83515ec6567d87bb02c5c97344fcd856a0e6b996564cbc7138024e3da60fb69d
Instruction Fuzzy Hash: 7831913520A3815FC7169B78D8D4A86FFB9EF8722071945DAC089CF6A3D7285C09C736

Uniqueness

Uniqueness Score: -1.00%

Function 02DC1D89, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346b89204446f3d94cce61e7c4fedd90bd98f2a9c58d73754a3c648c80c58e13
Instruction ID: 3bb788c9710c40eda7bdc996919e47b5656fc5040535e37682e73e16720fffbf
Opcode Fuzzy Hash: 346b89204446f3d94cce61e7c4fedd90bd98f2a9c58d73754a3c648c80c58e13
Instruction Fuzzy Hash: CE218B75B042188FC744DF3CD840AAE77F6EF89654F158069E909CB361DB70EC028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC06DE, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe8170ce1ae0f8185dd86e3ca571a35f93e0929ff25671c1cf7392a1bba8be8
Instruction ID: 911afc682061d65011fb2f4836c735e23fcd3588fafbebf338cf149b3bd41b96
Opcode Fuzzy Hash: 0fe8170ce1ae0f8185dd86e3ca571a35f93e0929ff25671c1cf7392a1bba8be8
Instruction Fuzzy Hash: 88316234A0020ADFCB11DF64C944BEDBBB2FF49305F208598E945AB2A1C776AE84DF41

Uniqueness

Uniqueness Score: -1.00%

Function 032D3B38, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68293cd4ac407cb6d64edc372e65310b5132e49d30d540bf6f312e38fb19ede0
Instruction ID: 8c3aed299a023e27d84531f0f142efbd9615a3cdbf345da9d0ef8b7cf04eeb6e
Opcode Fuzzy Hash: 68293cd4ac407cb6d64edc372e65310b5132e49d30d540bf6f312e38fb19ede0
Instruction Fuzzy Hash: 7921507A7141128FD725DF29D9C896AB7AAFF84361B19816AED09DF320CB30DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 032D2A00, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a907976b46a60c5c03639030a2eb7241a3d84c1c988c03f4de3d4b720ec2db
Instruction ID: 7cbf34609be1453177a578528c7486267de82d4c54d5f20a755e1d156696ac38
Opcode Fuzzy Hash: 47a907976b46a60c5c03639030a2eb7241a3d84c1c988c03f4de3d4b720ec2db
Instruction Fuzzy Hash: FF213079B10626CFCB24DF58D58486AB7B5FF8832171545A5E9059B321C730EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD180, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e1a4fb25d6a30eb99709e74a4925d32fcc6bd8e609a54fc11d7d5ef5657139
Instruction ID: 57718a033f42d311408628686b6d840d6878d5b40d52f0ed7384c5c4a0344a40
Opcode Fuzzy Hash: 88e1a4fb25d6a30eb99709e74a4925d32fcc6bd8e609a54fc11d7d5ef5657139
Instruction Fuzzy Hash: 2521F3347042049FCB04DBA9D854AAEBBABFFC5220B14856AE804CB391DB34DC01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC1D98, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5c787774cbaf0bb836a66b818d81dda437ab0d646daa5f675657d034a2d63c
Instruction ID: a416335d7d1961917933265e03b3841f8e5a2c0b6bd9973a2f3ac589ee8afeed
Opcode Fuzzy Hash: 7a5c787774cbaf0bb836a66b818d81dda437ab0d646daa5f675657d034a2d63c
Instruction Fuzzy Hash: 3C217F74B042188FC744DF2CC880BAE77F6EF89654F214469E519DB365DB70EC018B91

Uniqueness

Uniqueness Score: -1.00%

Function 032D3F64, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898ca360d5c2abb3037aff97a39de77e2c1f599f3cf781676b3c2c648141b9a0
Instruction ID: 8ff7557e3fe5618b93af38208ce238717d5001e9f2933d7ad765997aabc7832e
Opcode Fuzzy Hash: 898ca360d5c2abb3037aff97a39de77e2c1f599f3cf781676b3c2c648141b9a0
Instruction Fuzzy Hash: B3318E78A51219CFCF14CFA4C584AEDBBB1BF4C225F1502A9E506AB361C735AC85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 032D7B70, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3382f2e8654c4764081b7fda44146fb6b38975c76caeb1855ab44ec4bff078
Instruction ID: 7b86041b7e462ba8da4688724f72f4649c9e0180ec28a6bf20355c0fe4b49558
Opcode Fuzzy Hash: 7a3382f2e8654c4764081b7fda44146fb6b38975c76caeb1855ab44ec4bff078
Instruction Fuzzy Hash: 7121C0327082178FC724EF6CD88456EB7EAEFD4324B04882AE905CB389DB74EC418791

Uniqueness

Uniqueness Score: -1.00%

Function 02DCAF0F, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3aae3b3ceb88485a623c6d7cc4072c0221827e5e6a823c69e48126dacfcd9c
Instruction ID: 76b67a7c676b4d053bd8781f501636f5c0bd7c1d54b48963f35e6ac28431d647
Opcode Fuzzy Hash: ce3aae3b3ceb88485a623c6d7cc4072c0221827e5e6a823c69e48126dacfcd9c
Instruction Fuzzy Hash: 2221D875A042049FD705DF74D458ADDBBF1EF89310F1480AAE505AB3A1CB71AC06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 032D6FA1, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a0acbff223a05ee7a6dd2e5c7f7bc7b85ceca12f0dab0fc1f8c46a40d75214
Instruction ID: 73fc4edc67d2cc91b7b1fc4f9d5a59fb48a7750634d20a560ea7bc3855655ffc
Opcode Fuzzy Hash: 32a0acbff223a05ee7a6dd2e5c7f7bc7b85ceca12f0dab0fc1f8c46a40d75214
Instruction Fuzzy Hash: E9212B326286924FDB36CF28A8553B97FB55F41211F2C04A9D042CB6C2DBAE99C9C791

Uniqueness

Uniqueness Score: -1.00%

Function 032D3140, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd042e6ad8e76123126cf0b42858f6c34c5439957e1d279fd183db6e2f02177
Instruction ID: fc19d9523602f6d7868e580259d47a45c0204181d8a49514cf3a65ab32a9cbd5
Opcode Fuzzy Hash: 5fd042e6ad8e76123126cf0b42858f6c34c5439957e1d279fd183db6e2f02177
Instruction Fuzzy Hash: 3311DFB97002128FC314DF58E8C8D6AB7F9FF88A24B140569EA06C7321CB70EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 032D44A1, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c292222ce21320fea821cfe753839ceff60686a933919afd5e31e550ef65a4
Instruction ID: 5f4449cc96b445318512fe58e42e6d84979aea50bd733f7ae9c1e4da55f8b15e
Opcode Fuzzy Hash: f9c292222ce21320fea821cfe753839ceff60686a933919afd5e31e550ef65a4
Instruction Fuzzy Hash: 5621D130F452566BE3118BA49C41BAEBB71AF81B00F24416DD5146F7C1CB70AD1687D0

Uniqueness

Uniqueness Score: -1.00%

Function 032D3F71, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f3048ed3ad9cb24e9e8c609b69098cd5fe47714eb835cc227e2e6c4edab272
Instruction ID: 07cd57fdf1b7b62801fe350a8d773e225c0e2f34a2b8b56986167592a4d36827
Opcode Fuzzy Hash: e7f3048ed3ad9cb24e9e8c609b69098cd5fe47714eb835cc227e2e6c4edab272
Instruction Fuzzy Hash: 27316C78A51219CFCF14CFA4C584AEDB7B1BF4C225F1502A8E505AB361C735AC85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC1CE1, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f0deff3202c8fbaa23afba55149507eb45e1fd0097dd883a777fb70d26dcb0
Instruction ID: c181d5e2358f754f6b97bb3a8beca640010a848e4a0b9054c05c30181f376843
Opcode Fuzzy Hash: 04f0deff3202c8fbaa23afba55149507eb45e1fd0097dd883a777fb70d26dcb0
Instruction Fuzzy Hash: A811C2317101245FDB059AB988506AF77EBEFC9618B20447ED405CB3A0DF72DC079790

Uniqueness

Uniqueness Score: -1.00%

Function 032D91E9, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f146ae631c33c2eb172f4b65ce296b2e54d8837265c631adfca5bedcfd4d8820
Instruction ID: f7ef6793c285a547eb909095d7ac389b4fcb38e37f63f248a64a9f0532feabe8
Opcode Fuzzy Hash: f146ae631c33c2eb172f4b65ce296b2e54d8837265c631adfca5bedcfd4d8820
Instruction Fuzzy Hash: BD2103B59012099FCB10CF99D988BDEBBF4FF48314F00851AE919A7250D774AA44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DCA700, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d33ce1c68e26c7eb0fd56a81a47c1a6e1f9ad396b6877f0c1e2466e6efca4ad
Instruction ID: 3da94da082ca37707362eea4943d6806b981ddd423ebb6b027b034cfc72cfd2c
Opcode Fuzzy Hash: 5d33ce1c68e26c7eb0fd56a81a47c1a6e1f9ad396b6877f0c1e2466e6efca4ad
Instruction Fuzzy Hash: 4A1132357042598FCB159F7988242BEBBF5EF85654F2440BED806CB3A1EB309E06C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC9842, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a09e9825656ac295f15e4dd0be7ef4bff0262c9078505e6e362dedd98982dc
Instruction ID: 085c728078f7d4b705bf695b8bd44c32701b1a4bfa7c20c46f371b8e20dbb377
Opcode Fuzzy Hash: 54a09e9825656ac295f15e4dd0be7ef4bff0262c9078505e6e362dedd98982dc
Instruction Fuzzy Hash: 9C312635A00629CFCB25DF24D854698B7B2FF4A306F2045EAE40AA7710DB35AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 032D44B0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b813d60634e703bf500b16aa8049efe54c1936774b8b21921d8850b9ae226c6
Instruction ID: 76ccc8547c97b1a00fe503061fc00d333441cefb3c5be2e284c71d30fdaec9c0
Opcode Fuzzy Hash: 5b813d60634e703bf500b16aa8049efe54c1936774b8b21921d8850b9ae226c6
Instruction Fuzzy Hash: 18119030F813566BE3159BA49C11BAEBB71AB81B00F744029EA146F7C5CB71AD1687A0

Uniqueness

Uniqueness Score: -1.00%

Function 032D91F0, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04df71fa371ada56fff5c8570448db5db290d1322e06da9b3257ead2a38f7061
Instruction ID: 66b03f9e91f3994b6ba67e6a245933cbe16b2bd9d938836d65834a24f3a3832c
Opcode Fuzzy Hash: 04df71fa371ada56fff5c8570448db5db290d1322e06da9b3257ead2a38f7061
Instruction Fuzzy Hash: 3521F0B59003599FCB50CF99D988BDEBBF4FF48314F00842AE919A7250D774A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 032D7C38, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b21126eae642162cf5e4d1d9ca155d0806e32305bb848bf00ce4ef655d29270
Instruction ID: c73c660a2b24ef643d23f7c668299034b85e8baaf813d52fdb7a37afc67c00c4
Opcode Fuzzy Hash: 4b21126eae642162cf5e4d1d9ca155d0806e32305bb848bf00ce4ef655d29270
Instruction Fuzzy Hash: 6D119E352113148FD724DB65E894A6ABBFEEBC9311F05445DE5428B741CB79B841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02DC1CF0, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1bc50dc42811e5b067d29dc6caa81fe27d53eeb7eed16a18d4c6145482316a
Instruction ID: 00728d0403b5ccf5bb67494a9337846112497439ca0c850ae9279257c918785d
Opcode Fuzzy Hash: fb1bc50dc42811e5b067d29dc6caa81fe27d53eeb7eed16a18d4c6145482316a
Instruction Fuzzy Hash: AF0184317005295FD714AAB98C506AF72DFAFC9618B20443EE505CB3A0DF71DC029790

Uniqueness

Uniqueness Score: -1.00%

Function 032DDD50, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0f68c6af7e1f9eae458426f14a69aafe92c81c3d8b39ace2d284a96e333340
Instruction ID: f3206348282f44f1f12a5b072a9330953f33d146373b37a102e82e99d303e01e
Opcode Fuzzy Hash: 5e0f68c6af7e1f9eae458426f14a69aafe92c81c3d8b39ace2d284a96e333340
Instruction Fuzzy Hash: 6811E5353146018FCB14DB79D89496A7BAAAFCD211B194079D905DB35ACF30DC41C761

Uniqueness

Uniqueness Score: -1.00%

Function 02DA2D70, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7efdffaa3baec4c683eb0e9a7c7339e32d77154d2e9052eef9e70b20f807fae
Instruction ID: 7e111693dae31696db034db4eff1899e785acfe53178be6ca4cff5b547455c61
Opcode Fuzzy Hash: c7efdffaa3baec4c683eb0e9a7c7339e32d77154d2e9052eef9e70b20f807fae
Instruction Fuzzy Hash: B111C0746042459FCB01DF58C890DAAFBB4FF8D310B158596E8059B312C731FC06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032D7C48, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d49d4c2a4f1b44b22c3c53ed5b8c4d43caa90e8f6b5d9ad6e33e9d2d740f380
Instruction ID: 68ebae8ec9e04e7b037d1d4d740dfad203135d4391c0f164801b8b8a232e6bdd
Opcode Fuzzy Hash: 7d49d4c2a4f1b44b22c3c53ed5b8c4d43caa90e8f6b5d9ad6e33e9d2d740f380
Instruction Fuzzy Hash: 880169347117249FD724DB29D884A2BB7EEEB88316F15446DE64387B40DB79F8018B50

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD170, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2c78922db2a896b7894b6a2f1e61c07f46b6427f17f1651bb83d8e8ad509db
Instruction ID: 30c19a100ecadc4b93f0f912c5ff48a505abee3d4f571b392245535eb2ceb6f0
Opcode Fuzzy Hash: 1e2c78922db2a896b7894b6a2f1e61c07f46b6427f17f1651bb83d8e8ad509db
Instruction Fuzzy Hash: B401E134B04204AFCB14DBAAC850EAEBBEAFF89210B14C16AE8489B350D7309D14C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02DA8D61, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5acf5060c1002920bf60ce0fd31bef34b2ece991c4c8f743c7dafa4f3c29b3
Instruction ID: e37f0019a22d4e548b7e49f11297273e8dd5457cb65bb9f6f0e54b41a0d348f0
Opcode Fuzzy Hash: 4d5acf5060c1002920bf60ce0fd31bef34b2ece991c4c8f743c7dafa4f3c29b3
Instruction Fuzzy Hash: AB012636E046819BDB014A7998102E5B7B2DFEA210F18C667D491E3240E7749895C391

Uniqueness

Uniqueness Score: -1.00%

Function 032D18E1, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2cea2127a5324880c04c50b8847322f4a7ec86932e87c3f0741f72dfd483ad
Instruction ID: c2625eea4d8feeae1f38aa2750d12b711d4af21da0300eb4ae01cce17eafbb04
Opcode Fuzzy Hash: 6a2cea2127a5324880c04c50b8847322f4a7ec86932e87c3f0741f72dfd483ad
Instruction Fuzzy Hash: 1F018F7194D3888FD7179B78EC50B843F349F16204F0E44EBD084DB0A3D629EA18C792

Uniqueness

Uniqueness Score: -1.00%

Function 02DCAF20, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca84b50ce9dc84a734ebaea64dfb2b7880de8369cd2d611b04b6e07ddb38077
Instruction ID: 2c8e8abee0ae27510f3efb4bf986b89b537568da874ab3fa8eb9a1143b496ea4
Opcode Fuzzy Hash: bca84b50ce9dc84a734ebaea64dfb2b7880de8369cd2d611b04b6e07ddb38077
Instruction Fuzzy Hash: C7115E75A00508DFD714DF68D498A9EB7F5EF88310F248169E502AB3A1CB75AC41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0334D006, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.503698311.000000000334D000.00000040.00000001.sdmp, Offset: 0334D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6127a9f8a250c19a225b18658371e38a5e6b8cbe9e3073768f6b4f71cd8a143
Instruction ID: 3c4a58058e0b9f417b58e8e135af476d42779a7e52d4bc4e700e1bedd5812297
Opcode Fuzzy Hash: d6127a9f8a250c19a225b18658371e38a5e6b8cbe9e3073768f6b4f71cd8a143
Instruction Fuzzy Hash: BF01527140D3C05FD7128B258C94752BFA8EF43224F0985DBE9848F193D26D9C45C771

Uniqueness

Uniqueness Score: -1.00%

Function 02DA8D70, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7436a29e10253fdff18d26830a7c7b7b0ab2cf2869e0961c557269852bf060
Instruction ID: efdbe883c4cea9a7297e8ceda861533ba00dbbbd5f68c1a5b164a2d050aa82ef
Opcode Fuzzy Hash: 4d7436a29e10253fdff18d26830a7c7b7b0ab2cf2869e0961c557269852bf060
Instruction Fuzzy Hash: 1101D436E0464196DB148ABADC107E6B3A2EFE9310F14C627D951E3380EBB4DDD1C292

Uniqueness

Uniqueness Score: -1.00%

Function 0334D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.503698311.000000000334D000.00000040.00000001.sdmp, Offset: 0334D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97724d91e8d66535e57c9e8aedee51233d63d37c9e539f99584796a21006715
Instruction ID: bf60a753678893e3b75535d8b9b769db5acb8df3321d34ea7e55a3892152409a
Opcode Fuzzy Hash: e97724d91e8d66535e57c9e8aedee51233d63d37c9e539f99584796a21006715
Instruction Fuzzy Hash: 5301A271408344AAE7208B25DCC4BA7FBDCEF41268F08855AED055B683D37DA845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 032D6FB0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e88380ad27c54953c0c7c98af4c2baa84c3c97873f90a4125427683877fa06
Instruction ID: 3694d4c4777c0e695f483e97c7314d10a772ed0ee8925a5661b0219e0b7c07ff
Opcode Fuzzy Hash: 73e88380ad27c54953c0c7c98af4c2baa84c3c97873f90a4125427683877fa06
Instruction Fuzzy Hash: 1401D632724A124FD735DE29A40833AB6AA5BC0622F59487DE407862C1DFBDD4CA5740

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD108, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf70497bd953ffe5bd8e42d3d8d396f799502d72e4f72b73b0e7d241251af92e
Instruction ID: b590dd993d7dc493fee8fd93fdf496c836d4743854826127fad5dba67bdbe2aa
Opcode Fuzzy Hash: cf70497bd953ffe5bd8e42d3d8d396f799502d72e4f72b73b0e7d241251af92e
Instruction Fuzzy Hash: 08F096397046045B9B1896AA9CA4FABF7DFEFC9164714C429E51DC7740EB74DC01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 032DABDF, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5be63caee22b4547b392a69d98a06acde361531399db2fda4850ae4ade2d48
Instruction ID: 94156bd16d35b531ba1e262e32e80c4d74651039976ef3a91a3368a6c922cea6
Opcode Fuzzy Hash: 5c5be63caee22b4547b392a69d98a06acde361531399db2fda4850ae4ade2d48
Instruction Fuzzy Hash: A9F06D728193919FCB17CB68CD92A903F72AE27210B0E05C2C444DF263D629A845CB12

