Play interactive tour

Edit tour

Analysis Report malware.exe

Overview

General Information

Sample Name:	malware.exe
Analysis ID:	358219
MD5:	2ee5a68ee37af14c612fc4c8a589858a
SHA1:	c27220c28c611908f7cf4e727619aef99decb00b
SHA256:	7e2a3464cd57a807ba4fa1bc0cc9b61fd7ace25fae45a7227bc2184587c9945b
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

Binary contains a suspicious time stamp

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Injects a PE file into a foreign processes

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

malware.exe (PID: 6380 cmdline: 'C:\Users\user\Desktop\malware.exe' MD5: 2EE5A68EE37AF14C612FC4C8A589858A)

malware.exe (PID: 6536 cmdline: C:\Users\user\Desktop\malware.exe MD5: 2EE5A68EE37AF14C612FC4C8A589858A)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "info@nijos.esJose170458@smtp.ionos.es"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.201927296.00000000040B5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: malware.exe PID: 6380	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: malware.exe PID: 6380	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: malware.exe PID: 6536	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: malware.exe PID: 6536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.malware.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.malware.exe.4374cd0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.malware.exe.4374cd0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.malware.exe.421ba00.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.malware.exe.4277620.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: malware.exe

Avira: detected

Found malware configuration

Show sources

Source: 0.2.malware.exe.4374cd0.3.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "info@nijos.esJose170458@smtp.ionos.es"}

Multi AV Scanner detection for submitted file

Show sources

Source: malware.exe	Virustotal: Detection: 45%	Perma Link
Source: malware.exe	Metadefender: Detection: 24%	Perma Link
Source: malware.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Show sources

Source: malware.exe

Joe Sandbox ML: detected

Source: 0.2.malware.exe.930000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.2.malware.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: malware.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\malware.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: malware.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:

Binary string: mscorrc.pdb source: malware.exe, 00000000.00000002.203861566.00000000058D0000.00000002.00000001.sdmp, malware.exe, 00000003.00000002.461809030.00000000017D0000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\malware.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_02C8CDD8
Source: C:\Users\user\Desktop\malware.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_02C8CDE8

Networking:

Source: global traffic

TCP traffic: 192.168.2.3:49737 -> 213.165.67.118:587

Source: Joe Sandbox View

IP Address: 213.165.67.118 213.165.67.118

Source: Joe Sandbox View

ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: global traffic

TCP traffic: 192.168.2.3:49737 -> 213.165.67.118:587

Source: C:\Users\user\Desktop\malware.exe

Code function: 3_2_0174A09A recv,

3_2_0174A09A

Source: unknown

DNS traffic detected: queries for: smtp.ionos.es

Source: malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	String found in binary or memory: http://eYrjmd.com
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: http://status.geotrust.com0=
Source: malware.exe, 00000003.00000002.465505838.0000000003A2D000.00000004.00000001.sdmp	String found in binary or memory: https://QDDeRKxxql47yvGyut1.co
Source: malware.exe, 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp	String found in binary or memory: https://QDDeRKxxql47yvGyut1.com
Source: malware.exe, 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp	String found in binary or memory: https://QDDeRKxxql47yvGyut1.com4
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: malware.exe, 00000003.00000002.464733320.00000000035AF000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: malware.exe, 00000000.00000002.201927296.00000000040B5000.00000004.00000001.sdmp, malware.exe, 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: malware.exe, 00000000.00000002.200312637.000000000101A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 3.2.malware.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3E7DD5E5u002d64B9u002d4B13u002dBB39u002d9D06C86D75B5u007d/C3653794u002dA817u002d4DEAu002d8ADFu002d8F127CE93D1E.cs

Large array initialization: .cctor: array initializer size 11921

PE file contains section with special chars

Show sources

Source: malware.exe

Static PE information: section name: 7wjw!

PE file has nameless sections

Show sources

Source: malware.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0174B0BA NtQuerySystemInformation,		3_2_0174B0BA
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0174B089 NtQuerySystemInformation,		3_2_0174B089

Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0093E489	0_2_0093E489
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0093C8B2	0_2_0093C8B2
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009405C2	0_2_009405C2
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00939F78	0_2_00939F78
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C8AEF0	0_2_02C8AEF0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C80B50	0_2_02C80B50
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C800A8	0_2_02C800A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C829D8	0_2_02C829D8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C83D30	0_2_02C83D30
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C8AEE0	0_2_02C8AEE0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C853E0	0_2_02C853E0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C853F0	0_2_02C853F0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C80B3F	0_2_02C80B3F
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C80099	0_2_02C80099
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C829C8	0_2_02C829C8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C851A8	0_2_02C851A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C851A3	0_2_02C851A3
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C83D20	0_2_02C83D20
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009338AA	0_2_009338AA
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0093A98D	0_2_0093A98D
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F005C2	3_2_00F005C2
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_057397DC	3_2_057397DC
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0573AF98	3_2_0573AF98
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0573DE28	3_2_0573DE28
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05738488	3_2_05738488
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC98E0	3_2_05EC98E0
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC73C8	3_2_05EC73C8
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC26A8	3_2_05EC26A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC0070	3_2_05EC0070
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC8658	3_2_05EC8658
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC6818	3_2_05EC6818
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_05EC25F8	3_2_05EC25F8