Uniqueness

Uniqueness Score: -1.00%

Function 032D7038, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f96b11dc4f57c9a63796885f66af769a60990a4a8e21f953ec126f19770a3e6
Instruction ID: 57c9eea49908a6a42d6e3db3b8b8f2fc7095e35f22b7f6644a263427478c9409
Opcode Fuzzy Hash: 5f96b11dc4f57c9a63796885f66af769a60990a4a8e21f953ec126f19770a3e6
Instruction Fuzzy Hash: E201D870D183994ADB18DF68D8157EFBAF16B88304F04445DC001B76C1DBBE4944C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC1EB8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a712eb9902b8268ea5bf02709f414e8100cf835b1ac5c5eab5b60786f46d8840
Instruction ID: b23f1a8cb24ec9583088d4b1aa352be38462e0d8737d453d7f46896796d85a1d
Opcode Fuzzy Hash: a712eb9902b8268ea5bf02709f414e8100cf835b1ac5c5eab5b60786f46d8840
Instruction Fuzzy Hash: 6AF02232B0014CAFCF128FB5E840ADE7FF8EF89320F04406AE505E3241DA319828CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DCAEF0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045a7adb3b17a27b94bc5a0551069a970c2f31231ea7e8a7b8e99db1eacc9f61
Instruction ID: a7f2622c300395093463c5eb4883201cd9136d0662ebe0191c7ff54ff9533a98
Opcode Fuzzy Hash: 045a7adb3b17a27b94bc5a0551069a970c2f31231ea7e8a7b8e99db1eacc9f61
Instruction Fuzzy Hash: 87F05937A0C1588FC3019BB8F8851C4FBB8DE8562530480E7E645CBA53C7211419C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 02DCBC09, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3b204801b27350f2987620cb6f69ad191c975c79ff0978d27cd95d8defdf67
Instruction ID: ffb780be848566a36b930ffd05b2fbea5b95d3142e9d5ef246af84dfcf98e872
Opcode Fuzzy Hash: 5d3b204801b27350f2987620cb6f69ad191c975c79ff0978d27cd95d8defdf67
Instruction Fuzzy Hash: CBF0F636A0021ACFEB246A64D95A7EE7BB5EF88315F15042ED002B7781CF7C8806C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 032D3C28, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6305885b3ea8fea856af43c68b6f7cd79156ed155f56201883025e633a5ad0bb
Instruction ID: 2bd11e115c240b5d2151f0338bd28f4365285ade085352861365283d6a0f9168
Opcode Fuzzy Hash: 6305885b3ea8fea856af43c68b6f7cd79156ed155f56201883025e633a5ad0bb
Instruction Fuzzy Hash: D0F037323005145BCB149A9EE454A6BB7AFEFC9A25F18416AF30AC7261CFA1DC058791

Uniqueness

Uniqueness Score: -1.00%

Function 02DCE7BD, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db31e450d0f8800096e3de4b5782f578c5102ff9affedb90f98314f6798365f
Instruction ID: e50534c6371722f3f4ea5d5fb27729ad3888f09f3d52becbe8cc9f514c4877c1
Opcode Fuzzy Hash: 9db31e450d0f8800096e3de4b5782f578c5102ff9affedb90f98314f6798365f
Instruction Fuzzy Hash: 4101AC75E0430ACFDB14ABA0D9997ADB7B9AF84345F24802DD416AB394CF709C01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032D5B48, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042f9a0b9f987c3b05e4c0688c90d638115b3ac57184d080a9362b74b1a203cd
Instruction ID: d60ef4f473f9eb7578dc4e26f2e13be2a68c79638386a1116c6377a66ee4aad2
Opcode Fuzzy Hash: 042f9a0b9f987c3b05e4c0688c90d638115b3ac57184d080a9362b74b1a203cd
Instruction Fuzzy Hash: FF016D30119B61CFC324CF29D444952B7F2EF46309B548CADD5868BA65CB7AFD45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02DA9237, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740c28225adc5bd8289da977853eae40e7bf7e1084eec22801607e895e84779e
Instruction ID: 4c40322a13413af3f1998f151b7dc0874c4f84ebaa1ceede4785fe77344bca7a
Opcode Fuzzy Hash: 740c28225adc5bd8289da977853eae40e7bf7e1084eec22801607e895e84779e
Instruction Fuzzy Hash: 64F03771A0020CDFDFA4CFA4D8A0BEDB7B2BF85305F5080AAE408A3350DB318999CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02DA922E, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740c28225adc5bd8289da977853eae40e7bf7e1084eec22801607e895e84779e
Instruction ID: 4c40322a13413af3f1998f151b7dc0874c4f84ebaa1ceede4785fe77344bca7a
Opcode Fuzzy Hash: 740c28225adc5bd8289da977853eae40e7bf7e1084eec22801607e895e84779e
Instruction Fuzzy Hash: 64F03771A0020CDFDFA4CFA4D8A0BEDB7B2BF85305F5080AAE408A3350DB318999CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032D2AD8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af37371aabf3cc07d05e74dafd9463964bcbbf84f788826c11e80b1e77c069f
Instruction ID: 6739507646bfe215b647efe89c49be219e3a0df5c9d3f8999564990f9da7deb0
Opcode Fuzzy Hash: 1af37371aabf3cc07d05e74dafd9463964bcbbf84f788826c11e80b1e77c069f
Instruction Fuzzy Hash: 8BF082323101105FC7158BA9E885CAA7BFAEFCD611319025EF10AC7361CE619C06C791

Uniqueness

Uniqueness Score: -1.00%

Function 02DAE2EF, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d097aadc04efe111f0041712a0c0de9c0e2a25a970f0b46500662689ea54b5
Instruction ID: cba43f46fff544d90d517b9b48cc7e66ce02ddd2104a899b553d5a0ba9921452
Opcode Fuzzy Hash: 98d097aadc04efe111f0041712a0c0de9c0e2a25a970f0b46500662689ea54b5
Instruction Fuzzy Hash: AFF04936600649CFCF11CF68E8D48DABBB1FF4531075589AAD9968B216C731E816CF00

Uniqueness

Uniqueness Score: -1.00%

Function 032D4F26, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0023c6e6d6eae3560bab299920ce60f70f8caf815f268ecccd1a1f5c61b5d041
Instruction ID: 1dce30ea45f1fc47a92eadefc480b8ace0a75e0829c4bc2663de7a4d015f3619
Opcode Fuzzy Hash: 0023c6e6d6eae3560bab299920ce60f70f8caf815f268ecccd1a1f5c61b5d041
Instruction Fuzzy Hash: 76F065757002149FC3189B79D454956B7EEEFC9225310447DE54EC7721CE36EC02C755

Uniqueness

Uniqueness Score: -1.00%

Function 02DAEF40, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a1f4dec750c8e77c42c5c4650265317588d161a83a71dc099f2865afe81c18
Instruction ID: 849ba5bd2972bc5cf34182d82bd2244960a734b5f8f1d9c7f23c786f8a236232
Opcode Fuzzy Hash: 32a1f4dec750c8e77c42c5c4650265317588d161a83a71dc099f2865afe81c18
Instruction Fuzzy Hash: BCF0127250624DFFDF02DFB4DC018EA7F7AEB45210B0580A6F944D7021D2328A25EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 032D4F28, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16922eb57a4ab6c334ec29bf9a38c455b1752daf7234dfbf58d5f00e2ba0d74b
Instruction ID: 2de9de42e8eb959582836d81eba68526e935490b2587c52846e5ac95c2ede36c
Opcode Fuzzy Hash: 16922eb57a4ab6c334ec29bf9a38c455b1752daf7234dfbf58d5f00e2ba0d74b
Instruction Fuzzy Hash: 90F065757002109FC3189B79D454816B7EEEFC9225310447DE50EC7721CE36EC01C754

Uniqueness

Uniqueness Score: -1.00%

Function 02DA8E30, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001d899efbc975f392b24eb2a170e05cebb2a6982becd483628911c9994e64e4
Instruction ID: 42dcd05ccf548916fb40d0b7c03ed24165f604715f324a280c2563f82afceab9
Opcode Fuzzy Hash: 001d899efbc975f392b24eb2a170e05cebb2a6982becd483628911c9994e64e4
Instruction Fuzzy Hash: CBF0B73614518ABFDF124FA48D11FEA3F76AF49214F098192FA94994A2C63AC425AB50

Uniqueness

Uniqueness Score: -1.00%

Function 032D4D81, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46c65d446dcebcd7614696763608d64b6e4970160b10f997000e98177b0c7f2
Instruction ID: 836a2dc0369b47c10b1c3a931b815a5f968680ea00dcf2969649074153a5f3e7
Opcode Fuzzy Hash: e46c65d446dcebcd7614696763608d64b6e4970160b10f997000e98177b0c7f2
Instruction Fuzzy Hash: 7AE04F7240D3D08FC327CBA4DC95A803FB09E47251B0E05EFC885DB267D629BA14C792

Uniqueness

Uniqueness Score: -1.00%

Function 032D2AE8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c399acab666f56b99fddb55686bbbdb0bafb7af45d25fafb6090c965a325fcf
Instruction ID: c2fefab2bbe9f5703b50659fdc1c0c1a11beae824e512dcbf1b4b189f91b3c66
Opcode Fuzzy Hash: 5c399acab666f56b99fddb55686bbbdb0bafb7af45d25fafb6090c965a325fcf
Instruction Fuzzy Hash: 5FE04F323101109F87189B9DE444C6B77EFEBCC621315416EF20AC3321CE61DC0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 032DAB62, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd3c0b475e7ae24e97d48f0edd2160136ec07529d256c3a9362c09b2a2c0f1f
Instruction ID: 013e5c5bf9af5e6b4de8e6da257b428a6e22aefab9a52fe54b7663b29a22f0ae
Opcode Fuzzy Hash: cbd3c0b475e7ae24e97d48f0edd2160136ec07529d256c3a9362c09b2a2c0f1f
Instruction Fuzzy Hash: 67E0467505E3C09FC71387B4ACA1AD43F349F46240F0D01EAA4849B2A7CA28AB28C741

Uniqueness

Uniqueness Score: -1.00%

Function 02DA8E40, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b83bcc20b11058c9935176d8a35171f4e7bb43b3904089c5dda2d768cec1ee4
Instruction ID: 540657a8796b08ecd404068bd47a5c9e6c86db64edaf5d58e237c4c01ccb25f0
Opcode Fuzzy Hash: 0b83bcc20b11058c9935176d8a35171f4e7bb43b3904089c5dda2d768cec1ee4
Instruction Fuzzy Hash: 29F0AE7200014EBFDF128E90CD01FEA3F6AEB8C304F088151FA54940A0C63AD530AB60

Uniqueness

Uniqueness Score: -1.00%

Function 02DAEF50, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604761fe3e486197415d76fa26d1a5ca5768790e856188d06e4a7a9f03ff54f4
Instruction ID: 5a1981be6aa02b32a53876d22ec90974e53b62317a3db67e1eb7053f8ecec399
Opcode Fuzzy Hash: 604761fe3e486197415d76fa26d1a5ca5768790e856188d06e4a7a9f03ff54f4
Instruction Fuzzy Hash: D7E092B290010DFF9F41DEA0DD00CAF7BBAEB48200B00C465BA0492120E6328A31ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DAA8D0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78c414e06cb6b8aafef65724b670769ec69cc30a581fdc8c1c35c4deb647392
Instruction ID: 03772a7c6b17c899062940acd0883103fea692d0fce7d23ebfeb85f495a046be
Opcode Fuzzy Hash: f78c414e06cb6b8aafef65724b670769ec69cc30a581fdc8c1c35c4deb647392
Instruction Fuzzy Hash: 9AD05E3631A2C01FD7026B346CA61C07FF2DF8362976805EBD5C08A122C23A4C0BC340

Uniqueness

Uniqueness Score: -1.00%

Function 02DA3B68, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eff08942927961c63ba081f18e651b6bdfa30ed40dd828abc13db173a0da0b6
Instruction ID: bf6cacb73edad150df9544bbecbecf7220ef6dfff5dcdb6a78e36be56e2873ff
Opcode Fuzzy Hash: 5eff08942927961c63ba081f18e651b6bdfa30ed40dd828abc13db173a0da0b6
Instruction Fuzzy Hash: EED05E1028F3C62FE70257B698215A17FAB9D4705430C80E9D88486212EA06E81AC3D2

Uniqueness

Uniqueness Score: -1.00%

Function 02DC9EC8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957bc24fd0189362c48914b0d99dcd9783fef489413cee119f0c202d2e23fd62
Instruction ID: 84ea92e2ba0ec71108e4515533aad82d00305318646ee95a606f2c4949343f60
Opcode Fuzzy Hash: 957bc24fd0189362c48914b0d99dcd9783fef489413cee119f0c202d2e23fd62
Instruction Fuzzy Hash: A5D01232714124578714164EB8195FB769ED7CDA72B14803FF50EC3351CEE59C0247E9

Uniqueness

Uniqueness Score: -1.00%

Function 02DAC501, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.480434327.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202a1fafc39f7f6901f580789bfb297b2a3a854f9ae0a5e13aa85ba878e495eb
Instruction ID: eaad10fbc0d15fb18e776a3315217a35c2d38be102074d3652aa7e8a11e31908
Opcode Fuzzy Hash: 202a1fafc39f7f6901f580789bfb297b2a3a854f9ae0a5e13aa85ba878e495eb
Instruction Fuzzy Hash: 22D0223334211006F2106228B800BAEE3679FD022AF70803AC3018EBC4CEA11C1982F4

Uniqueness

Uniqueness Score: -1.00%

Function 032D4D00, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677891edc074df03fd4e1c6677fd5e2f9ae05c4f5585b51f277eb888180066be
Instruction ID: 26563518a841d3d0feb3e3e6de3b24c67ec8bcc102c40d07aee417baf58ba382
Opcode Fuzzy Hash: 677891edc074df03fd4e1c6677fd5e2f9ae05c4f5585b51f277eb888180066be
Instruction Fuzzy Hash: 58C08C321082918FC33B8BB0E8D51C03F60DD0A22030806F6D048CF226CE399205CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02DCAF00, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.483431965.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Uniqueness

Uniqueness Score: -1.00%

Function 032DAB90, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531bf9fa2a281ba33880130a263f83ba00f0deac415fffddb9035f51a07e040e
Instruction ID: 419afd298f5c893913f885730596fc09e5d2e1659a1b87b99ac2ece38bb0321f
Opcode Fuzzy Hash: 531bf9fa2a281ba33880130a263f83ba00f0deac415fffddb9035f51a07e040e
Instruction Fuzzy Hash: F4A0223000030C8F8AA832B83888808B32C8080A20B80C02AF00C8320A8F32F80002C0

Uniqueness

Uniqueness Score: -1.00%

Function 032D1910, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d52d20e6c789bf10a530ebd510aab0b8f3ed0b7928502134a05e0267733bf5
Instruction ID: a38e296211cbba4312d4f4cca95e286dd258956cd352c330a5ad2f27f0138c6f
Opcode Fuzzy Hash: 68d52d20e6c789bf10a530ebd510aab0b8f3ed0b7928502134a05e0267733bf5
Instruction Fuzzy Hash: B1A0223088030CCBC22832F0300C808B30C8080A0CB80C828E00C8300A8F32F00000C0

Uniqueness

Uniqueness Score: -1.00%

Function 032D1680, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9996cbd76fff34d5edb05d46442922319310c7906a5ebe77373109cd343b2c5c
Instruction ID: 0f593123b54cafcafeee55f4056d3a5971880aee2dcc4017160bf14cf1d1a0e6
Opcode Fuzzy Hash: 9996cbd76fff34d5edb05d46442922319310c7906a5ebe77373109cd343b2c5c
Instruction Fuzzy Hash: 7EA0223088030CCBC22C32F0300CC08330C8080A0CB808028E00C830088FB2F00000C0

Uniqueness

Uniqueness Score: -1.00%

Function 032D4D10, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe8c11447989952052c1a6ccc82cbe278e1d49b26a7a81a493ddae6d43eaa94
Instruction ID: d32d61e7d18d4e1511a0b69b1dc6f6e3dcf8f8af513952c14a39e96f5394e72c
Opcode Fuzzy Hash: ffe8c11447989952052c1a6ccc82cbe278e1d49b26a7a81a493ddae6d43eaa94
Instruction Fuzzy Hash: 64A0223008830C8B82283BB03008808330C8080A00B808028E00C8F0088FB2E00008C0

Uniqueness

Uniqueness Score: -1.00%

Function 032D4DB0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4ef0bc907439187b33d6415aa3ec8a19055edcef19ccba6d910f7ac3f8d261
Instruction ID: 3c466c1ab728ca3a919f23546616c9a65fe5c5d32d4fa5be4cbfdf811c50a313
Opcode Fuzzy Hash: 5c4ef0bc907439187b33d6415aa3ec8a19055edcef19ccba6d910f7ac3f8d261
Instruction Fuzzy Hash: 39A0223008030C8B82A83BB03088808B30C8080A00B80C02CE00C8B00A8F32E00008C0

Uniqueness

Uniqueness Score: -1.00%

Function 032DAC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502266571.00000000032D0000.00000040.00000001.sdmp, Offset: 032D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0c9bb53eb4ef4445befe772596763e4c5b097a8f3cb79e857f1a866ac54224
Instruction ID: 0af0c74afbfb5cfa4b9fb31d84aac209d8083a13fe82c60d744f95b90bb556c9
Opcode Fuzzy Hash: 3e0c9bb53eb4ef4445befe772596763e4c5b097a8f3cb79e857f1a866ac54224
Instruction Fuzzy Hash: 02A0223000030C8B822833B0B80C888330C8080A00B808028E00C830088FB2F0000AC0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 6916 Parent PID: 6708 powershell.exeCOMMON

Executed Functions

Function 0311B0F0, Relevance: 1.7, Strings: 1, Instructions: 487COMMON

Download Yara Rule

Strings

d, xrefs: 0311B4FE

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d0b918988fc4a135ccfcefcd1ac55c432a6d23d8a631e7d4ccffb7cbb839effa
Instruction ID: 5ea6f70a2048902853fdba3c7cfe22f83f3eb578558eeb0de7f0adbbc1ebf65f
Opcode Fuzzy Hash: d0b918988fc4a135ccfcefcd1ac55c432a6d23d8a631e7d4ccffb7cbb839effa
Instruction Fuzzy Hash: 82120574A042098FCB14CF98C580AAEBBF6BF4D314F1585A9E905AB365D731ED52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031652D8, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0316503A), ref: 0316533F

Memory Dump Source

Source File: 00000003.00000002.581827206.0000000003160000.00000040.00000001.sdmp, Offset: 03160000, based on PE: false

Similarity

API ID: DecodePointer
String ID:
API String ID: 3527080286-0
Opcode ID: f17199b6c4b8f081107805984de0f4086d4276e029a70deb92f5ceb2d7722b46
Instruction ID: 60783d25f46a17677ef25d8f59d3fe486a3e53c6f046c28ffd00f3b421612ec8
Opcode Fuzzy Hash: f17199b6c4b8f081107805984de0f4086d4276e029a70deb92f5ceb2d7722b46
Instruction Fuzzy Hash: 9B1100B18006598FCB10CF9AD988BDEFFF8BB89324F14845AD518A7240D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03163634, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0316503A), ref: 0316533F

Memory Dump Source

Source File: 00000003.00000002.581827206.0000000003160000.00000040.00000001.sdmp, Offset: 03160000, based on PE: false

Similarity

API ID: DecodePointer
String ID:
API String ID: 3527080286-0
Opcode ID: 475a9c2c4188a9d95c0eeb4d49ba0c98c6d81ac5b07f99ffbc838f31c8433d85
Instruction ID: ec1c36aec54792211b0dfbca69e31ce5e04dac4fe96ffeed0be8fb67017f2a53
Opcode Fuzzy Hash: 475a9c2c4188a9d95c0eeb4d49ba0c98c6d81ac5b07f99ffbc838f31c8433d85
Instruction Fuzzy Hash: 291130B1800609CFCB10CF9AC888BDEBBF8EB89324F10841AD519B7340D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03113F40, Relevance: .8, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4b086390047b14d1448d3d6f9618183724e2a751f512d7bcc50457f0e0707c
Instruction ID: 1ffc696b064ffe2ee6083015ee43f482b932b6476ec08c1eaafcc770212ed229
Opcode Fuzzy Hash: 7f4b086390047b14d1448d3d6f9618183724e2a751f512d7bcc50457f0e0707c
Instruction Fuzzy Hash: 6C629D34A00209CFCB29DFA5C8546EEB7B2AF89705F1444B9D906AB390DF35DD91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031151D8, Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef4c085083072bf04394418ba39a3d4dd04b09f0df25b1620226510970b6f97
Instruction ID: 506540df0120a479c31d59050ae0aa0dfcacc2f64fd672ddd4284c8783cde40a
Opcode Fuzzy Hash: 1ef4c085083072bf04394418ba39a3d4dd04b09f0df25b1620226510970b6f97
Instruction Fuzzy Hash: 12522874A10218DFCB25DF64D894BEDB7B2BF89301F1481A9E909AB3A1CB749D91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03116450, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aeb47d75f947aca4729f8562483aa8e557fffc97632f76cdb5e1557c2fe162
Instruction ID: f25378ed88d34802cf9d30a5ff9e80dce682c5b671f0a5fc6a7074b152d73d5c
Opcode Fuzzy Hash: a1aeb47d75f947aca4729f8562483aa8e557fffc97632f76cdb5e1557c2fe162
Instruction Fuzzy Hash: D8B1AD74A05205DFCB04DFA8C980AAEBBF6FF89304F148568D9059B765DB31EC96CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03116443, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6196ac43ad93b8619f2f977601cee12d17baeb5de909482b22aead1e7ea9da
Instruction ID: 9a638a34d2defd03dcf8ceb46ccecff5d202697c965da8ac0eba17fd33df9fae
Opcode Fuzzy Hash: 1f6196ac43ad93b8619f2f977601cee12d17baeb5de909482b22aead1e7ea9da
Instruction Fuzzy Hash: D2A18E74A01205DFCB04DFA8C580AAEB7F6FF89304F148569D9059B764DB31EC96CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03117698, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718573363707c418a2edae928bc4e84c217b9abea8cdf268a3c6278296717080
Instruction ID: 4fadb38e84a143a933fcb1f3706dc35853586f12ce0afa3f107ac472a7be3a68
Opcode Fuzzy Hash: 718573363707c418a2edae928bc4e84c217b9abea8cdf268a3c6278296717080
Instruction Fuzzy Hash: 7681B135B002049FCB18EB74D858AAEB7F6AF88614F158579E506DB3A5CF70DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03116170, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cf21057fccb7790076563c0b7d79a9ab777f54e4687b24b0c5dea99d8468fd
Instruction ID: caea9341e675ba63dd4aa0f28cf5384fe1bf5aa03cccb8fe7a801edce0004da6
Opcode Fuzzy Hash: 28cf21057fccb7790076563c0b7d79a9ab777f54e4687b24b0c5dea99d8468fd
Instruction Fuzzy Hash: 24916C78700605DFCB05CFA4C584AAABBF2FF8D304B118568E91A8B761D736EC95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03116C08, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12ae1df22b40a3b096725d12c477dad4e8c782bfcc2c93a5be4ca96ba1baea0
Instruction ID: 7fb853d7e43aac56d875a9ca45090fe8235edbcd752df2b3e2d55f4793deb673
Opcode Fuzzy Hash: c12ae1df22b40a3b096725d12c477dad4e8c782bfcc2c93a5be4ca96ba1baea0
Instruction Fuzzy Hash: 3C818D347112049FCB08DF68E894AAEB7F6FF88301F148579E906EB360DB71E8458B60

Uniqueness

Uniqueness Score: -1.00%

Function 03110540, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17997bdf4d8188d78ee0a8e7f50469f0c633ed4953b13dff18cf8dbbe4e24f4c
Instruction ID: 8e1656c4bc0a728b4ac861b7eb6bd3030a5683eff4bc1e9eb55b8127289cb79d
Opcode Fuzzy Hash: 17997bdf4d8188d78ee0a8e7f50469f0c633ed4953b13dff18cf8dbbe4e24f4c
Instruction Fuzzy Hash: 0381A0356006058FDB15EF65E8487AABBB7FF8C311F048428E907976A9CF74AD91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0311570E, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9231cf80231b61696f8f86e52789955a6b85d9b2ca107b53a77c738a7137ed73
Instruction ID: cc25c5e1014246b6d1b9477046048397f95c2b38cf07d76c83f97498cd037c7f
Opcode Fuzzy Hash: 9231cf80231b61696f8f86e52789955a6b85d9b2ca107b53a77c738a7137ed73
Instruction Fuzzy Hash: 15912E74A002188FCB25DF58D884BE9B7F2BF89314F1581A9D9099B355CB74ED91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03116180, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92b815c1b597289ad5712d0a6c796ab1e34b827233ffc3f42ec35f493589932
Instruction ID: 80d83938b7ceca856a6a117cb5f77ba32333fe85a5e2e68e161c136e7d75b9a5
Opcode Fuzzy Hash: d92b815c1b597289ad5712d0a6c796ab1e34b827233ffc3f42ec35f493589932
Instruction Fuzzy Hash: E0913B78B00605DFCB15CFA4C584AAABBF2FF8C314B118568E91A8B761D735EC55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031159D0, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5d091f40dcce40b6094cda25aa03679e3b6c625d256442dd4ce067c447f725
Instruction ID: 33eee6511a204dbeed48e4b079691302b1e770e0f1c1c97d37576d81f4223621
Opcode Fuzzy Hash: ae5d091f40dcce40b6094cda25aa03679e3b6c625d256442dd4ce067c447f725
Instruction Fuzzy Hash: 2E912D74A002188FCB25DF28D984BE9B7F2BF89304F1581A9E9099B365CB74ED91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0311B8C8, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24128250c5cac2bfa9f9701d78d144ba0eb644101210ae87d973e33015bf5d2
Instruction ID: 9eae7e87a73f8252db668338241b1d9980c741ce33665d6dc8064bd100ab5be2
Opcode Fuzzy Hash: f24128250c5cac2bfa9f9701d78d144ba0eb644101210ae87d973e33015bf5d2
Instruction Fuzzy Hash: 8581E975A08209DFDB14DF94D884BEEBBB6FF8C324F18D165E805AB265D7309891CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03118DB8, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78df210eb7b117b6695c652dc287ef2198129ffdb8cf4cf896901f98371e1c94
Instruction ID: 4d10c6c820c043743783a85fbed7adb50f4d7980431b9889b961e618cbb78c34
Opcode Fuzzy Hash: 78df210eb7b117b6695c652dc287ef2198129ffdb8cf4cf896901f98371e1c94
Instruction Fuzzy Hash: FC816878A01218DFCB18DFA8D580A9DBBF2AF48314F1585A9E910EB361DB70ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0311A568, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83789a3d013b0e80b0888bdefb4b8eb24a3539feeba1f6676f81f03b4c0cff2f
Instruction ID: ae3c2b15db52be085b006da38ff733af8f6fbc355d1b3c7c867c69a2bad75d8d
Opcode Fuzzy Hash: 83789a3d013b0e80b0888bdefb4b8eb24a3539feeba1f6676f81f03b4c0cff2f
Instruction Fuzzy Hash: 46512A757006049FC758DF68C444AAABBF6FF8C324B158469E90ADB365DB71EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03116B35, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4486eb0328466c2c32c52ccb39a0eecac8f741792c17492a957b3abdbc84bf6d
Instruction ID: 3c07b7d61deee7eb19f3451532856b2eb1ac220f8db42894cfdaf5be721396f1
Opcode Fuzzy Hash: 4486eb0328466c2c32c52ccb39a0eecac8f741792c17492a957b3abdbc84bf6d
Instruction Fuzzy Hash: F6516E3150E3D04FC707DB3898A06EA7FB5AF4B214B0A44E7C481DF6A7D7259859C762

Uniqueness

Uniqueness Score: -1.00%

Function 03117688, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69344dcfd50c2c29c5ea260a2e52ef74b4ce60097f474fca3f0f9a9561a5c50
Instruction ID: abb49442eb7a7b3b4436121aabd594efc67afafefb286309ac253a221636f795
Opcode Fuzzy Hash: d69344dcfd50c2c29c5ea260a2e52ef74b4ce60097f474fca3f0f9a9561a5c50
Instruction Fuzzy Hash: 31518E31A00604DFCB18EF64D894AEDB7B6BF88704F198578E502EB3A4DB70AC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0311D678, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ce2c9275b286b3647ca49eb3635e4fbb9e42a84ebe0195d24efa736f9e7f28
Instruction ID: 87b24afda06c8b2426ccea6f2855b0613cbeba143480654936c02d636e2fa570
Opcode Fuzzy Hash: f3ce2c9275b286b3647ca49eb3635e4fbb9e42a84ebe0195d24efa736f9e7f28
Instruction Fuzzy Hash: F941A335A002199BCB18EBA4E8586FEBBB6EF88315F144429D502F7384DF74AC95CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03115B21, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe4782a707e0fbdd730071a953f0954c81affe693b3f41e267596a8abca7a00
Instruction ID: ec4f615525ef6418ae1b797dc969815f18f8c03c804b95dc64c51559ced378d4
Opcode Fuzzy Hash: 1fe4782a707e0fbdd730071a953f0954c81affe693b3f41e267596a8abca7a00
Instruction Fuzzy Hash: A0511A34A012198FCB29DB24D894BE9B7B2BF89304F1941E9D909AB351DB74ED91CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0311CC30, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c953659ecac5476cd6e6343ada6878e8223dc1cd5d5e12eb94c834fcccab919a
Instruction ID: e6d662372d9f3890f2ab74d293b0eb3f70e6c1113f40f49ff3c1928c0f8bcb90
Opcode Fuzzy Hash: c953659ecac5476cd6e6343ada6878e8223dc1cd5d5e12eb94c834fcccab919a
Instruction Fuzzy Hash: F7417CB8601204DFC714EB78E85976D7FE6FF89211F20846DE60AEB350DB7598498B60

Uniqueness

Uniqueness Score: -1.00%

Function 0311D060, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03efd9483a962c47de8a1ab8b981572ed2573d4c29609ef9e60a8abad745326d
Instruction ID: 49a598a7e086ba19d3cf5a53d70050339939af2ddb6dc13c40cbc943eb7dbc9d
Opcode Fuzzy Hash: 03efd9483a962c47de8a1ab8b981572ed2573d4c29609ef9e60a8abad745326d
Instruction Fuzzy Hash: D641B170A007549FDB25DF69C8406EEBBF2FF89300F148A6ED496AB751D730A894CB60

Uniqueness

Uniqueness Score: -1.00%

Function 031155A1, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07751aa029183b84130462fedebdba6634cba76280ad477ec40ffad72ddb767
Instruction ID: 6ade5f41beac21b3c1865ecaa2e85d573a5473cf06f79d6ae20369e1a21a69fb
Opcode Fuzzy Hash: c07751aa029183b84130462fedebdba6634cba76280ad477ec40ffad72ddb767
Instruction Fuzzy Hash: 08515D74A20119DFCB24DF64D898BEDBBB2FF89301F1485A9E806A7294CB349D91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0311CC40, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbf920ab5424f0863052cdcc52738f5fef9f666bc4bc7f56821874c0a3f5d25
Instruction ID: 0b593f0dfbad3390872c8419a46e62c0637df8408a5bfe0282af8eaef883e63c
Opcode Fuzzy Hash: edbf920ab5424f0863052cdcc52738f5fef9f666bc4bc7f56821874c0a3f5d25
Instruction Fuzzy Hash: 9E418DB8601204DFCB14EB78E44A76D7FE6FF89211F20846CE60AE7340DB7598488B60

Uniqueness

Uniqueness Score: -1.00%

Function 0311A558, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67982c7e41d4f1e717ecf57cc7ca00aba69d488408cb216a6053326cd304c12f
Instruction ID: 5c192b9d62fb41c7f4b813d8a5484be651ec7d8842eaa19d99df3613490f996f
Opcode Fuzzy Hash: 67982c7e41d4f1e717ecf57cc7ca00aba69d488408cb216a6053326cd304c12f
Instruction Fuzzy Hash: 89315C35A00204DFCB54DF68C884EAABBF6FF8C320F198469E9059B355DB31E851CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03116BC5, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcba03362507e9075cdcb893b88511f1f1a1d65e463bc5c61ab27d771da37f60
Instruction ID: 210aff11a3f0c8511897852efac48247be1b10445eacfe821a4081eaf45fa22c
Opcode Fuzzy Hash: dcba03362507e9075cdcb893b88511f1f1a1d65e463bc5c61ab27d771da37f60
Instruction Fuzzy Hash: E331083161A2509FC705DB64D8A0AEF7FB2EF8A311F0544BAD801DB265DB319C54C761

Uniqueness

Uniqueness Score: -1.00%

Function 0311C0A8, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddbf6f30fc06d058712bc550a9b4162e4b29539acd51dc0e98d1e0e66e1c72a
Instruction ID: d1bdfad2507aa34249d678429da6814bf84da9fcb028fb60a06d090e0fe4d2b2
Opcode Fuzzy Hash: bddbf6f30fc06d058712bc550a9b4162e4b29539acd51dc0e98d1e0e66e1c72a
Instruction Fuzzy Hash: 62316D75B40209CFCB08EFA9D858AEEBBB6EF8C350F14C029D516E7354DB7098558B90

Uniqueness

Uniqueness Score: -1.00%

Function 03113F0F, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15cabf9ff0f23d83eb2143fe8affe4aa749d8bd5ed2cc969545b8e69be79ed5
Instruction ID: f44c6f78721fca56c309bd842eb053b86427fdeefc1ef25c3deeac9f101db372
Opcode Fuzzy Hash: c15cabf9ff0f23d83eb2143fe8affe4aa749d8bd5ed2cc969545b8e69be79ed5
Instruction Fuzzy Hash: 0931C470A0421ADBCB25DF25C8507EABBB9EF89700F0485A9D905AB251DFB05DD1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0311CE00, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb786359be818733349186c1bd675cfbe9603fcd30788fc1eb7e86674f74696
Instruction ID: 902c7ed3aecdaa183efc436a882cf354646eb7211cfbbc65f74680dd1fbca55e
Opcode Fuzzy Hash: feb786359be818733349186c1bd675cfbe9603fcd30788fc1eb7e86674f74696
Instruction Fuzzy Hash: F9311B34641209DBDB14DB94C994BEEBBB6BF88301F104178D5017B395CF7998858BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03115FC9, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d020e02a1e0ace039b327459c113b081c6a989a01b0f8d464f428098e8f71f1
Instruction ID: 9afcbd5cd91b09623e05dcf340dd33bbb3c9917dbdb875469eeedd5783512c41
Opcode Fuzzy Hash: 0d020e02a1e0ace039b327459c113b081c6a989a01b0f8d464f428098e8f71f1
Instruction Fuzzy Hash: CC314A356105049FC704DB68D850AA9B7F2FF88315F2544A9E606EB3B1DB75EC85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0311E0A8, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707a287ba47419cc06ecf920845d5aebf89401afda3820d789ce474859e967cb
Instruction ID: 953fab108e6af0b44118e8a8e56640a886150959e1cfb3b4f294ff415fb4780e
Opcode Fuzzy Hash: 707a287ba47419cc06ecf920845d5aebf89401afda3820d789ce474859e967cb
Instruction Fuzzy Hash: B12149323042519FC314DBADE45499AF7AAEFC976170940BBE908CB762CB31DC61C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 03110428, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e48d03f4eccae5f5a336cf1a12ef91473c11d4ababe582e1d111f31c20aeba0
Instruction ID: 963316ef0f7060f6cecc13f591da1dbf19219e4bd67f47f9bcaaee84c823538d
Opcode Fuzzy Hash: 2e48d03f4eccae5f5a336cf1a12ef91473c11d4ababe582e1d111f31c20aeba0
Instruction Fuzzy Hash: 9C315830E002188FCB14DF69C940AEEB7F6EF8C314F198469C509AB754DB34AD91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03118CBB, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb382ce0a6b7c83f687b94ed4f10bb549a7d54be63ad493d5b36c3cc7943dad
Instruction ID: 9ea62e00a98a5cd78571d31e156034bec97443cf4e0eddefcc5bb7d7e2a15ce0
Opcode Fuzzy Hash: ceb382ce0a6b7c83f687b94ed4f10bb549a7d54be63ad493d5b36c3cc7943dad
Instruction Fuzzy Hash: 8C21AD302187459FC700EF29CC8098ABBF6AF85308B45C969E645CB675DB70FD09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0311DFE0, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0da57df62425d93b0baf78d2678765807b73f448debed885d4a9d7f7a3e437
Instruction ID: 18ba6951460adb23e4773e8bb39416a65a64fd0c7007f0523d3093b51c7e4fd9
Opcode Fuzzy Hash: 0d0da57df62425d93b0baf78d2678765807b73f448debed885d4a9d7f7a3e437
Instruction Fuzzy Hash: 6121F830301600CFC728CF76D594A67B7B6BF88715368887CD84A8BB54DB36E852CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03118CC8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fbceb7669a78bb07c03bfc78a4b95c8d105e4383d0021fb5189add738c282f
Instruction ID: a08ca6212eec4fc3c68f54dafd7c26f78f7f3eda150fba74d7ac0dfad36acb43
Opcode Fuzzy Hash: 70fbceb7669a78bb07c03bfc78a4b95c8d105e4383d0021fb5189add738c282f
Instruction Fuzzy Hash: 1721BD302187459FC740EF2ACC8098ABBE6AF85308F45C929E6458BA75DB70ED098B90

Uniqueness

Uniqueness Score: -1.00%

Function 03110418, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb9aa99da48d51061c9689cd2efb360f4ca3f71026dc7080d11e26971cf9282
Instruction ID: 8dae77fc958da5307135ab07c0482b8c77f7d806b26efd89bcb9f6bc73fd9f1f
Opcode Fuzzy Hash: 8bb9aa99da48d51061c9689cd2efb360f4ca3f71026dc7080d11e26971cf9282
Instruction Fuzzy Hash: A7214830E00619CFCB24DF58C940AEEB7F5EF8C314F158479D509AB664E734A991CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031150D0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc32391749a31bd562d97a13193b294d413086211005c3a8a94f532c6ef1bbdb
Instruction ID: f09c4038478d20cba327055f0073b1823acb264898ffe7f7d89417dfbfd62e28
Opcode Fuzzy Hash: fc32391749a31bd562d97a13193b294d413086211005c3a8a94f532c6ef1bbdb
Instruction Fuzzy Hash: D3210834908209AFDB05DFE8D840AAE7BB6EF86300F0185BDC146AF291DB705D858B61

Uniqueness

Uniqueness Score: -1.00%

Function 0311AFC8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af79e2696c183d00fba87c834ee66edfb0de81a9a20f8d65ef33244055fe39ae
Instruction ID: feb1090c194833b9f42a38ab455bc703060343e468bfef72a02c00ed830aeb82
Opcode Fuzzy Hash: af79e2696c183d00fba87c834ee66edfb0de81a9a20f8d65ef33244055fe39ae
Instruction Fuzzy Hash: 8311E53770D2265FAB1599D9F840AEBF7A9EBD8270B14803BE914CA100DB32C86193D0

Uniqueness

Uniqueness Score: -1.00%

Function 0311D7A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84faf9ddd5b70200ccabac043f3a43f6b115d13f501dcfa048b4f779972b92a8
Instruction ID: eb790e50e535939490f0ae9cefd3a3552be68ccb4f1761978b00b9e1d1861e11
Opcode Fuzzy Hash: 84faf9ddd5b70200ccabac043f3a43f6b115d13f501dcfa048b4f779972b92a8
Instruction Fuzzy Hash: A311C131A001199BCB18ABA8C8696FFBBB69FC4304F158828D502A7385DFB45916C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 03116E37, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05695cfa589661b984439f94dcde0fbb46446ec5591e4fcc87362505c37d772a
Instruction ID: e1aa8ee5c73039f685af013b21cef19592d74c4f3fc7e6a4bc259c50d9be4cd5
Opcode Fuzzy Hash: 05695cfa589661b984439f94dcde0fbb46446ec5591e4fcc87362505c37d772a
Instruction Fuzzy Hash: 162190347112149FDB04EFA4E844BAEB7B2FF89301F1541B9E945AB2A1CB39DD91CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03117D20, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e0d04e0869f048f2484bd85f3a28fb0e504cba0e1d36aba9e9114431229068
Instruction ID: 7cdf422caa7d2694db6774f0712146063e0ffd47b1c949935186652f9698edba
Opcode Fuzzy Hash: c5e0d04e0869f048f2484bd85f3a28fb0e504cba0e1d36aba9e9114431229068
Instruction Fuzzy Hash: BB119430B001149FCB14DBA9D858AFEBBF6AF8D714F194069E001EB3A1CFB09C418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03115100, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ec472a6daad556aeb6277341210660b51e464a14898d6c8a6eecb2effeb820
Instruction ID: b155839b32e0ca954ebb8e5daab52723733e3a22ee86b07f0a5fa04d7823d2f9
Opcode Fuzzy Hash: 43ec472a6daad556aeb6277341210660b51e464a14898d6c8a6eecb2effeb820
Instruction Fuzzy Hash: A1119874A04209AFDB04EFE4D4447AE77B2EF84304F1186B9C259AF394DF705D858B51