Source: malware.exe	Binary or memory string: OriginalFilename vs malware.exe
Source: malware.exe, 00000000.00000002.205160417.000000000DE40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs malware.exe
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamexUHzFnbHwIrwSOMYICulYEVtzBE.exe4 vs malware.exe
Source: malware.exe, 00000000.00000002.203861566.00000000058D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs malware.exe
Source: malware.exe, 00000000.00000002.204525683.0000000009B10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs malware.exe
Source: malware.exe, 00000000.00000002.200312637.000000000101A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs malware.exe
Source: malware.exe	Binary or memory string: OriginalFilename vs malware.exe
Source: malware.exe, 00000003.00000002.461809030.00000000017D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs malware.exe
Source: malware.exe, 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamexUHzFnbHwIrwSOMYICulYEVtzBE.exe4 vs malware.exe
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs malware.exe
Source: malware.exe, 00000003.00000002.461900198.0000000001880000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs malware.exe
Source: malware.exe	Binary or memory string: OriginalFilenameNonVersionableAttribute.exeF vs malware.exe

Source: C:\Users\user\Desktop\malware.exe

Section loaded: security.dll

Jump to behavior

Source: malware.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: malware.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: malware.exe

Static PE information: Section: 7wjw! ZLIB complexity 1.00046164773

Source: 3.2.malware.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.malware.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2

Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0174AF3E AdjustTokenPrivileges,		3_2_0174AF3E
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_0174AF07 AdjustTokenPrivileges,		3_2_0174AF07

Source: C:\Users\user\Desktop\malware.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\malware.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\malware.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\malware.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\malware.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: malware.exe	Virustotal: Detection: 45%
Source: malware.exe	Metadefender: Detection: 24%
Source: malware.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\malware.exe 'C:\Users\user\Desktop\malware.exe'
Source: unknown	Process created: C:\Users\user\Desktop\malware.exe C:\Users\user\Desktop\malware.exe
Source: C:\Users\user\Desktop\malware.exe	Process created: C:\Users\user\Desktop\malware.exe C:\Users\user\Desktop\malware.exe	Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: malware.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\malware.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: malware.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: malware.exe, 00000000.00000002.203861566.00000000058D0000.00000002.00000001.sdmp, malware.exe, 00000003.00000002.461809030.00000000017D0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\malware.exe

Unpacked PE file: 0.2.malware.exe.930000.0.unpack 7wjw!:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xDA072381 [Thu Nov 29 19:35:29 2085 UTC]

Source: malware.exe	Static PE information: section name: 7wjw!
Source: malware.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944292 push cs; ret	0_2_0094429C
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0094429E push cs; ret	0_2_009442A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009442BC push cs; ret	0_2_009442F0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009442AA push cs; ret	0_2_009442BA
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009442F2 push cs; ret	0_2_00944308
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944B9E push ds; ret	0_2_00944BA2
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00943D9A push es; ret	0_2_00943DBC
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944BBC push ds; ret	0_2_00944BC0
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009441A2 push cs; ret	0_2_00944260
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009441A2 push cs; ret	0_2_0094426C
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944BAA push ds; ret	0_2_00944BBA
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_009447C0 push ss; ret	0_2_009447D6
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944B02 push ds; ret	0_2_00944BBA
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0094472A push ss; ret	0_2_0094472E
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_0094477E push ss; ret	0_2_009447BE
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_00944760 push ss; ret	0_2_00944770
Source: C:\Users\user\Desktop\malware.exe	Code function: 0_2_02C890C8 pushad ; retf	0_2_02C890C9
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F042F2 push cs; ret	3_2_00F04308
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F042BC push cs; ret	3_2_00F042F0
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F042AA push cs; ret	3_2_00F042BA
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04292 push cs; ret	3_2_00F0429C
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F0429E push cs; ret	3_2_00F042A8
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F047C0 push ss; ret	3_2_00F047D6
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04BBC push ds; ret	3_2_00F04BC0
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F041A2 push cs; ret	3_2_00F04260
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F041A2 push cs; ret	3_2_00F0426C
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04BAA push ds; ret	3_2_00F04BBA
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F03D9A push es; ret	3_2_00F03DBC
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04B9E push ds; ret	3_2_00F04BA2
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F0477E push ss; ret	3_2_00F047BE
Source: C:\Users\user\Desktop\malware.exe	Code function: 3_2_00F04760 push ss; ret	3_2_00F04770

Source: initial sample	Static PE information: section name: 7wjw! entropy: 7.99674140744
Source: initial sample	Static PE information: section name: .text entropy: 7.85224276661