Uniqueness

Uniqueness Score: -1.00%

Function 0311D050, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f6b83a77bcd281be7058a8d03f04b4e0a19c8daa7b6f83148996b50522bfe5
Instruction ID: 138e35169073a17927f10df975abdc64513eb58790f56568bc1d017d6acfc39b
Opcode Fuzzy Hash: 58f6b83a77bcd281be7058a8d03f04b4e0a19c8daa7b6f83148996b50522bfe5
Instruction Fuzzy Hash: D211CE31A042189FCF24CF68C8004EEBBF6EF8D200B0885AAD445E3710D730AC55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0311D3E9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b27484250fc1c1c234998068f5ebf6e5253e82a711367ec77801c2b7671af33
Instruction ID: c4df46391d93e8c299b25964c81a28af5add295d177f900acd8d40d682af4cf1
Opcode Fuzzy Hash: 5b27484250fc1c1c234998068f5ebf6e5253e82a711367ec77801c2b7671af33
Instruction Fuzzy Hash: 9901AD32D1461EABCB00DBA4DC404DEFB72EFDA311F164622E5113B160EBB12A5AC7E0

Uniqueness

Uniqueness Score: -1.00%

Function 03114CD0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5d461cba03b56284d865c1d364ab92e767b37d871b5ac5d728d0ff949510f3
Instruction ID: 235c261a0525a4f7fb2b8d943baca1bfc97c253b2d58f539507ae6ddc541d10c
Opcode Fuzzy Hash: 5e5d461cba03b56284d865c1d364ab92e767b37d871b5ac5d728d0ff949510f3
Instruction Fuzzy Hash: DB01AD30A012198BDF15DBA9D840BEEBBF9AF89300F14003AD908E7241DB748A55CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0311C1CB, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687f03104724051f38ae2d7600ec2cbabf23859dea37a748b83dae00406fe022
Instruction ID: f0a4d3b1d3cf7a137d36a9f2fd8678e81b5ca084917b061deeb2eff19cdd7534
Opcode Fuzzy Hash: 687f03104724051f38ae2d7600ec2cbabf23859dea37a748b83dae00406fe022
Instruction Fuzzy Hash: 2C01F775708644AFC704D768EC5089E7FA6EFDA210315447ED249CF2A5DBB15C4987A0

Uniqueness

Uniqueness Score: -1.00%

Function 0311B070, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6b46c0caf6f04b9bf5cb030c167c4276a1184191a9d194c8d4a7724d7be733
Instruction ID: 866f1179d398df084f6ee6d02e1ef35fa377d7ede3696e94e224ab9812372922
Opcode Fuzzy Hash: fd6b46c0caf6f04b9bf5cb030c167c4276a1184191a9d194c8d4a7724d7be733
Instruction Fuzzy Hash: B3014F35B08204ABDB14DA6AD404ADEF7E9DF98361F04C07BE819C7240DB75D951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0311BC94, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c515e98a16f10ccff1df19dd90dc9d36b0791c22deb8050e87838f3acb014e9e
Instruction ID: 48769cb5f0c7fd233118d3a778d38a6a4b9f519be607d4408b2c81667f8133d1
Opcode Fuzzy Hash: c515e98a16f10ccff1df19dd90dc9d36b0791c22deb8050e87838f3acb014e9e
Instruction Fuzzy Hash: 8A012B72A0C084EFDF05D7AC9CA0AE9BF72EE6E264349C2D2D5418B566E7218826C750

Uniqueness

Uniqueness Score: -1.00%

Function 0311D3F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555eede107e00fb79a88edcd997ba9403a86455b87bf6a951fb9a22bc9644788
Instruction ID: b4fd251638491f1311114e1591beae73e17fde0a75d65cf3d9e9cffe9fe95002
Opcode Fuzzy Hash: 555eede107e00fb79a88edcd997ba9403a86455b87bf6a951fb9a22bc9644788
Instruction Fuzzy Hash: 1A014832D1461E9ACB04DBA9DC404DEF776EFD9311F124626E61137160EBB1295ACBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0311C1E0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b41a1013427eeb4cd8caba64685ffa8f8b76c7f3b1f2cd39399903ac1eca5a
Instruction ID: 614ee536ce65beaef33f6fbca9b9e9880de8114dade0ad8134ceb78ec74a67d2
Opcode Fuzzy Hash: 42b41a1013427eeb4cd8caba64685ffa8f8b76c7f3b1f2cd39399903ac1eca5a
Instruction Fuzzy Hash: 2DF0C275304619AFC704EB59EC40C9EBBAAEFC9260740492DE209DB364DFB16C4887E4

Uniqueness

Uniqueness Score: -1.00%

Function 0311B6A2, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30a48fd9e729b548c326445937f8b489bf79a8f97a24d47de225b6e91d11c70
Instruction ID: 646b4093799699a01d3526a92e3ee82507aa8143cbefabf9b99631727b448648
Opcode Fuzzy Hash: d30a48fd9e729b548c326445937f8b489bf79a8f97a24d47de225b6e91d11c70
Instruction Fuzzy Hash: F501D239A182088FCF08CA98D580BADB3B1EF98314F158165E9059B3A1D730AD62DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0311CFF0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78011d2a9d52c084d53b91b7e5654d8468141e791bd5219dc11f33bd5454f218
Instruction ID: 549cdaa23761346bd377e43a3594f6526b8c14fb6f56fb51684d2b396dd41ad5
Opcode Fuzzy Hash: 78011d2a9d52c084d53b91b7e5654d8468141e791bd5219dc11f33bd5454f218
Instruction Fuzzy Hash: 81F0E2316047066FC313C62DE820AFA779A9FCA224709467AE585CFB00EB65EC1987D2

Uniqueness

Uniqueness Score: -1.00%

Function 0311AFB1, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7367d7c0e820eee442ff8e5f9ea5095b17a8a9144d286f2be62691ba4388da12
Instruction ID: 3ee275a1e74465e32e3434f33849c5e8b65e330322d95b7ed2c22f349c12367e
Opcode Fuzzy Hash: 7367d7c0e820eee442ff8e5f9ea5095b17a8a9144d286f2be62691ba4388da12
Instruction Fuzzy Hash: CFF0273650E3A36FDB13866898449EFAF25DFCAB20B1D807BE805CB152C7344852C791

Uniqueness

Uniqueness Score: -1.00%

Function 0311DFD0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e163d64217b88617a686d84096b612c08ef54f7dfa07c39b9c3e55b0f2673ce
Instruction ID: 53043a167e353ead4e64c4ea99b9030ebc6c8bd2bc7f8fc85d607fb8540bd94f
Opcode Fuzzy Hash: 6e163d64217b88617a686d84096b612c08ef54f7dfa07c39b9c3e55b0f2673ce
Instruction Fuzzy Hash: CCF09034205340CFC329CB79D4548677BB6FFC931132884BDD45A8B621DB32D882DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0311902F, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7858024ec02697c5658d15ef3c80798c29d3a6db2f2688566b6264e3c021c5
Instruction ID: ed069292e25cc4be27a2206be1271b6bf3554e064caadb38f7c8973c05271835
Opcode Fuzzy Hash: ae7858024ec02697c5658d15ef3c80798c29d3a6db2f2688566b6264e3c021c5
Instruction Fuzzy Hash: 2EF0BC79A51104CFCB08CF69E490DA8B3B6FF88324B2240A5E611CB372C731ED51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0311C17E, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338fdb325f66c3efb9e7abf24574deec47bff0f856e66f65bd76683b6989e8c6
Instruction ID: 57897f3a2e07db8f8adaadaa86c7599fa4f2e9b459059a98306d7bac8339f270
Opcode Fuzzy Hash: 338fdb325f66c3efb9e7abf24574deec47bff0f856e66f65bd76683b6989e8c6
Instruction Fuzzy Hash: F8F0153A640108DFCB48DF94D8949EEBBB2FF88224B14C169E90597214C732D861CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0311BC4F, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bcb62f22914cdde0ac6e3e4ca75b9336ba88888a23bd8676a477d9f47fc270
Instruction ID: f6f2d717af0782fe85b490f9908941b40379341112e0e8694c7e0f49fad8ac7b
Opcode Fuzzy Hash: 79bcb62f22914cdde0ac6e3e4ca75b9336ba88888a23bd8676a477d9f47fc270
Instruction Fuzzy Hash: 13B0923BA08008CADB10CB84B4417EEF720E794275F108027C21051400833102B98691

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0311E910, Relevance: 6.7, Strings: 5, Instructions: 429COMMON

Download Yara Rule

Strings

S+j^, xrefs: 0311ED54
s+j^, xrefs: 0311EB5D
c+j^, xrefs: 0311ECBC
%, xrefs: 0311EA81
C+j^, xrefs: 0311EDFC

Memory Dump Source

Source File: 00000003.00000002.577308204.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Similarity

API ID:
String ID: C+j^$S+j^$c+j^$s+j^$%
API String ID: 0-1363606606
Opcode ID: 38a2a7584fe1b85f9d18b9d1f6b2f21b9812d5a40bc321b9bf6192b81ecbafbe
Instruction ID: 3973c1022ccc785d2abcfb37c9e5037784075aba519b9e6ec5f3a92147a58e26
Opcode Fuzzy Hash: 38a2a7584fe1b85f9d18b9d1f6b2f21b9812d5a40bc321b9bf6192b81ecbafbe
Instruction Fuzzy Hash: 91E1B238B002158FCB14DBB8D9909AEB7E6EF8C604B148578D90ADF355EF34DC958BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 6980 Parent PID: 6708 powershell.exeCOMMON

Executed Functions

Function 009E8ADB, Relevance: 1.0, Instructions: 1033COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663322ec663019d10ff3797f021afa11366fef997ce1cf981ca516382cda450e
Instruction ID: caa0dad6e6498a94b294e1704987149101a0de2020e4846ef6c85fa317abd0c4
Opcode Fuzzy Hash: 663322ec663019d10ff3797f021afa11366fef997ce1cf981ca516382cda450e
Instruction Fuzzy Hash: 14B2F474A02329CFDB65DF25C844BA9B7B6BF89305F2044E8D40AA7B90DB359E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 009E0040, Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61b9fa6be01f54b4a10fe0df64fd5aa62307bf95caa798db6cf1499ce7c6d00
Instruction ID: cfeb4f1e4208c57bcdd7e8470e56ccd67db41bf255c53e2917672f71de98685a
Opcode Fuzzy Hash: d61b9fa6be01f54b4a10fe0df64fd5aa62307bf95caa798db6cf1499ce7c6d00
Instruction Fuzzy Hash: 22527A31A002599FCB15DF65C844BEEBBB6EF88304F1485A9E909AB351DB70ED81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009883E0, Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c2830ce3cf73bf7b7b9e4abbee3135c333c19b202831f3db966d72e83490c9
Instruction ID: f4363e399a7eabd0258901f7043d23a0cfebe5145c1039c080e953c988cdd1b4
Opcode Fuzzy Hash: 21c2830ce3cf73bf7b7b9e4abbee3135c333c19b202831f3db966d72e83490c9
Instruction Fuzzy Hash: 6F327B30A042098FDF15EFA5C890AAF77B6BF84304F648569E805AB391EF35ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0098E810, Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0c10a2e4eea2fa40bf9688a904f0abdad257a196476157196cc65a0632ca6e
Instruction ID: 47a6ba9994f0b28d85bd0e16d41cfda4e1275063cc991001bfbef50ec0f9b64d
Opcode Fuzzy Hash: 4e0c10a2e4eea2fa40bf9688a904f0abdad257a196476157196cc65a0632ca6e
Instruction Fuzzy Hash: 5F223034B002089FDB18EBB5C594AAE77F6BF88344F248468E902DB395DB79DD09DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0098AD60, Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b364ebfd2300ea694217dc6abacf62a7bcce822dcc25f234243259fec105ce26
Instruction ID: 3124a354e3c9f5f32bbf545ed17a57ea5366ec8c1a5fc549bdd922fb2a20f0d2
Opcode Fuzzy Hash: b364ebfd2300ea694217dc6abacf62a7bcce822dcc25f234243259fec105ce26
Instruction Fuzzy Hash: 88228B307042058FCB14EF68D894AAEB7F7EF89304F158868E5069B7A5DB74ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00986738, Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0489d8412220853cbdb209494e596ebceb7ef45b5d0bddcc9f862cacc886f4e
Instruction ID: b38ebdbf34dd8edcafcb74cc4df75119a6acb10c2bb7ef3585651be3a124b4b0
Opcode Fuzzy Hash: a0489d8412220853cbdb209494e596ebceb7ef45b5d0bddcc9f862cacc886f4e
Instruction Fuzzy Hash: 6AD1A375A042059FCF14EFA8D850BAEB7F6FF89304F148929E509AB390DB34AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0098C610, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d7e800bf3d903000a760d437a90d14da0a9f055deb881c89e47952d122f2f4
Instruction ID: c93e97f63585631b8b96cc52061b2c324fe6a47f618b533e7de75c1ee60e83e6
Opcode Fuzzy Hash: b0d7e800bf3d903000a760d437a90d14da0a9f055deb881c89e47952d122f2f4
Instruction Fuzzy Hash: 34A122B57043009FDB28AB748851B7B7AA7AFC5304F14C879D50A8B782DF39DD4A87A1

Uniqueness

Uniqueness Score: -1.00%

Function 0098F528, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83a9fa2b0a453651fec1466f3f7b200529ab2155745cdc7ae8d1b62549d2ad1
Instruction ID: ab39ca55a2528da63aa15dac8258c29343c1f8469f0a40ac16b7d8d3738d1529
Opcode Fuzzy Hash: c83a9fa2b0a453651fec1466f3f7b200529ab2155745cdc7ae8d1b62549d2ad1
Instruction Fuzzy Hash: 2BB18C71E007198FDB14DF65C85069EB7B2FF89304F2086AAD40AAB751EB70AD49CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0098A7D8, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662dab99ab529b9b56bf4d95f71d383dc01155d2ac6db22f26ef8589cc689379
Instruction ID: 96451620a1d0c505b4579d1bb0ae271d84d7af41ba8987e883350967739048f3
Opcode Fuzzy Hash: 662dab99ab529b9b56bf4d95f71d383dc01155d2ac6db22f26ef8589cc689379
Instruction Fuzzy Hash: FAC17070E04219CFDB14DF65C840A9EB7F2EF89304F2485AAD409AB755EB70AD89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0096E170, Relevance: 9.5, Strings: 7, Instructions: 761COMMON

Download Yara Rule

Strings

d, xrefs: 0096E95E
{0[m^, xrefs: 0096E51C
#", xrefs: 0096E2E1
k0[m^, xrefs: 0096E5B4
`qq, xrefs: 0096E4B0
\5p, xrefs: 0096E77C
[0[m^, xrefs: 0096E65C

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID: \5p$`qq$d$#"$[0[m^$k0[m^${0[m^
API String ID: 0-508009999
Opcode ID: 05a47b967fb3bf551dcb4d5180d112bc55c3f3da43ea184f3baeacf779f91421
Instruction ID: c7d6f610e80dc8383d7e4b1d6b1d99ef7af294ea474c1f279915f06176c0ddcc
Opcode Fuzzy Hash: 05a47b967fb3bf551dcb4d5180d112bc55c3f3da43ea184f3baeacf779f91421
Instruction Fuzzy Hash: 1F52A038B042058FCB14DFA8D590AAEB7F6BF89304F148569E906EB395DB34ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04383FFC, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 043855F8

Memory Dump Source

Source File: 00000005.00000002.544598393.0000000004380000.00000040.00000001.sdmp, Offset: 04380000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3ce261e9f506e27e899a1562dd54ac3f01290acfb502bf657b7024e50bdad84a
Instruction ID: d59605f24dce9162ddd4cd7ad1523f5efd4ee21ed32c816fc1e03b094e083491
Opcode Fuzzy Hash: 3ce261e9f506e27e899a1562dd54ac3f01290acfb502bf657b7024e50bdad84a
Instruction Fuzzy Hash: 2B2153B1D04619ABDB10DF9AC84479EFBF4FB48314F00812AE819B3200D734A904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04385580, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 043855F8

Memory Dump Source

Source File: 00000005.00000002.544598393.0000000004380000.00000040.00000001.sdmp, Offset: 04380000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f937edc780ca673a647f93fce2237872b5c27cb1020a83dc454cde956cf15740
Instruction ID: fdb9524a795d353d031f25eeebdc9a1cde27e2ad23231dfb6a3ba1994308644c
Opcode Fuzzy Hash: f937edc780ca673a647f93fce2237872b5c27cb1020a83dc454cde956cf15740
Instruction Fuzzy Hash: A42150B5C042599BDB00CFA9CA447DEFBB4FF08314F10812AE819B3600D738AA04CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00955DED, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0095893A), ref: 0095A53F

Memory Dump Source

Source File: 00000005.00000002.523019661.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f7a924bc0eaa9438bdab1188479d0423b243e69683339e1ce476197a3ca41df6
Instruction ID: 4ea5aac3cd7a1fae003a3c4fcfabaafd74336578b6e961b5b8d25729a75eb461
Opcode Fuzzy Hash: f7a924bc0eaa9438bdab1188479d0423b243e69683339e1ce476197a3ca41df6
Instruction Fuzzy Hash: BE1158B19043488FCB10CF9ED844BDEBBF4EB89314F20841AE919A7250D3746944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0095A4D8, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0095893A), ref: 0095A53F

Memory Dump Source

Source File: 00000005.00000002.523019661.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 2f4c5f7e2d14dc321a13c6acb59d8026507be23fc62c07490dda2097a1484898
Instruction ID: fde11586b6fb0ccad4c1b929fb1c45244589b2541aa5f2ab6e15a2eca63291ae
Opcode Fuzzy Hash: 2f4c5f7e2d14dc321a13c6acb59d8026507be23fc62c07490dda2097a1484898
Instruction Fuzzy Hash: 031118B19002488FCB10CF9ED448BDEBBF4FB49315F148519E918A7750D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00955DF4, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0095893A), ref: 0095A53F

Memory Dump Source

Source File: 00000005.00000002.523019661.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 51bfbf62af453779d4baa88a6b120ac17b98fae6009a6e4c6b48aa707121ff90
Instruction ID: 27b39df2da12d4939f5080ede4911f6ac5638bbdfdb0a84593ad5b3ee85f0c9a
Opcode Fuzzy Hash: 51bfbf62af453779d4baa88a6b120ac17b98fae6009a6e4c6b48aa707121ff90
Instruction Fuzzy Hash: 8A1115B1904649CFCB20DF9AD488BDEBBF8FB49314F208419E919A7350D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0098A37B, Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

tYm^, xrefs: 0098A4AF

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID: tYm^
API String ID: 0-3537765030
Opcode ID: ae65182244a4d9f6fd758b6c5411daa99f91c78a11245135581a96dcca46deb3
Instruction ID: 850a7e5f906693ec29c5bf316a9dc9f3459f10ae318064a8627b2b715f39c8bf
Opcode Fuzzy Hash: ae65182244a4d9f6fd758b6c5411daa99f91c78a11245135581a96dcca46deb3
Instruction Fuzzy Hash: 3B8187347142009FEB04DF28D495AAEBBF2FF89314F1585AAE5059B361DB71ED40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0096AB33, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

XEq, xrefs: 0096AB8B

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID: XEq
API String ID: 0-937581808
Opcode ID: b25cd9a5d52e134bf72c75dc30a4fcdc040f6e079f69799bcd4ca4ddc4f45e92
Instruction ID: ae19c6932b7a211828b68b0de03edb8a4edaf751350e8233fa7fc88f2a23aca4
Opcode Fuzzy Hash: b25cd9a5d52e134bf72c75dc30a4fcdc040f6e079f69799bcd4ca4ddc4f45e92
Instruction Fuzzy Hash: 620124B23082005FCB01D76CAC4489EBBA3EFC6364345496AE205DB2E2DF385D0587A8

Uniqueness

Uniqueness Score: -1.00%

Function 0096AB48, Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

XEq, xrefs: 0096AB8B

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID: XEq
API String ID: 0-937581808
Opcode ID: 9e8e81a56e67d473410cc15c29c3c37314d16a8cd074d1c27ef5f66c4e9b9eee
Instruction ID: 32b08bbc62bcbc66925c377804a3013acc6ad6f9745e1d6cd7ad9151c94dcbf7
Opcode Fuzzy Hash: 9e8e81a56e67d473410cc15c29c3c37314d16a8cd074d1c27ef5f66c4e9b9eee
Instruction Fuzzy Hash: 59F0A472304114AB8704E75DEC4189EBBAAEBC53547504939E205DB294DF355D0087A8

Uniqueness

Uniqueness Score: -1.00%

Function 00963DA0, Relevance: .8, Instructions: 792COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0145cbb95cc7fb9400e39612b880fb1fd53292bdfda7d72866a98d869e0cd6d
Instruction ID: 8e41e6137675efda16a0a166ffe9c2344e8b0644f89a21c1699447eb4aebe6e7
Opcode Fuzzy Hash: f0145cbb95cc7fb9400e39612b880fb1fd53292bdfda7d72866a98d869e0cd6d
Instruction Fuzzy Hash: 2062B134A00219CFCB15DFB4D8556AEBBB6EF89304F2084AAE9069B391DB35DD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00965030, Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38472f67e8c443873eaeab45682dad457ad9f54913cdcdf06d2fa26dff04ee41
Instruction ID: 7c77815539678685c1f85172ab1c43f368b8b26b248739a9e6c597791f170f5a
Opcode Fuzzy Hash: 38472f67e8c443873eaeab45682dad457ad9f54913cdcdf06d2fa26dff04ee41
Instruction Fuzzy Hash: 11523974A00218DFCB25DF64D894BE9B7B6FF88305F1585A9E909AB3A1CB349D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 009E7CEA, Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e7aea3eef5bdf118cff00060faf3a83c230d783ec7f10cccf336ec1bfa5e5d
Instruction ID: 69def5fef7f095cc14e6671d4d9520b48c0c7def48ba7ef5dc05cede9856add6
Opcode Fuzzy Hash: 99e7aea3eef5bdf118cff00060faf3a83c230d783ec7f10cccf336ec1bfa5e5d
Instruction Fuzzy Hash: 157231B4E016298FCB60CF28CD84B9ABBB1BB49305F1045EAE90DA7351EB355E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00960458, Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0893717601abc374cdf4c82ed978b0849e0dd4c9384bdeee5535b69a115631b
Instruction ID: 5e08f187809be615538ebd9d4001a453a5819cf0342e8bf7c4a29a1d08900c92
Opcode Fuzzy Hash: e0893717601abc374cdf4c82ed978b0849e0dd4c9384bdeee5535b69a115631b
Instruction Fuzzy Hash: DE228074A042558FCB15CF68C484A5ABBB2FF89314F1A859AD8499B356C730FC86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00967750, Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a2adb534ca0bc68925353b1abe46b711ee3cbb5dbf46836de42cd4499cf5e5
Instruction ID: 92375c6b83e0f560120f155cec85fa18c74f58251b54904a58da2e00337742f3
Opcode Fuzzy Hash: 99a2adb534ca0bc68925353b1abe46b711ee3cbb5dbf46836de42cd4499cf5e5
Instruction Fuzzy Hash: 25E10135B042149FCB14DBB8D8547AEB7B6EF84319F248569E5069B791DB389C02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00989298, Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f194bb61e35f24d9161d7a794d230c35471ec598c94084c2a1b6baf6e8aaa697
Instruction ID: 5a5840007123e646bf04504c3b6f8b64e22eb86e27c101489ff1fb1b74ce2419
Opcode Fuzzy Hash: f194bb61e35f24d9161d7a794d230c35471ec598c94084c2a1b6baf6e8aaa697
Instruction Fuzzy Hash: BC123A34A01218DFDB64EF64DC94BADBBB6BF48304F1445A9E80AA73A0DB349D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00960FE8, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4b1f9330ef234262e35b743ddcad1d74f79e8c51fea0d480046f285aa8954d
Instruction ID: e31413a81637a2b39dc1e55ab760beeb641765b2b2695d4ece7c2ee71687f12d
Opcode Fuzzy Hash: ad4b1f9330ef234262e35b743ddcad1d74f79e8c51fea0d480046f285aa8954d
Instruction Fuzzy Hash: 7CE18E34A04209DFCB14CF99D494AAEBBB6FF89314F198569E905AB761CB31EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009E7187, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5165e78979991cf0225db60723fa93ab139e323d6352b2f6c68ad59db5c3a034
Instruction ID: 57ce984e23ef3c823460e57357d1f70d2e48b1c1a590cb7cca7105a3fc87d9ec
Opcode Fuzzy Hash: 5165e78979991cf0225db60723fa93ab139e323d6352b2f6c68ad59db5c3a034
Instruction Fuzzy Hash: 9602A1B4A012298FDB65DF64C984B9DB7B5BF48304F1081EAEA09A7351EB309EC1CF45

Uniqueness

Uniqueness Score: -1.00%

Function 009EDEA8, Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601d1955f09a3a07ba85b7810c71077981e0d66ea3da67cd110626aaaa7b1316
Instruction ID: f16c0d9e66daa912a8f3dfd6c82d6afc136ca41efd5bb1d9f1fa5cfc0072c9df
Opcode Fuzzy Hash: 601d1955f09a3a07ba85b7810c71077981e0d66ea3da67cd110626aaaa7b1316
Instruction Fuzzy Hash: B3C1D335A082958FCB12CF69C88499ABBF1FF4A310B1585EAD445DB3A3C735EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009662A8, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d22a4251d9fc8232d2efdb74c1b079cfb3444c4bb6de9b466e3df899abeb772
Instruction ID: 3ed07473ebe6d197888216408453224651fde729d7c93d678516e0d9396c3652
Opcode Fuzzy Hash: 0d22a4251d9fc8232d2efdb74c1b079cfb3444c4bb6de9b466e3df899abeb772
Instruction Fuzzy Hash: A2B1A170A042059FCB05DF68C980AAEBBF6FF89304F548969E5059B7A5DB34EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0098FD20, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab63b31347edaccc606b4d1f6e53cddbe1840c0db7b3ec0031c265983213b26b
Instruction ID: 98dc1be3a47c3e59dd42ae064c0326c493341cd5f27da69833367d620c882442
Opcode Fuzzy Hash: ab63b31347edaccc606b4d1f6e53cddbe1840c0db7b3ec0031c265983213b26b
Instruction Fuzzy Hash: 3981E231B002198FDB14EB69C850BAEB7BAEF85304F148479E515DB792CB34DC468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E0006, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46cb7329fedfed9eb46da1c48b1f7e7416dc225fe2ecdbf2b8a1349651283d9
Instruction ID: d34fed7d17dedc4e94de90235575cf9ba79ea221651c7b51ef4e5472ff996e70
Opcode Fuzzy Hash: a46cb7329fedfed9eb46da1c48b1f7e7416dc225fe2ecdbf2b8a1349651283d9
Instruction Fuzzy Hash: 27B16835A013499FCB51CF65C880B9ABBB6FF89300F158199E948AB362DB70ED85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 009E2140, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3723eba479be2171906fcbb29cfe38a29a3dccbfd3ee78f8c23c5980b84b3bd8
Instruction ID: a54c390967c51dbcb07edc1f5179b75326d1ca804e1c742e323a5d8d425429e7
Opcode Fuzzy Hash: 3723eba479be2171906fcbb29cfe38a29a3dccbfd3ee78f8c23c5980b84b3bd8
Instruction Fuzzy Hash: 0671AE717002548FDB15EB79E8517EE77AAAF88704F108439EA06DB791EF35EC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 00966298, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2dd40ccd6122fa2c602292d9f94c2d6c3cc583b02dcf00568a2017b06680cf
Instruction ID: 7d6ec9e84759dd8cafb329cf7ef4853fc6ddfc6083e7af75782d0e14d63efb5e
Opcode Fuzzy Hash: fb2dd40ccd6122fa2c602292d9f94c2d6c3cc583b02dcf00568a2017b06680cf
Instruction Fuzzy Hash: 96A1BF70A042059FCB14DF68C980A9EBBF6FF85308F248568E5059B765DB31EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0098AD4F, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094ced39a925a919eb0fac26b7e456aa8e08f8919f0aa8c238361b1586ba6a7c
Instruction ID: 566f14632bfc99767fead1b06663da23473e586eb5ea9b0dbc9fe3ea05b9a643
Opcode Fuzzy Hash: 094ced39a925a919eb0fac26b7e456aa8e08f8919f0aa8c238361b1586ba6a7c
Instruction Fuzzy Hash: CA918E307042058FDB14EF69D894AAEB7F6BF85304F198969E402DB7A1DB74ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009EA483, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01c83fe5233c21d698a31da150c068cd710f5d35ed1d02c612f6ac3b81cf747
Instruction ID: e8076f1f9fd81b7214388434b61ed9dae6eebfdf65979dd15a006579df089a3d
Opcode Fuzzy Hash: c01c83fe5233c21d698a31da150c068cd710f5d35ed1d02c612f6ac3b81cf747
Instruction Fuzzy Hash: 8581DE307042549FCB159B79D814AAEB7B7EFC4314F25882DE9068B7A0DF35ED058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00983B80, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fdebd5b6151ee61696708d129459f8e3dcc0bb784f57ce96add5117ab224cf0
Instruction ID: 39eec02c01976c01a07cb6ba785421ccc43d4c51f34c4431ae0da241a1f99ad7
Opcode Fuzzy Hash: 4fdebd5b6151ee61696708d129459f8e3dcc0bb784f57ce96add5117ab224cf0
Instruction Fuzzy Hash: AE91A0307002058FCB14EF78D854A6EB7B6EF88704B21856DE906AB7A1DF75ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0096F1E0, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37f802812a96d8b0acd345ff923577873e74cd07f77118ac1f6bd4b82d4af41
Instruction ID: 78535b5628e761378dd078dbbf3faf91dd470cbae57370c1aac73ebd84771689
Opcode Fuzzy Hash: b37f802812a96d8b0acd345ff923577873e74cd07f77118ac1f6bd4b82d4af41
Instruction Fuzzy Hash: 80812E31D04515AFCB11EB24D8A899AFB76FF09300B4589B5E46567A71CB32ECA1EBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00989E1F, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7bbd553c5501d7857b9aed8738786f9e61a47cd8557f2c540c65d002eb5bfe
Instruction ID: afd74f7a43258ccbfa680a3a04489f500e6564edc94b4b18a64c00d27c114180
Opcode Fuzzy Hash: 4a7bbd553c5501d7857b9aed8738786f9e61a47cd8557f2c540c65d002eb5bfe
Instruction Fuzzy Hash: 12B11634A00258CFDB64DF65C898BAD7BB6BF48305F1485A9E50AEB3A1DB349D81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00965FC8, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae02f6df38fc66b685b1acc5bd9a7e83722f8f6f4729ee75a0124e570c4d5419
Instruction ID: 7eba986313895ceec8f664ba362a9180fd90087cfe63d49faec667617663b699
Opcode Fuzzy Hash: ae02f6df38fc66b685b1acc5bd9a7e83722f8f6f4729ee75a0124e570c4d5419
Instruction Fuzzy Hash: C1918C79704601DFCB05CF64C584AAABBF2FF88304B118568E9198BB62DB35EC55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00966BA8, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33960c9a1e31a01e36fa5a61c28c30e39f7b3f938e624d7550e0ec13f214e7ee
Instruction ID: 2f86b1de13f6657355b728110a2eee95843fd1c64bde6126b704cdfb829d37a1
Opcode Fuzzy Hash: 33960c9a1e31a01e36fa5a61c28c30e39f7b3f938e624d7550e0ec13f214e7ee
Instruction Fuzzy Hash: 89817C757002149FDB04DF68E894AAEB7F6EF89301F148469E506EB390DB35EC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00983188, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83aeafd137ad2013094f714d483c44df8306c3428c46bb925e0c1e7c135a43a
Instruction ID: e3e314c694d99d7ab08d4345378b5cb95ca3aac2c97dbf01f982cd1eacdcc4af
Opcode Fuzzy Hash: e83aeafd137ad2013094f714d483c44df8306c3428c46bb925e0c1e7c135a43a
Instruction Fuzzy Hash: 0E71BE34B001018FCB14EB68D991A7EB7E3EBC9304F158878E50ADB345DF38AD428B91

Uniqueness

Uniqueness Score: -1.00%

Function 00965566, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc1947cefbbcfb9d4414ff66ee5331fafa0347b2e5a2cbef911654e48985fcb
Instruction ID: 2170cc474a101efcbece5926b8861462e7ed280e2a28676172e0834bfbeac06c
Opcode Fuzzy Hash: 3fc1947cefbbcfb9d4414ff66ee5331fafa0347b2e5a2cbef911654e48985fcb
Instruction Fuzzy Hash: 8A914E74A00618CFCB25DF68D984B99B7F2BF88314F1585A9E9099B391CB74ED81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 009E1A20, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62db8039c642ff42ad07b1b833a9a1fc8b9b9ffde382db1b00eea9eba1b5c47a
Instruction ID: 62492287439e7681a4234b7bc5580b5330420320d44f892746ab0eb830344022
Opcode Fuzzy Hash: 62db8039c642ff42ad07b1b833a9a1fc8b9b9ffde382db1b00eea9eba1b5c47a
Instruction Fuzzy Hash: B081CF70A00249CFDB05DFA5D850AEE7BB6FF88304F248529E906EB754DB75AD16CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00965FD8, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9873edceaabc351ce6bca5f962817a40ff487c84d9c4f46eb69718ffd4400d
Instruction ID: 703e0fce3758c0fbc912c5675aeca9cada11602637087ec33508b39807dba8f6
Opcode Fuzzy Hash: 0c9873edceaabc351ce6bca5f962817a40ff487c84d9c4f46eb69718ffd4400d
Instruction Fuzzy Hash: C9915A78700605DFCB05CF68C584AAABBF2FF88304B118568E91A8B762DB35EC55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00965828, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89c129dcd0b48e7863aee442736a339e733c9d625521e9392180f69f924ad4c
Instruction ID: 8d136fd8701f0874bdfe8510400001c4ced0da78dd60efc9b28f9e838ecd86c5
Opcode Fuzzy Hash: a89c129dcd0b48e7863aee442736a339e733c9d625521e9392180f69f924ad4c
Instruction Fuzzy Hash: 26914C74A00618CFCB25DF68D994B99B7F2BF88314F1585A9E9099B3A1CB34ED81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0096A150, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602c36aee79fe1efc4b771abc6e5068dcd83c6e55e907855d516a74b82f9ac4b
Instruction ID: ea090037bac092168b9e1bf33fbbc12f2dbd1e313b63c6ce35c9691e97cfd8fe
Opcode Fuzzy Hash: 602c36aee79fe1efc4b771abc6e5068dcd83c6e55e907855d516a74b82f9ac4b
Instruction Fuzzy Hash: DC810A34A042099FDB04CF98C894BADBBB6FF88324F188565E815AB365DB759C41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009EDB68, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63ec15fcbb25f6f4e24597e42a639404dcddf0bf0d15b794a5989acaae45ca4
Instruction ID: b377a5a92e95d4503f1113beeb92d9bd53680aad8f76065e33a2cd82cf170a37
Opcode Fuzzy Hash: f63ec15fcbb25f6f4e24597e42a639404dcddf0bf0d15b794a5989acaae45ca4
Instruction Fuzzy Hash: 7B718870F043499BDB09DFA5D894BAEB7B6BF85344F204429E409AF791DBB0AC45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00968AF8, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b16133ec0f8ee7a32cf30d2c518870e609de92c8c0d9d40111d15713c0d21f
Instruction ID: 2129319e228e4081309fbc4759df5adcc39cd76a91be9b5eb482af03864fab05
Opcode Fuzzy Hash: 37b16133ec0f8ee7a32cf30d2c518870e609de92c8c0d9d40111d15713c0d21f
Instruction Fuzzy Hash: F9816AB4A052149FCB14DFA9D584AAEBBF2EF48310F158559E905EB3A1CB74ED01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0098A7C8, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6341d10bce3486d2217a51176f1b2841d52c85363fc1fd28eec1500a5331aca4
Instruction ID: 6ff27f96b253586f58ea031c5ba4f78a5445fb889fab5d11333e5c674ef5d92d
Opcode Fuzzy Hash: 6341d10bce3486d2217a51176f1b2841d52c85363fc1fd28eec1500a5331aca4
Instruction Fuzzy Hash: 1261C170E04204DFEB14DF65C840AAEBBF6AF89304F14846AD409EB755EB30AD45CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00969E20, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8686a3824578984035d5892feb7baa2164cb7924ed2b021f7c8502d9b8ef79d1
Instruction ID: edc35f09f5edd630823356ea2743c8c387ac30292640de027be11d8dd17f9432
Opcode Fuzzy Hash: 8686a3824578984035d5892feb7baa2164cb7924ed2b021f7c8502d9b8ef79d1
Instruction Fuzzy Hash: 18513C75700204DFCB54DF69C484A6AB7F6FF88324B158469E90ADB3A1DB35EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009EBF20, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c476b976b68dbcc2c572324939129c78ce55af12fa13f87160ab72085036671b
Instruction ID: 9e0538215f917c13b96b70292e7fe49a462182e6068bb81acebe97a5e74d98bf
Opcode Fuzzy Hash: c476b976b68dbcc2c572324939129c78ce55af12fa13f87160ab72085036671b
Instruction Fuzzy Hash: 014156717042548FCB1AABB8A8293BE7BA7EBC5305F10487EE106C7381CF798D068791

Uniqueness

Uniqueness Score: -1.00%

Function 0098CA8F, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00ccb38d5b8b36554faf5be96e502cd5cbbd45dba528df09705322be5e58bed
Instruction ID: c68a8f96caa95bac89f1c0c937a43a0f19b944a9a5fe7b7035ced4984df21b85
Opcode Fuzzy Hash: d00ccb38d5b8b36554faf5be96e502cd5cbbd45dba528df09705322be5e58bed
Instruction Fuzzy Hash: BD514C706012049FCB59EF78D45179EBBF2EF8A300F20846DE509AB391EB369D45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009EDF70, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38c3fe1c46b5babc112f3ac4af61cb1fa49e2185fea9fc5848c47a62d745882
Instruction ID: 280e41f7bd147aca847cd44bfdd48caeb4c2e5d5960a79e84aa05428f421651f
Opcode Fuzzy Hash: e38c3fe1c46b5babc112f3ac4af61cb1fa49e2185fea9fc5848c47a62d745882
Instruction Fuzzy Hash: BE51CA70E042158FCB10DF6AC9849AEBBF2FF89311B248969D819E7351D771ED02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098D1A0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42d5c53b9b3c71ee73fbc0907802a1f13a7fd2e1ca96c93bcd1863bed83986a
Instruction ID: ffc2a3bb6eb61d4ac1022b63cddc1073db25e3632fb7f76eaadfee3ee0ec1990
Opcode Fuzzy Hash: c42d5c53b9b3c71ee73fbc0907802a1f13a7fd2e1ca96c93bcd1863bed83986a
Instruction Fuzzy Hash: C341222260E3D01FD707A77858B59D6BFB59E5726870A48E7C0D4CF5A3EA189C0AC372

Uniqueness

Uniqueness Score: -1.00%

Function 0098F517, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8e663ce73163b33e652fd099622a14dd3abcf0c715124bbc394b40953db751
Instruction ID: 7ca429d3568b1dcdc6e43a6deb35ce8ddecafce76318a519fab8aa6808e83583
Opcode Fuzzy Hash: bf8e663ce73163b33e652fd099622a14dd3abcf0c715124bbc394b40953db751
Instruction Fuzzy Hash: C9417F71A006188FCB14DF69C950ADEB7F6FF88304F248569E506EB360EB30AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0098CAA0, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577e187ca2a674e63375f3f8f20fad4aee0b024678c6ebe02369cb3cbc3a961b
Instruction ID: 3a5c66f7245c5690307f9534a7e6be698461912fa20012d3ed3f19798598b69f
Opcode Fuzzy Hash: 577e187ca2a674e63375f3f8f20fad4aee0b024678c6ebe02369cb3cbc3a961b
Instruction Fuzzy Hash: DC413A70601204DFCB58EF78E451A5E7BF2EF89300F20846DE509AB391EB3A9D45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00965979, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51398178dcb1d2f79c444258b3032c6773529726aacf4c391b8c70eb4349235
Instruction ID: 88a4a475b760174f38b7a37336bc7fe01f651ef887b2478ebfd425c9907340ee
Opcode Fuzzy Hash: c51398178dcb1d2f79c444258b3032c6773529726aacf4c391b8c70eb4349235
Instruction Fuzzy Hash: A9513F34A00618CFDB25DB64D894BE9B7B6BF88304F1545E9E509AB391DB34DD81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0096BE00, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f43936afb7f4273b74c1f755bba811008be3676cfd43727e8a28c08ea9b5b8
Instruction ID: 5bd6d9c215c60a2d8a5f2235a90fc639f4cbbde985ca97fa90ad1cfa6c9cf582
Opcode Fuzzy Hash: d6f43936afb7f4273b74c1f755bba811008be3676cfd43727e8a28c08ea9b5b8
Instruction Fuzzy Hash: FB41AF71A007548FDB21DF29C8406DEBBF5BF89300F148A6AD496EB791D734A884CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0096B628, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ca7e0e55e160b01b538ab4e33b21ff9ebf71af168bb5aec50f23fe589970fb
Instruction ID: a51901809c3620184ffca0f9da9ddf609194920945fd8aa021c8a9fde6e8b305
Opcode Fuzzy Hash: c9ca7e0e55e160b01b538ab4e33b21ff9ebf71af168bb5aec50f23fe589970fb
Instruction Fuzzy Hash: 6F415C74601204DFCB54DB79E54575D7BF2AB8A301F10886AE60AE7380EF3698458B65