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\malware.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6380, type: MEMORY

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Users\user\Desktop\malware.exe

Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,processQueried,processQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\malware.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\malware.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\malware.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Window / User API: threadDelayed 672

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe TID: 6384	Thread sleep time: -103256s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep count: 672 > 30	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep time: -20160000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe TID: 6764	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\malware.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\malware.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\malware.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\malware.exe	Last function: Thread delayed

Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: malware.exe, 00000000.00000002.205104429.000000000DDE0000.00000004.00000001.sdmp	Binary or memory string: AQEMuK
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: malware.exe, 00000003.00000002.461473019.00000000015C9000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: malware.exe, 00000003.00000002.466127885.0000000005A10000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\malware.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\malware.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Code function: 3_2_057330C8 LdrInitializeThunk,

3_2_057330C8

Source: C:\Users\user\Desktop\malware.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\malware.exe

Memory written: C:\Users\user\Desktop\malware.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Process created: C:\Users\user\Desktop\malware.exe C:\Users\user\Desktop\malware.exe

Jump to behavior

Source: malware.exe, 00000003.00000002.461920865.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: malware.exe, 00000003.00000002.461920865.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: malware.exe, 00000003.00000002.461920865.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: malware.exe, 00000003.00000002.461920865.0000000001C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\malware.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\malware.exe

Code function: 3_2_0174BB16 GetUserNameW,

3_2_0174BB16

Source: C:\Users\user\Desktop\malware.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.201927296.00000000040B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6380, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6536, type: MEMORY
Source: Yara match	File source: 3.2.malware.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4374cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4374cd0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.421ba00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4277620.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\malware.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\malware.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6536, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.201927296.00000000040B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6380, type: MEMORY
Source: Yara match	File source: Process Memory Space: malware.exe PID: 6536, type: MEMORY
Source: Yara match	File source: 3.2.malware.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4374cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4374cd0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.421ba00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.malware.exe.4277620.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	Input Capture1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	Obfuscated Files or Information3	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing14	NTDS	Security Software Discovery221	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion14	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection112	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
malware.exe	45%	Virustotal		Browse
malware.exe	30%	Metadefender		Browse
malware.exe	69%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
malware.exe	100%	Avira	HEUR/AGEN.1138558
malware.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.malware.exe.930000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
3.2.malware.exe.ef0000.1.unpack	100%	Avira	HEUR/AGEN.1138558	Download File
3.2.malware.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
0.0.malware.exe.930000.0.unpack	100%	Avira	HEUR/AGEN.1138558	Download File
3.0.malware.exe.ef0000.0.unpack	100%	Avira	HEUR/AGEN.1138558	Download File

Domains

Source	Detection	Scanner	Label	Link
smtp.ionos.es	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://QDDeRKxxql47yvGyut1.com4	0%	Avira URL Cloud	safe
https://QDDeRKxxql47yvGyut1.com	0%	Avira URL Cloud	safe
http://eYrjmd.com	0%	Avira URL Cloud	safe
https://QDDeRKxxql47yvGyut1.co	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.ionos.es	213.165.67.118	true	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://QDDeRKxxql47yvGyut1.com4	malware.exe, 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://QDDeRKxxql47yvGyut1.com	malware.exe, 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://eYrjmd.com	malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://QDDeRKxxql47yvGyut1.co	malware.exe, 00000003.00000002.465505838.0000000003A2D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	malware.exe, 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	malware.exe, 00000000.00000002.201927296.00000000040B5000.00000004.00000001.sdmp, malware.exe, 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	malware.exe, 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.165.67.118	unknown	Germany		8560	ONEANDONE-ASBrauerstrasse48DE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358219
Start date:	25.02.2021
Start time:	08:57:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	malware.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 228 Number of non-executed functions: 10
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 92.122.145.220, 131.253.33.200, 13.107.22.200, 104.43.193.48, 13.64.90.137, 52.255.188.83, 51.11.168.160, 184.30.20.56, 92.122.213.247, 92.122.213.194, 20.54.26.129, 51.104.139.180 Excluded domains from analysis (whitelisted): www.bing.com, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:58:01	API Interceptor	980x Sleep call for process: malware.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
213.165.67.118	JUSTF11.exe	Get hash	malicious	Browse
	FAC20.exe	Get hash	malicious	Browse
	TRANFl.exe	Get hash	malicious	Browse
	JUSTF2.tar	Get hash	malicious	Browse
	Oroder no 3.exe	Get hash	malicious	Browse
	ORDER0984653.exe	Get hash	malicious	Browse
	34433453-WONDN5-FTBO-9766464.exe	Get hash	malicious	Browse
	Catalogs.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.ionos.es	JUSTF11.exe	Get hash	malicious	Browse	213.165.67.118
	FAC20.exe	Get hash	malicious	Browse	213.165.67.118
	TRANFl.exe	Get hash	malicious	Browse	213.165.67