Uniqueness

Uniqueness Score: -1.00%

Function 009E2418, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fe84084693752d4612b8a105d6732089b2e011aa844671312491237bfe50e9
Instruction ID: 9e7cc926ff791fcbbb3191f6a6426468e5c4a45962f6821d6a270a58d487574d
Opcode Fuzzy Hash: 97fe84084693752d4612b8a105d6732089b2e011aa844671312491237bfe50e9
Instruction Fuzzy Hash: E4318B357013058BDB259F26C9547BBB7EAAB88384F244539E906D73A4FB38DD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0096B638, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ab282280bc8ee205f6539115dd16cb407c90d76219793d959eeadc95e52f87
Instruction ID: 0a43d418e2086a6fe5aed2726d56ace7db8aa2e6deb611f8f9e9b7ef10096abf
Opcode Fuzzy Hash: 49ab282280bc8ee205f6539115dd16cb407c90d76219793d959eeadc95e52f87
Instruction Fuzzy Hash: 53414A74601204DFCB58DB79E54579D7BF6EB8A300F10886AE60AE7380EF3598458B65

Uniqueness

Uniqueness Score: -1.00%

Function 009E2408, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74258be81dfe4a5b34fa13b9b4a6ad5a84909526b2f4c1a17b612240f4cd3176
Instruction ID: 9a561c5d317b5bd80526d83d774a8ac505a8019bc232bfbfd5bc650351a20aa0
Opcode Fuzzy Hash: 74258be81dfe4a5b34fa13b9b4a6ad5a84909526b2f4c1a17b612240f4cd3176
Instruction Fuzzy Hash: 7731AE356013448BCB268B3689447BB7BEEAB88344F248429D806D73A5FB38DD05C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00960EA8, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420736bde86164bf3a2341bb0f055c8b417274f8e8fa4da3b2677e6f77b67583
Instruction ID: 433e6bcdb7bed14cb247b6c6cb4ff27decc0223e886ed7fadca35126ead73e5c
Opcode Fuzzy Hash: 420736bde86164bf3a2341bb0f055c8b417274f8e8fa4da3b2677e6f77b67583
Instruction Fuzzy Hash: 35419F746042158FCB14DF5CD8D49ABB7B5EF98310B158A69E909DB361C731EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E1EC8, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ddf8340fdede0b8eebc751d98d26102a0ae7e5e0983aec46a9db2f7054de59
Instruction ID: 6219d16996d8919000bacd59194be2c403fc747db4319d404e719946f2f1724c
Opcode Fuzzy Hash: e8ddf8340fdede0b8eebc751d98d26102a0ae7e5e0983aec46a9db2f7054de59
Instruction Fuzzy Hash: FE31E231E052499FCF15CFA5D8407EEBBB6EF89304F20842AE501AB790DB719D46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009EA710, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476bb08743b1699b25e75fdf684e156724ff3c22dfdb63721f4e40dad8e721b7
Instruction ID: 16c2e550dbba922473ea84adfc3f5a4eb0ca54e06a8351832695be8946a09020
Opcode Fuzzy Hash: 476bb08743b1699b25e75fdf684e156724ff3c22dfdb63721f4e40dad8e721b7
Instruction Fuzzy Hash: CC31AD35B001208FCB15DB3AC950A6E77F6AF88744B25486DE406DB3A1EF35ED05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00960920, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e057f22966345b7ba30e2e3d29f1ca243aadf63f62b2d52deea54aa1d3915b91
Instruction ID: dab5a054c521ab9518b5ab61b484332d089d582f0d56a9d1b504ec9237e83422
Opcode Fuzzy Hash: e057f22966345b7ba30e2e3d29f1ca243aadf63f62b2d52deea54aa1d3915b91
Instruction Fuzzy Hash: E841FD30B083459FDB10CF64C58876BBBB2BB85391F1885B8D88997A82C7789D59CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0098A8E1, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecba3a8666a1e9242533797e74ba2ca8ed8ff13160d4e7f1f6bb4a8706fcc0e
Instruction ID: 7ce193683746653506e4014196482f2a10f6a6e29ee9f0a1e0643cec55798f8a
Opcode Fuzzy Hash: 2ecba3a8666a1e9242533797e74ba2ca8ed8ff13160d4e7f1f6bb4a8706fcc0e
Instruction Fuzzy Hash: DC41CC30A04209CFEB14DFA4C940BDEB7B6AF89304F24856AD406EB754DB74AD89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009EBDD0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6860b650e599dacf87aaa642a98aa354c1786158364e1178de4bd3659ba8ad
Instruction ID: 408e649ff45ce9fbdb3d5b5bcc0d0f1b8788bd5232b02107b7dd136b997fd33f
Opcode Fuzzy Hash: 3e6860b650e599dacf87aaa642a98aa354c1786158364e1178de4bd3659ba8ad
Instruction Fuzzy Hash: 6931F6317082108FCB05AB69E8152AE77B6EFC6311F1589BED249CB691EF385D068BD1

Uniqueness

Uniqueness Score: -1.00%

Function 009E25C0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d482116c33b2e91b5700b23147cea8b32c521ebfee32755ad09b432799c9299
Instruction ID: d68feb62f0f8ae4d336db9e61caeaea1131c8a7726bd7900da89fd396784d2e7
Opcode Fuzzy Hash: 7d482116c33b2e91b5700b23147cea8b32c521ebfee32755ad09b432799c9299
Instruction Fuzzy Hash: 57318F31B041198FDB15DF69C840BAAB7BAEF88710F248576D909DB391DB35ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00969E10, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a67aefe9c1ff898270c7f4a0a2bc8334275fd9ea93f6b04ab40a0ed623021d4
Instruction ID: 4134aff4abcead1ef91a121ae6ca407340ff07a49b9081304d21ef039702ac35
Opcode Fuzzy Hash: 3a67aefe9c1ff898270c7f4a0a2bc8334275fd9ea93f6b04ab40a0ed623021d4
Instruction Fuzzy Hash: 3431FB75A00204DFCB15DF68C884AAABBF9EB48325F148469E9099B361D736EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0096AA10, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6e2f3ce016a92ac75fb7d415dedc3c3e94fbf0e0a455e1ec3b2efc088df932
Instruction ID: 95fc7e8c9b770b40df90c1e8e2502fd6c1ba6c307bb10253d41d0464aa5d6c9d
Opcode Fuzzy Hash: aa6e2f3ce016a92ac75fb7d415dedc3c3e94fbf0e0a455e1ec3b2efc088df932
Instruction Fuzzy Hash: 6E314D71B002059BCB04DFA9D8956AEBBB7FB88310B14C42AE916EB354DB749D05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009EAF30, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b913f5a268e1c8cd76556671651c5e791d1619a71e2226b71f27e3c182ea7e44
Instruction ID: 17decb4dd862359b72e57571c42ca18ba25550da0ddd138c54303bfa949b35ca
Opcode Fuzzy Hash: b913f5a268e1c8cd76556671651c5e791d1619a71e2226b71f27e3c182ea7e44
Instruction Fuzzy Hash: D021BFB1B002159FDB119F69C8417AAB7E9EF88350F108875E909DB391D735ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0096B7F8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f437a93e0a4fbeed71f1eb86ff279e067a045557b3d69fb8bf25b3bc3dcffd
Instruction ID: 852336ea9679aaf11ad7575747ac9131d5b2650f3735cddda2d670cdc4b6dc21
Opcode Fuzzy Hash: 39f437a93e0a4fbeed71f1eb86ff279e067a045557b3d69fb8bf25b3bc3dcffd
Instruction Fuzzy Hash: C8317C71A00218DBDF05EBA4C895BEE77B2EF89305F208479D105BB390DF799946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00965E21, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc2a144eaafd45ae60745ccfd16a6ea452d8983c12e21f3e3f79553040f74af
Instruction ID: 8c48aa099294f246bfb91865c5cb9da75cda845ea83283dba172850396aedcf8
Opcode Fuzzy Hash: bbc2a144eaafd45ae60745ccfd16a6ea452d8983c12e21f3e3f79553040f74af
Instruction Fuzzy Hash: 34319A352005109FCB04DB68D850AAD77F6FF89309F2584A9E106DB3B1DB31ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0096D888, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c401baf4b06e6b9a5c3425a81dc1bd89f9bb9c59b979af340203a232680bea9
Instruction ID: bacd079ac3eeff72d7c6c86426ab15d9a5d4d7dedcc4c08a264c0a66b7c86b14
Opcode Fuzzy Hash: 9c401baf4b06e6b9a5c3425a81dc1bd89f9bb9c59b979af340203a232680bea9
Instruction Fuzzy Hash: FD214632B022559FC3159B6DE448A56BBAAFFC5361B0581BBE418CB762CB30DC02C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 009E1D88, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f756605505d3cf78e3f1fedc1be7e0a791b1dfc1de310010651c9f762febd6
Instruction ID: 983eca99312c0a9c5be894ba6ca35be2b7cf59682e91d5cfea69c777d740c833
Opcode Fuzzy Hash: 62f756605505d3cf78e3f1fedc1be7e0a791b1dfc1de310010651c9f762febd6
Instruction Fuzzy Hash: 612189B1B042148FCB44DF3DC841AAE77E6AF89300F1584B9EA09DB3A1DB34DD018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E06DE, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83874a1b3a4099b4195a07b5c3aa47b0cfdd7feb7ee412699775aff08362eb10
Instruction ID: c23293648eff02d0571982892d5a94fd3efd806fe592b17ac75c400a87c9451b
Opcode Fuzzy Hash: 83874a1b3a4099b4195a07b5c3aa47b0cfdd7feb7ee412699775aff08362eb10
Instruction Fuzzy Hash: 34314334A00219DFDF11DF64C984BAEBBB2FF89300F104594EA45AB262C7B5AE90CF51

Uniqueness

Uniqueness Score: -1.00%

Function 009689F8, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2430bf2a153cdb1e2ffd63e99d5f4802b809c0f71f5aecbb0cf02b5da7c73951
Instruction ID: 24338ce8e697e101c3ce5d6ef6711530653317428680d84e5804e151d5d0f2a9
Opcode Fuzzy Hash: 2430bf2a153cdb1e2ffd63e99d5f4802b809c0f71f5aecbb0cf02b5da7c73951
Instruction Fuzzy Hash: 3C21F3312183959FC710DF29DC40A8B7BE6AF86308F458D6AE546CBA65CB70ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00960E9B, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f24e616f126d805c75745ea3cdc98870e35db9716dc27a6a2b16634095f709f
Instruction ID: 124d4aa7bff06300c6b362c1532a55113678352c1f89cce22573e4a09467ad8d
Opcode Fuzzy Hash: 3f24e616f126d805c75745ea3cdc98870e35db9716dc27a6a2b16634095f709f
Instruction Fuzzy Hash: EC314D74A006158FCB24DF5CC5D4AABB7B5FF98320B158699E90A9B3A1C735FC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00966B98, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379d482af395c54bd45a439a272a280c1d02dc2c4ab2af3e505b34a06b771492
Instruction ID: 77570eb8c6ce0b5f7528ef54fe5595d601a34999f62de2a0612b4acccc652f59
Opcode Fuzzy Hash: 379d482af395c54bd45a439a272a280c1d02dc2c4ab2af3e505b34a06b771492
Instruction Fuzzy Hash: 942101397151149BDB14DAA9E940AEE7BBAEF88311F10843AE801E7350DF399C00CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00987C48, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50cd12ad1b6de8e37f0776b9514d68cc55f76064107fd5f025f0a1680e9eaffc
Instruction ID: 3d70fc648502e36164bc4794ddfc622c3caa7e10ecb1ebfcfde55452a2858343
Opcode Fuzzy Hash: 50cd12ad1b6de8e37f0776b9514d68cc55f76064107fd5f025f0a1680e9eaffc
Instruction Fuzzy Hash: 0B216A7A7446158FC714EFA8D884D6AB7BAFFC87617250569E85A8B360CB30EC01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009E1D98, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b058c70b23a08f028d7a4e38983bdc0c0012a134106bc8dd197c52be0ff1ffe
Instruction ID: 8a15a3decdf9afdc86a7831b1afcc8771a856ddd0f4469099c8ce7d74df34a2b
Opcode Fuzzy Hash: 9b058c70b23a08f028d7a4e38983bdc0c0012a134106bc8dd197c52be0ff1ffe
Instruction Fuzzy Hash: CC216A71B042148FCB44EF2DC841AAE77E6EF89750F1184B9EA19DB3A5DB31DD018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0096D7C0, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b16b654fc03e5c9bd65d232f3876ec149acc432b1886bb232122e43c3e8f398
Instruction ID: d73fbd80a4e4a8d74675a8a2660a04424104939722b1203a3669c96b173d4fb7
Opcode Fuzzy Hash: 6b16b654fc03e5c9bd65d232f3876ec149acc432b1886bb232122e43c3e8f398
Instruction Fuzzy Hash: 49210C34B02700CBC739DE26D598A2BB3B6BFC5355364886DD4568BB60CB36EC46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00964F33, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5565ecd0e7f13a2d347994ba0342c39ab75bd4841939e821d03dda5a5ac487
Instruction ID: 2546ea21a75bd8e0dee0f150a807bf2e683cdd60ef263e729e12eb5a87c10e09
Opcode Fuzzy Hash: 4e5565ecd0e7f13a2d347994ba0342c39ab75bd4841939e821d03dda5a5ac487
Instruction Fuzzy Hash: E021B371A04109AFDF04EFA8E8017EE77F2EF85305F1185B9D619AB290DB355E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0098D2C8, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337b3460220c57eef47e35ba1a2831e075f12b21a0274f93b6c48383b2c37a93
Instruction ID: 20180292a14227f5d8cea6d36f4b85752963ccda4a9a840a8be2380413f61761
Opcode Fuzzy Hash: 337b3460220c57eef47e35ba1a2831e075f12b21a0274f93b6c48383b2c37a93
Instruction Fuzzy Hash: 5B212B317052145FCB14ABA9E854AAEBBEBEFC5344B04846AF508C7391EB30DC04C792

Uniqueness

Uniqueness Score: -1.00%

Function 00968A08, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64334dcdc7d2470fcc3cc33c5f6c5033cca01217e0138af9333769873b86878d
Instruction ID: 9002ed580edfaae5ab0b57ed981a441b6431cade9b4c46e7bfdbbfb73e26e5c7
Opcode Fuzzy Hash: 64334dcdc7d2470fcc3cc33c5f6c5033cca01217e0138af9333769873b86878d
Instruction Fuzzy Hash: FD21D3302083559FC710DF29DC80A8BBBE6EF85308F45CD29E6468BA65DB70ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00968743, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003f4d6eb09912262931fff835ce2ccdf543b5f40566a02804c66f88ef012858
Instruction ID: 3592bd7c839f40f97a492adea2e5d0e80c6ac1e4647211df2290bf76bbe50962
Opcode Fuzzy Hash: 003f4d6eb09912262931fff835ce2ccdf543b5f40566a02804c66f88ef012858
Instruction Fuzzy Hash: 70212730B042009FDB248BA8D8547EEBBF9AF99315F35015AD402EB3A1CFB08D058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00960A80, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8293f59a74a2843cf3524d03d216b85883d9eabd6d4d818adfefcfb4968a52
Instruction ID: 11c488c6cb17fbf83df3450ca67415fd109b5d22b2ee5899b04f30e9a8e17d44
Opcode Fuzzy Hash: ae8293f59a74a2843cf3524d03d216b85883d9eabd6d4d818adfefcfb4968a52
Instruction Fuzzy Hash: 9B21D471A00218CFCF14DBA4D998AEEB7B5FB88345F108469E406A73A0EB399D41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0096C378, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d9a57e2ae359210908f9f14bd04feb4ab467eef89a6ca1f8c56333ccab81f40
Instruction ID: cfb09f9991966783428fdd39bedf4b9f34804d1d46584a35f69bcb1f1c352ddd
Opcode Fuzzy Hash: 6d9a57e2ae359210908f9f14bd04feb4ab467eef89a6ca1f8c56333ccab81f40
Instruction Fuzzy Hash: 1811A1777082269BEB155999F841ABFB799EBD4371B10C137F994CA340EA32DC118790

Uniqueness

Uniqueness Score: -1.00%

Function 00960399, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f86e3c11af7974e7928432d0e9a38906da045c287fee7f862980e3cfc7a464
Instruction ID: 6d1c3f07d4b4bff0525e1dfdd15ee2a0a25fb4eda4aeb4e958e13e2b79552417
Opcode Fuzzy Hash: 39f86e3c11af7974e7928432d0e9a38906da045c287fee7f862980e3cfc7a464
Instruction Fuzzy Hash: 171190366082549FCB11CFA8C8D099E7BB9EF8A3253194597E449DF352D731EC418BE4

Uniqueness

Uniqueness Score: -1.00%

Function 009E1CE1, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183ee42b5168fac4ef0919228dcf0923c05f27459b0ec8236fa078b47a47eadc
Instruction ID: bd4a95a467ee8c1c32a59f89f3a3e542b6eb96aa53cd1742d86269d7c9e8775c
Opcode Fuzzy Hash: 183ee42b5168fac4ef0919228dcf0923c05f27459b0ec8236fa078b47a47eadc
Instruction Fuzzy Hash: 9D1102327041144FDB06ABB98C506AF7BEBEFCA618B24447AE105CB3A1DF718C068790

Uniqueness

Uniqueness Score: -1.00%

Function 009E9CC2, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90610579830ab4ef447c9dc81a9cb1862f0fb4c685aa10875b64ee08b788366
Instruction ID: 192c34427c1f7cc1bed1c6007af08be6f3958b2c8c96c2e4f042efd83a78e4b2
Opcode Fuzzy Hash: c90610579830ab4ef447c9dc81a9cb1862f0fb4c685aa10875b64ee08b788366
Instruction Fuzzy Hash: 07312935A01729CFCB25EF21D888698B772FF4A315F1045E9E60AA7620DB356EC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 009EA700, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a4962a65e83fcd725f5975ae658e016529786b79ee895a5b2e2494a8aabeab
Instruction ID: 264bdb0448a457f33680681897845f9df09258108f86eaf4807cfe69c1f0020b
Opcode Fuzzy Hash: 79a4962a65e83fcd725f5975ae658e016529786b79ee895a5b2e2494a8aabeab
Instruction Fuzzy Hash: AB112031B052908FCB15CA7689142BEBBB2AF84244B2444AED401DB3B0EB358E05C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 009E1CF0, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00decd680949353dac81e058fe9b484d35af01c9f27397478291fc867cc947c6
Instruction ID: e301ab4740c9a2806a3014ae2e9792dde376ffe74875d1164f5d75e1a4e9d8e3
Opcode Fuzzy Hash: 00decd680949353dac81e058fe9b484d35af01c9f27397478291fc867cc947c6
Instruction Fuzzy Hash: F00180317105245FDB19AABA8C50AAF76EFAFC9618B20443AE506CB3A0DF719C029794

Uniqueness

Uniqueness Score: -1.00%

Function 00966DD7, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45bf6ccd2bf855074905337aa76142a598960c82d082e12d86bbd167767abf1
Instruction ID: 0c5b91dbf13413269d39fe98a830b77dc77fee4c1f5c5e25f10b6ae05575e713
Opcode Fuzzy Hash: d45bf6ccd2bf855074905337aa76142a598960c82d082e12d86bbd167767abf1
Instruction Fuzzy Hash: 5F218E35600114DFDB01AFA4E844BAEBBB6EF85302F1581B9F445AB391CB39DE51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009EAD50, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd85ece61d5a88e6ee1124fbedaf04ddb6e7e979b2a6adcf2c289ead1e76fe2
Instruction ID: 9ca191b8a97a0a042016f2c717207447c6f7a005ed34101d95d21aa5051d58c4
Opcode Fuzzy Hash: dbd85ece61d5a88e6ee1124fbedaf04ddb6e7e979b2a6adcf2c289ead1e76fe2
Instruction Fuzzy Hash: 6A119375A00154DFC715DF68C455A9EBBB6EF8D310F10806DE501AB3A1CB75AD41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0096BDF0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c4e04e9e3ea32b780344bdbab369b8b24c668305fd3bd2624ecdbd7a0ba094
Instruction ID: 667d5dd1b8b3a59cd2c7d26b8a33c3d92a4c76df435ce7205beb40e474696c40
Opcode Fuzzy Hash: 68c4e04e9e3ea32b780344bdbab369b8b24c668305fd3bd2624ecdbd7a0ba094
Instruction Fuzzy Hash: 4511CE71A082548FCF25CFA9C8044DABBF6EF89300B1589AED585E7351E735AC94CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00965D78, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c67bea8e66bd4555008d8c361e4d473f5b9e917291400df63b2c0349d3acd4c
Instruction ID: 1368fae853b529bed821d747eb0c8aa1be0ef2fb6f0b0894fd4a0d4871b798e3
Opcode Fuzzy Hash: 5c67bea8e66bd4555008d8c361e4d473f5b9e917291400df63b2c0349d3acd4c
Instruction Fuzzy Hash: 0B11C274A046548BCF14ABB898193EE7BB6EB89346F0109B9C90ADB2C1EB3449408BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00964F38, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85beed05e067fc7dc14486ab1f5e5a95f1916d3ec9e3c10bb295474360589db9
Instruction ID: c95088fc790e6d798034886e1ccdf77be6c336fc33be810f42444e26058ffe09
Opcode Fuzzy Hash: 85beed05e067fc7dc14486ab1f5e5a95f1916d3ec9e3c10bb295474360589db9
Instruction Fuzzy Hash: 7B118F70A04109AFDF04EFA8E405BAE77B2EF85304F1186B9C259AB795DF345E058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098D2B8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba1f0806b6a0a6153f25c1b0c830a772a67e1b36d91f7a65921db2a77636c9f
Instruction ID: 138689c92b73ed399378f5b3893efac971620dcd62efa4fef42226ee96229a61
Opcode Fuzzy Hash: 8ba1f0806b6a0a6153f25c1b0c830a772a67e1b36d91f7a65921db2a77636c9f
Instruction Fuzzy Hash: 481186317041045FCB14EF99C854A9EBBEAEF95354B04846AE408DB351D730DD15C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00968750, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfd8afa5d3a7e8aff44ffb06ff9017b525a12ed147d737a7d14af5ec638f54f
Instruction ID: 99c47f271c992dab1778c7a523f0c8b5e780c9e88d39261d5d60e1b551f3be51
Opcode Fuzzy Hash: 8cfd8afa5d3a7e8aff44ffb06ff9017b525a12ed147d737a7d14af5ec638f54f
Instruction Fuzzy Hash: E111DF30B001049FD7149BA9D458BEEBBF9AF8C714F254059E501E77A0CFB49C05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098FF50, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc135e8037761ae6178a227bf9551a7bd35b5b6aaeaa1c02ab76ec97b512591
Instruction ID: d24c9137b77d3402dc93aacae70cf44bea2bc9785b314526bd7444f7570e767e
Opcode Fuzzy Hash: 6fc135e8037761ae6178a227bf9551a7bd35b5b6aaeaa1c02ab76ec97b512591
Instruction Fuzzy Hash: F1019A72208215AFC714DA6DD880E9AFBAAFB893503028276F659C7710D770ED05CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009EAD60, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434fd168e6889e11895fe668edb3818f0b03a76fe41ff59007b4e4303a81b5da
Instruction ID: 38973d3b4222936c6c9ef81545337dd31db4980832910388ccce7ce303be19b8
Opcode Fuzzy Hash: 434fd168e6889e11895fe668edb3818f0b03a76fe41ff59007b4e4303a81b5da
Instruction Fuzzy Hash: CF119E75A00204DFCB15DF69C494A9EB7F6EF88301F108069E502AB3A1CB75AC41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009603B0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee466dccda97bfd1d421e311bf9a00f44f76dc818599434c3d39e9ee07278cc
Instruction ID: dc8e79be776d7e9974ec0a52f6e128800fb5543f705f3020db3007158ca15a4b
Opcode Fuzzy Hash: 1ee466dccda97bfd1d421e311bf9a00f44f76dc818599434c3d39e9ee07278cc
Instruction Fuzzy Hash: 2901D1329086649FC711CF29D8C085ABFB8EF8A36572945E7E809CB313D320AC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00983177, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3329066aca5ec442730c9df50d3eea597d2ed6cfd09ef0b873b947a9d688979c
Instruction ID: 51072fc2c2e2ac06ca06e77b5e3fd316ae43710be3b0bbf0a701fab9e16477c6
Opcode Fuzzy Hash: 3329066aca5ec442730c9df50d3eea597d2ed6cfd09ef0b873b947a9d688979c
Instruction Fuzzy Hash: 721165B8B042059FC704DF58D891DAAFBB9FB89310F1485A9E909AB351C731FC41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00960040, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaaf7f5e132009db3f352f62f494304b4126b7401a3429b32eab39875e960215
Instruction ID: 29f92bbcd3d89a4a40968e3d30c593313d3d7b871efe1f50f3542d3d7ac222d9
Opcode Fuzzy Hash: aaaf7f5e132009db3f352f62f494304b4126b7401a3429b32eab39875e960215
Instruction Fuzzy Hash: 8401AD353042008F8B259BA9D080AAA73EEEFC971571804AAE109CB754DB72DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00964B30, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7537bf96b78524650984328eaeb4a593968ed0f77f1440984878f05629f70a60
Instruction ID: 98bb5df1d9ca5498d5d6ba3f40a005d0f6e849f0949b7241c12008da82e45218
Opcode Fuzzy Hash: 7537bf96b78524650984328eaeb4a593968ed0f77f1440984878f05629f70a60
Instruction Fuzzy Hash: A9016D70A002199BDB15DBA9D840BAEBBF9AF89304F04407AD908E7241DB749A01CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0096C2F8, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aeaa19cf4739ba7e29de5c2ddcdc19dd8fb1c342419f562672215d1f5923dca
Instruction ID: 0c0cf8c6ca9fd432cf8c221c873970fd26389123651ba6d7c5d430d7786898bc
Opcode Fuzzy Hash: 6aeaa19cf4739ba7e29de5c2ddcdc19dd8fb1c342419f562672215d1f5923dca
Instruction Fuzzy Hash: EE016272B04208AFDB14DA6EE404AAEB7EDDB98360F04C07BF859C7350EA75D901CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0098C600, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd964784ad7db79c985092a3862d2d85e9c5a7c4d1187108fe3c11802fe649e0
Instruction ID: adc423ec282aae9ee8642af6d8c72b7f371af2652b47f2d877102f41a87a6f73
Opcode Fuzzy Hash: dd964784ad7db79c985092a3862d2d85e9c5a7c4d1187108fe3c11802fe649e0
Instruction Fuzzy Hash: F6014E313082016BD710661D9C517AA7B9AAFC0355F144439E5448B781DF74DC1883E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.526223620.0000000000A2D000.00000040.00000001.sdmp, Offset: 00A2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6755220039f3ec4bf0d4e0cd430054d89219d97a86255c721dd4a7246761a07
Instruction ID: fdbd8b0684ff8445c9eb377cc2127554fd1f21c4bad96cb8ce666a03b6b3350b
Opcode Fuzzy Hash: a6755220039f3ec4bf0d4e0cd430054d89219d97a86255c721dd4a7246761a07
Instruction Fuzzy Hash: 3501F77140C350AAE7104B19EC84B67BB98EF41364F188469ED065B293C3799D05C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0096C208, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fd332499fc8639aa2823998a1eef21df6667ac482b806e97bf94dbdf3321f1
Instruction ID: ec52c2ff1398a7847bec53886f2165e58cbba366c7b6452de9b5548fa8e415a8
Opcode Fuzzy Hash: b6fd332499fc8639aa2823998a1eef21df6667ac482b806e97bf94dbdf3321f1
Instruction Fuzzy Hash: BA014832D1461A9ACB04DBA8DC404DEF772EFC5311F128626E61137160EBB12A4ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0098D250, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e208fde7f9e93d0b636ac948dfcbf16a28cc3f28cce469597ee4d3c8371350
Instruction ID: f23d8beb153667467ef4f610173ca06e943ed7277934679de8ac5d9231010d88
Opcode Fuzzy Hash: 77e208fde7f9e93d0b636ac948dfcbf16a28cc3f28cce469597ee4d3c8371350
Instruction Fuzzy Hash: E0F096353042145B9B18E6DA9854FABF7DFEFD9264714C439E51DC7791EA30DC018390

Uniqueness

Uniqueness Score: -1.00%

Function 009E1EB8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4b25ec3b1ba222c45795155a66b3e8de8e17b4926662d8d794af66855e8538
Instruction ID: dc2fe0c04803a35ae4ea41fb2eadfeac042c863332b2ef85c5a7696459057bb3
Opcode Fuzzy Hash: fc4b25ec3b1ba222c45795155a66b3e8de8e17b4926662d8d794af66855e8538
Instruction Fuzzy Hash: 81F0BB72A001089FDF058EA5DC449EF7BBAEB4C350F00842AF615D7340D6319D269B50

Uniqueness

Uniqueness Score: -1.00%

Function 0096EB02, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23af26ee7cdc6c620245db67a86a3e61b0b8c392fdfd9366aa41c197b27f8ef
Instruction ID: 4fc541daf8fe9c78a46f108002c1c93e5f0046d2c08cfb6a8903a908a53f1697
Opcode Fuzzy Hash: a23af26ee7cdc6c620245db67a86a3e61b0b8c392fdfd9366aa41c197b27f8ef
Instruction Fuzzy Hash: CB01EF79B10208CFCB14CFA9E484AADB3B6FF88314F104565E9029B3A4D774AD52DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D01C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.526223620.0000000000A2D000.00000040.00000001.sdmp, Offset: 00A2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af48ea75cb02f83f0dffd4335720b79e25e428835f87952dc30377ff5db991f4
Instruction ID: 42f91056a5fad90fb7488c29a2988a6eeb7bead61d6fa27c7d53bff3302754bb
Opcode Fuzzy Hash: af48ea75cb02f83f0dffd4335720b79e25e428835f87952dc30377ff5db991f4
Instruction Fuzzy Hash: BBF0C271408294AEE7108B19DC84BA2FF98EF42724F18C46AED495B292C3799C44CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0096C288, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff3fa096fec08747532ac066eb877c763427edadd4f374f574fe487d60871ab
Instruction ID: b32ac4305ca192390336137cf5fd0dc55785a3d90f008b35b2f09bb0ad207d4d
Opcode Fuzzy Hash: 3ff3fa096fec08747532ac066eb877c763427edadd4f374f574fe487d60871ab
Instruction Fuzzy Hash: B7F05C327043023BC31286BDA8115BE779DDFC2360301467AF458CBA40EF64DC0547E2

Uniqueness

Uniqueness Score: -1.00%

Function 0096F4F8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7606298af4c536cdaa889772b2f4ac5cdd6559f0061dab2a9e97e4b7fbaaa7fc
Instruction ID: 4962591e5dcfcb7edbb82174008db25612a1cb290882eb4abed7928f05399363
Opcode Fuzzy Hash: 7606298af4c536cdaa889772b2f4ac5cdd6559f0061dab2a9e97e4b7fbaaa7fc
Instruction Fuzzy Hash: 95F05E32E002499BDF14DBA4C4649EFBBB9AB84304F11883AE513A7780EF746909C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 0096D7B1, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77105367639c7178095acf8d07408f56163846039b7acb9fbdb981f64ea17e29
Instruction ID: 192798932397ccafbfb68bb60c567287e3322281500f419a6c0b58b8cf285594
Opcode Fuzzy Hash: 77105367639c7178095acf8d07408f56163846039b7acb9fbdb981f64ea17e29
Instruction Fuzzy Hash: 81F01D75706740CBC3298A26D44441BBBB6BFC9355324C5BAE15A87761CA31E842CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0098E437, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a766a55a0a75f4385f874f2d80523d2be3850d24b6bcb3a8f29a71fec38995
Instruction ID: a18f39252b9dff10350567e31bdd7aba1859553c9cada140cdef703192809f33
Opcode Fuzzy Hash: 93a766a55a0a75f4385f874f2d80523d2be3850d24b6bcb3a8f29a71fec38995
Instruction Fuzzy Hash: E9F06D35700349CFCF15DF64E8C48AAB7F1FF453107504999D99A9B256C735E915CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00989637, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec249859401a9da969b8a1fb91a1b858ea8f4fe896947ac789768b81761e4f69
Instruction ID: 95dee1b5ac2b540805125c1f6a637750fe08404451a6232cdedeac335ed92929
Opcode Fuzzy Hash: ec249859401a9da969b8a1fb91a1b858ea8f4fe896947ac789768b81761e4f69
Instruction Fuzzy Hash: 2FF03C31A00218DFDF95DFA4D880BADB7B6BB84314F1480AAE40497350DB359995CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0098962E, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec249859401a9da969b8a1fb91a1b858ea8f4fe896947ac789768b81761e4f69
Instruction ID: 95dee1b5ac2b540805125c1f6a637750fe08404451a6232cdedeac335ed92929
Opcode Fuzzy Hash: ec249859401a9da969b8a1fb91a1b858ea8f4fe896947ac789768b81761e4f69
Instruction Fuzzy Hash: 2FF03C31A00218DFDF95DFA4D880BADB7B6BB84314F1480AAE40497350DB359995CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00960A70, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4a76703c7ea449a38e65d6b1f52cfefcc3b4ea8da3887d4a00263035264bd1
Instruction ID: cb4522f9cf2918c7412866e5210fb40a21b6ae58666199b06c01ad5df00ddb4b
Opcode Fuzzy Hash: 9b4a76703c7ea449a38e65d6b1f52cfefcc3b4ea8da3887d4a00263035264bd1
Instruction Fuzzy Hash: 4EF02B3A7102449FCF10CA6DD488ACB7BE5EBD8361F0080BAE6448BB55DB71AD9587E1

Uniqueness

Uniqueness Score: -1.00%

Function 00987C40, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb5be24de26e230240953a6cd586cffbff40534376919d920037cc8243ab75d
Instruction ID: c10f5845dd853e1d5f1eca0da611c14eceb33921f2b0001a510f50d7b39884a3
Opcode Fuzzy Hash: 4cb5be24de26e230240953a6cd586cffbff40534376919d920037cc8243ab75d
Instruction Fuzzy Hash: ECE0D876B042246FD700DAADEC45DAFBBAEEFCA760B100416F109D7360CE319C0087A4

Uniqueness

Uniqueness Score: -1.00%

Function 0096C298, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9deb116aba26f1dfc4f01f41cb807fc2643b2f974fb502311c27c8f5936475
Instruction ID: 54e94b59b91c05e88d491d4a8da3063c088ad4a969a6c6e8c35286d8f6f30187
Opcode Fuzzy Hash: 8c9deb116aba26f1dfc4f01f41cb807fc2643b2f974fb502311c27c8f5936475
Instruction Fuzzy Hash: 74E0D83270071227871296AD9810ABE739EDFC1364741493AE958CBB00EF64EC1547D5

Uniqueness

Uniqueness Score: -1.00%

Function 0098F088, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004903ca666b9fbe11416cb775a456a832f570a7970c2b7b678c7f5403279b48
Instruction ID: bb3f83e99d5955ef720a5730d0c4556cea3c2c80a44d21f9c894a563327dc3ff
Opcode Fuzzy Hash: 004903ca666b9fbe11416cb775a456a832f570a7970c2b7b678c7f5403279b48
Instruction Fuzzy Hash: C2F0A272509249BFDF03CFA48C108EF7F77AF45240B058496F944C7162D2318A25A751

Uniqueness

Uniqueness Score: -1.00%

Function 0098922F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0c9d76cf684700e0369d4ff29d84a8a367c6c22dbe73ed843f371e2512cc1f
Instruction ID: 7864ff7a7a18a10261b443f09860d9fddd01aef930f5f34f8584fa7f3d09cf3a
Opcode Fuzzy Hash: ba0c9d76cf684700e0369d4ff29d84a8a367c6c22dbe73ed843f371e2512cc1f
Instruction Fuzzy Hash: 61F0DF7204018EBFDF124F90DC05FEA3F6AFF49309F098165FA5455061CA36D572AB60

Uniqueness

Uniqueness Score: -1.00%

Function 0096C377, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0476f5eb76e597030b685f084eb874c225f51b7243c2fc40ec4e74798ed4dd58
Instruction ID: 8f561a6918baf955cf8f0374be02be752a875788ce156057df46215aa9a2fbda
Opcode Fuzzy Hash: 0476f5eb76e597030b685f084eb874c225f51b7243c2fc40ec4e74798ed4dd58
Instruction Fuzzy Hash: ABE08677A04229ABDB250949A801EABBB1EEBD5771F14C027FC9857700DA359C40C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00968D6F, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ea6678f84c2faa03825943c12b8e83042331466868a26976579acb4b2b3a58
Instruction ID: 1b26a2f13f24d4e6f52789de7a771b210f8ad1251f92508d61e795b96ce173ed
Opcode Fuzzy Hash: e9ea6678f84c2faa03825943c12b8e83042331466868a26976579acb4b2b3a58
Instruction Fuzzy Hash: 4CF0BC79A511049FCB08CF69E890D99B7B6FF98324B2244A6E501CF3B2DB31ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0096AAE6, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c29274c8ffa2737214309f3319cee5215e14f183e7afbc3acaf5ce62c0ed81
Instruction ID: be66cd14f6961c5857969e12eac82cf8d31f9eeada0dd2a4e48812b3ddb52c26
Opcode Fuzzy Hash: a5c29274c8ffa2737214309f3319cee5215e14f183e7afbc3acaf5ce62c0ed81
Instruction Fuzzy Hash: EBF0157AB00108DFCB04CFA4D8809DDBBB6FB98324B24C169E905A7260C7359D61CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00989240, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114b2906884e084dec58f931324e7079226ce4267ccc989d2d7df7b0ebe300af
Instruction ID: 1639cc289c221afc4d7cb3583c3be675f91f1851c6120d4c3d0ced90e2ba83e2
Opcode Fuzzy Hash: 114b2906884e084dec58f931324e7079226ce4267ccc989d2d7df7b0ebe300af
Instruction Fuzzy Hash: 77F0C27200014EBFDF128F91CC01FEA3F6AEB8C315F048151FA5494064C636D570EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0098F098, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf5ab053b131e1e46fc0a1fe2b00827545e1ffea6e69e47bd6cc3ba1cd88015
Instruction ID: c2316d6f88b53518b11ca334490e1908aaf7071ff7d21238099498c420d9f235
Opcode Fuzzy Hash: ccf5ab053b131e1e46fc0a1fe2b00827545e1ffea6e69e47bd6cc3ba1cd88015
Instruction Fuzzy Hash: 43E0927290110DFF9F01DEA18D01DAF7BBAEB48240F01C465BE0492120E6328A35ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 0098A211, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7729182afba10450a3433463790e60a01f726193eba0ee0b05412f83035c2a1c
Instruction ID: 44e5477f00b03df082dbdfe6bf25471ab8362c8b08fd112107b213aff4022979
Opcode Fuzzy Hash: 7729182afba10450a3433463790e60a01f726193eba0ee0b05412f83035c2a1c
Instruction Fuzzy Hash: F2F0A535E01228CFDB64AB65E988B9DB7B2FF88311F0041E5E91997355DB315E95CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00980278, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078890df30ad710709d5fc69f7056f1bd1e5a803d7edc9af1ffcdcaf62be9267
Instruction ID: e525c8db688be371e7200f94e0600b6a66ec114584148e7b381cfe008f456cd7
Opcode Fuzzy Hash: 078890df30ad710709d5fc69f7056f1bd1e5a803d7edc9af1ffcdcaf62be9267
Instruction Fuzzy Hash: 05E0723222034003C76422E8F40C3B277CC4FC2325F0842B9E9ADC2BC1DEA0EC468380

Uniqueness

Uniqueness Score: -1.00%

Function 0096A51C, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ee0bd0c834790b338c94fc7f425cf4b1b87011cb28f1b4eec591f677c2b793
Instruction ID: 194d79c1e36e18b802ffc37095b41c3a265f70419a473bf124ee2374d717be0b
Opcode Fuzzy Hash: 73ee0bd0c834790b338c94fc7f425cf4b1b87011cb28f1b4eec591f677c2b793
Instruction Fuzzy Hash: 69E0C2E380D2D09FE30283685C220B8BF34DD6322134904D7D482DB8A3E1199619E733

Uniqueness

Uniqueness Score: -1.00%

Function 009EBEB8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1ce5dd906659959be762c4f365dc1c968ec8add5a45ae295eb2232395bf8ed
Instruction ID: 202db761c36508025a130fb92199112a2f286a53f8546f6e84baae910b24c7a5
Opcode Fuzzy Hash: de1ce5dd906659959be762c4f365dc1c968ec8add5a45ae295eb2232395bf8ed
Instruction Fuzzy Hash: 8BD0A7323141500BC314019C74091FB7BDB87CC731728407FF04DC374489650C238791

Uniqueness

Uniqueness Score: -1.00%

Function 009EB708, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e58025bb8b9fae46b02287c51e2466f75c33a741b0fd85f3d08c782e8f3084
Instruction ID: bc5bf945ac7da36d11a2a5d0c9691c9ddc896576fe5a25eb2da6a66e46548342
Opcode Fuzzy Hash: f0e58025bb8b9fae46b02287c51e2466f75c33a741b0fd85f3d08c782e8f3084
Instruction Fuzzy Hash: 96D0123231016467C704118EB4096BB77DFDBCD731B24403BF50EC33418EA96C1256E5

Uniqueness

Uniqueness Score: -1.00%

Function 00983B6F, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f30f98001cc6172bffd2cba35783f6243bdb1062380d59217d44ea243a7f173
Instruction ID: 1384f42240c24c400c9e9646ff881d62bd779f3b1c20664c933a01ebd9bdb53c
Opcode Fuzzy Hash: 3f30f98001cc6172bffd2cba35783f6243bdb1062380d59217d44ea243a7f173
Instruction Fuzzy Hash: 7DD0A75420E3852BC622A579AC59736BF6D9F42624F28409DE88482101FD1B88148367

Uniqueness

Uniqueness Score: -1.00%

Function 009EAD31, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1a92b66d6fce279a9f3fe049f19c4b59c3e656cb556a2fb759ff8f4474d453
Instruction ID: 27a31a538923db5a375b77da069e66de5116d45e97ce8c03c4eb88473f874fe4
Opcode Fuzzy Hash: 4a1a92b66d6fce279a9f3fe049f19c4b59c3e656cb556a2fb759ff8f4474d453
Instruction Fuzzy Hash: DDD012B515A2905FC346CB74E854C813F759E4E11431582DBF18DCB573C22ADA1F8721

Uniqueness

Uniqueness Score: -1.00%

Function 0098ACD0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523894292.0000000000980000.00000040.00000001.sdmp, Offset: 00980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0d30fdbc1d0ef9be9ddda1d053bc7278fb6b17bc1eb7a7aa4a409a5464e4a0
Instruction ID: 0741417e8fe964cafb57c3571965944cab325f25bcc8cfb680f03a83197db5d3
Opcode Fuzzy Hash: 6b0d30fdbc1d0ef9be9ddda1d053bc7278fb6b17bc1eb7a7aa4a409a5464e4a0
Instruction Fuzzy Hash: 7EB0120F57D59546D20101243C221F23F04CF42002B34448288C4DCC42D00A499751D7

Uniqueness

Uniqueness Score: -1.00%

Function 0096A4D7, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.523222434.0000000000960000.00000040.00000001.sdmp, Offset: 00960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bcb62f22914cdde0ac6e3e4ca75b9336ba88888a23bd8676a477d9f47fc270
Instruction ID: b35c2c3012d3b605a025c89a94a8cc081e7e9c5f19f0fdd70cd303312ef7b802
Opcode Fuzzy Hash: 79bcb62f22914cdde0ac6e3e4ca75b9336ba88888a23bd8676a477d9f47fc270
Instruction Fuzzy Hash: FFB09237A04008D9DB00CA84B4417EDF724E7A0325F204427D21161400933502789AA2

Uniqueness

Uniqueness Score: -1.00%

Function 009EAD40, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.525083973.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: POinv00393.exe PID: 6464 Parent PID: 3388 POinv00393.exeCOMMON

Executed Functions

Function 03518108, Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0586992de7b1471d79c4902da70637530fdd773b30296bd801394f5854d477
Instruction ID: 14bbbcb674e9ee06c99483575873704f4f2e33f4a2afa00aa803545ec6471333
Opcode Fuzzy Hash: bd0586992de7b1471d79c4902da70637530fdd773b30296bd801394f5854d477
Instruction Fuzzy Hash: D4124E31A00119DFDB24DFA8E884AAEBBF6FF88304F198469E815AB365D734DD51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 035127A2, Relevance: 4.7, Strings: 1, Instructions: 3433COMMON

Download Yara Rule

Strings

W, xrefs: 03514789

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 0a50c248e350b5e4b10fa5cf44f922fa0713bfa73d1d213de52b8dcb11bb801a
Instruction ID: 33b363c42bc34ffea4648f1aa15ed2cf0751beca3fb5cfab744e1abfe007643f
Opcode Fuzzy Hash: 0a50c248e350b5e4b10fa5cf44f922fa0713bfa73d1d213de52b8dcb11bb801a
Instruction Fuzzy Hash: 1B130A7154E3C48FC713CB648CA96D57FB4EF07211B0941EBD884DB2A3D62C695ADB22

Uniqueness

Uniqueness Score: -1.00%

Function 0351A140, Relevance: .7, Instructions: 706COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40cf946c5624cb41bb313338cf4d0a3bf2e908428afce33fa636dfb084d2805
Instruction ID: 4842b53cb44f85dab380091670ca6526229c096ae9a0f45c37b450e2093f839a
Opcode Fuzzy Hash: a40cf946c5624cb41bb313338cf4d0a3bf2e908428afce33fa636dfb084d2805
Instruction Fuzzy Hash: F7525030A0511DDFEB25DBA4D850BAEB7B2FF84308F1184A9C60A6B3A4DB359E41DF51

Uniqueness

Uniqueness Score: -1.00%

Function 03518730, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce57c97d1ea637b55e66e27c37c046cf7dbf90313cc9a8d7135580ffc16bb40
Instruction ID: 0ba03a7debc4980ca3347ff3864d6da2b7a2ba3628b626186fe58f247c85fecf
Opcode Fuzzy Hash: 7ce57c97d1ea637b55e66e27c37c046cf7dbf90313cc9a8d7135580ffc16bb40
Instruction Fuzzy Hash: 02325C35A002099FDB24DF68E884A9EB7F6FF89314F1585A9E819DB3A1D730EC51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 035153D0, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790486afe2ed6bbd2415953847f721323054fdcdd80777bf8980337e70079557
Instruction ID: 71c64ccdd0ac1208aead09652f52c418c1f1d2926a6dff18b16dcb096a8fc7d8
Opcode Fuzzy Hash: 790486afe2ed6bbd2415953847f721323054fdcdd80777bf8980337e70079557
Instruction Fuzzy Hash: 6BB1B034B04109DFCB14DFA8D850BAEBBB2FB88305F218899D905AB755DB38AD11CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0351F012, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fded8892dfa22fcf2f4b17f9c3715bb960ed7847bd5124b0743af91b06d44829
Instruction ID: c35e181023920eacdc6b28dd8ec463bb5f7b936217953122d8c6bcc93a867d21
Opcode Fuzzy Hash: fded8892dfa22fcf2f4b17f9c3715bb960ed7847bd5124b0743af91b06d44829
Instruction Fuzzy Hash: 31813D34B012109FDB55BBB0E8187AD37B2FB89316F149468E9039B3A9CF799C51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0351F067, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4357c89e3f5c71f0e58c7bbb651fed27ee703a96df7d04d7e40c1609d4026e
Instruction ID: b7f7b1d52c19198bda0c52069cc7b376c4791896bba5e2fecc7662f27d975d61
Opcode Fuzzy Hash: 8c4357c89e3f5c71f0e58c7bbb651fed27ee703a96df7d04d7e40c1609d4026e
Instruction Fuzzy Hash: 55715E34B01210CFDB45BBB4E8186AC77B2FB89316B149469E8039B3A9CF799C51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0351F0C7, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7f7eb4f995988777b96c4b15ad9ddf1c5874a9db68dbab645220628ca4da0e
Instruction ID: 908dfc5db203175f706520fa6ce867b945f44710247f51c3c1e9a1694bb92a72
Opcode Fuzzy Hash: cf7f7eb4f995988777b96c4b15ad9ddf1c5874a9db68dbab645220628ca4da0e
Instruction Fuzzy Hash: EB612C38B02210CFCB45BBB4E8185AC77B2FB89316B149069E80797769CF799C56CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0351F0EA, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084f3d9bd5d0488126033eb78ea55f6576bc793c883c369c24e6cfa4077e5363
Instruction ID: bbb6b5913487fe8c891c83aec41b78c9771b69640edb3318dea25efeb7d03d89
Opcode Fuzzy Hash: 084f3d9bd5d0488126033eb78ea55f6576bc793c883c369c24e6cfa4077e5363
Instruction Fuzzy Hash: 83611E38B01210CFCB45BBB4E8185AC77B2FB89316B149069E807977A9CF799C56CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0351F109, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58104d3ba109737ca57df4aee03df968f2ac6d447546768350da64abacf8a947
Instruction ID: 64a588b122a2bcbfc5b4503f4cf3bef21ff7c43d77bb9f29dcfbcb44b703ae7a
Opcode Fuzzy Hash: 58104d3ba109737ca57df4aee03df968f2ac6d447546768350da64abacf8a947
Instruction Fuzzy Hash: 88612E38B01210CFCB45BBB4E8185AC77B2FB89316B149069E807977A9CF799C56CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0351F122, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2550de792fc0a5a26ba46840048a293abdb3a70480f3ac545075e39355e07e4
Instruction ID: 34ba55db7a338038bdea3a9a06fb44473714190ea7daf738a7799cacdc6b6311
Opcode Fuzzy Hash: b2550de792fc0a5a26ba46840048a293abdb3a70480f3ac545075e39355e07e4
Instruction Fuzzy Hash: B4614D38B01210CFCB45BBB4E8185AC77B2FB89316B149069E807977A9CF799C56CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0351F1FA, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463d000e0adf7c9a0b2183c5ef90aaaf3679db7d82aa1ab28f942bfb9c19b1e1
Instruction ID: 1b99ecd4b4d4c900e4345924a299488f65edcef7a4088fa68be836bb16395290
Opcode Fuzzy Hash: 463d000e0adf7c9a0b2183c5ef90aaaf3679db7d82aa1ab28f942bfb9c19b1e1
Instruction Fuzzy Hash: 4A41E738B02210DFCB45ABA0E4085AC7BB2FB893137149069E8039736DCB795C62CF95

Uniqueness

Uniqueness Score: -1.00%

Function 03515278, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01fedd8b11165847fdc56f09172ac4944daea5fa357f90f0e73b6d8b3a1d6e9
Instruction ID: 97daf64ea13affd23ec7b703fac54f1b8119c92e0f5d80565b1c5ed51d2043f4
Opcode Fuzzy Hash: c01fedd8b11165847fdc56f09172ac4944daea5fa357f90f0e73b6d8b3a1d6e9
Instruction Fuzzy Hash: DC31C234B001159BDB69EBB8541037F72A7BBC6314B288928C51ADF7D4EF74CC524791

Uniqueness

Uniqueness Score: -1.00%

Function 0351F238, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81624642843868cfbe8a3b0371a2f3cf846633e482b5fb885f8855ee3b83587d
Instruction ID: 54d393cd7d225c8305119ae302918c6e7a61476b2505abe1d5c4ef5ac195626e
Opcode Fuzzy Hash: 81624642843868cfbe8a3b0371a2f3cf846633e482b5fb885f8855ee3b83587d
Instruction Fuzzy Hash: FD41EA39B022109FCB457BA4F5085A83BB2FB8932371490A8E8079776DCB795C66CF95

Uniqueness

Uniqueness Score: -1.00%

Function 03516378, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0abba2d13abb507c8891beb95f8d1a9c2abee4de8723a15aadf13606a25c9458
Instruction ID: 3cdcb179350eb480d486f93584d9e6ad4589e6544ae7daa7d8de3b60a5ec7493
Opcode Fuzzy Hash: 0abba2d13abb507c8891beb95f8d1a9c2abee4de8723a15aadf13606a25c9458
Instruction Fuzzy Hash: 273181353001099FEB15DF64E894AAE7BA6FF88311F048029FD069B364CB79DD21DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0351D288, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33ff9ca656e47f44cc759ad01a816a56c8b9b772cd19e68f0b956abfcdaee8b
Instruction ID: 303250faca92a7cdce22445e59f93cc2482b34b40ebb4038261c36bd0c0fabf1
Opcode Fuzzy Hash: c33ff9ca656e47f44cc759ad01a816a56c8b9b772cd19e68f0b956abfcdaee8b
Instruction Fuzzy Hash: C5314E3520010AAFDF16DF64E8949BEBBB6FB88301F048429FD159B260CB35D971DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0351A021, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d3727371e9c5d631e59072c4c85a27d70325f77719fc818b4547043a97dcbb
Instruction ID: de36e963a59f7cbc47fae74acd0b504b9ac2952431da778ba7f6e48b4ffeb140
Opcode Fuzzy Hash: a1d3727371e9c5d631e59072c4c85a27d70325f77719fc818b4547043a97dcbb
Instruction Fuzzy Hash: B1212B393052548FEB16D735B89497E37AABFC461872C407AD902CF7B4EB29CC119341

Uniqueness

Uniqueness Score: -1.00%

Function 0351A030, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4c9cc9dee2294b64ed0e0e89cdf1a42509274abcfc8c6fe01597a7a9624c37
Instruction ID: 4dad3b17b4039b848be5575434f4d82cd1a6e696d804e0f7b94418a85e9fdae8
Opcode Fuzzy Hash: fa4c9cc9dee2294b64ed0e0e89cdf1a42509274abcfc8c6fe01597a7a9624c37
Instruction Fuzzy Hash: 6C21D7383051544BFB169A39B89467E729BFFC4618F28807AD902CF7A4EF7ACC519781

Uniqueness

Uniqueness Score: -1.00%

Function 035157D8, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac73ae500ca80e28696df18848255e7a24e9ac15bd08f24173869a5900328374
Instruction ID: bea234ee3f88b5f44725cdf5254f965c7df416c613973e018143f41ed29b606b
Opcode Fuzzy Hash: ac73ae500ca80e28696df18848255e7a24e9ac15bd08f24173869a5900328374
Instruction Fuzzy Hash: 0E218034A0010CAFEB14EBB8E854BEEB7B6FFC9310F144939D502A7294EB708855CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03519360, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a360e53af565db2aa6632b1dd26fc61f4a18994ea1a2e59c22290b37e3433783
Instruction ID: 28b30cb94312b7d86327820034efdb480d85327c00cb8680b4f47e49093df3ac
Opcode Fuzzy Hash: a360e53af565db2aa6632b1dd26fc61f4a18994ea1a2e59c22290b37e3433783
Instruction Fuzzy Hash: C121923AA002059FDB14DF58DC94ADEBBB5FF4C320F184069E911AB3A5DB71AC10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0351F2D0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b277d44a0cd79518b95555f67d6d818bcb3a861cbb4ff81ea2ba04c667a582
Instruction ID: 54b727bcaacb1c6a2b6383a8de4bb46ec2fb14ff869992a32d87fcb7f5aa9bb9
Opcode Fuzzy Hash: b3b277d44a0cd79518b95555f67d6d818bcb3a861cbb4ff81ea2ba04c667a582
Instruction Fuzzy Hash: 7D21C439B026209FDB466BA4F5080AC3BB2FB4922331490A4E8179736DCBB85C618F95

Uniqueness

Uniqueness Score: -1.00%

Function 0351F2E9, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e932213fb0c7cfc2d76f2f31ebb8ad20dd2b5fe046906cca8c232040eaed57
Instruction ID: 702111d36cc414088cbac4daf777b7acbbb65ef696dc9661a03e6e3358a9a739
Opcode Fuzzy Hash: c8e932213fb0c7cfc2d76f2f31ebb8ad20dd2b5fe046906cca8c232040eaed57
Instruction Fuzzy Hash: E221A439B026209FDB466BA4F5080AC3BB2FB4922371590A4E8179736DCBB85D618E95

Uniqueness

Uniqueness Score: -1.00%

Function 03518102, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0d064d513c989cae8be7e85339a75c742a2102ed6d5b50883adbe6460d0426
Instruction ID: 2b2d518f0013021781fff3377799e4db021274ef1f3f6003003a75c6f06f2154
Opcode Fuzzy Hash: 9d0d064d513c989cae8be7e85339a75c742a2102ed6d5b50883adbe6460d0426
Instruction Fuzzy Hash: 51219D31900208DFDB24CF54D844FAEB7F6FB48310F08C16AE9198B620D374A954CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03519370, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e279455d4000f084dce2b12a1e3d204c4a14f7482f2e56df0410a9b3c4bd3c
Instruction ID: 781a8a83c215a8c41ecc2715a56956328a8999b511954c63877103670769da4f
Opcode Fuzzy Hash: a8e279455d4000f084dce2b12a1e3d204c4a14f7482f2e56df0410a9b3c4bd3c
Instruction Fuzzy Hash: C8113D35B002049FDB14DF55D954ADEBBFAFB8C710F144469E916A7394DB71AC10CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0351F7C0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c50130a5a6032975b908c9a98367facb5b7a6cdc9a98f2c86d6673e29039990
Instruction ID: bac4cd9c79957bfb4913788b480e1acfe8c0bc76b8f468d482c602a6532d7e53
Opcode Fuzzy Hash: 4c50130a5a6032975b908c9a98367facb5b7a6cdc9a98f2c86d6673e29039990
Instruction Fuzzy Hash: 4A11BC35901204AFCF04EBA4E8189DDBB72FF8A320F258615E40667271DB7499A9CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0351D392, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5d989172251ae307cc03769e5a54770a8115adfe606419ada6398381912a0e
Instruction ID: fdbe5779cdcccc2aa34d2101073ae844af2f0bdd507d4dae85b894a9423189d2
Opcode Fuzzy Hash: 0d5d989172251ae307cc03769e5a54770a8115adfe606419ada6398381912a0e
Instruction Fuzzy Hash: DD01A7326041096FDB11CE65DC51AEF7FB6FBC9350F188065F904C7260CB319921EB94

Uniqueness

Uniqueness Score: -1.00%

Function 0351D3A0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a35a23dae8f1f54828b566a70de9ca9eb777f44bdaae64133219b422af3981
Instruction ID: f1086a544c3560149a42c9784300f4579227e3b21156763c7767460ecfd91f1f
Opcode Fuzzy Hash: 64a35a23dae8f1f54828b566a70de9ca9eb777f44bdaae64133219b422af3981
Instruction Fuzzy Hash: 0401D6327001196BEB15DE65A810AAF7BEBFBC8650F14802AF504DB290CF719D2197D4

Uniqueness

Uniqueness Score: -1.00%

Function 0351F7D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.600328213.0000000003510000.00000040.00000001.sdmp, Offset: 03510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3f70c8b9dcb5fb67b3bd9e3effcdc7a49cc4f903386033cbb628fad5ff2e4f
Instruction ID: cda9adda5aea7d120ac33b9791e24fb1d7b7f3e7b0c700a283c577a4030aa6cf
Opcode Fuzzy Hash: af3f70c8b9dcb5fb67b3bd9e3effcdc7a49cc4f903386033cbb628fad5ff2e4f
Instruction Fuzzy Hash: B0118B35D00308AFCF04DBA4E8089DDBBB1FF89321F108659E5166B2A0DB7599A9CB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report POinv00393.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: HawkEye

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre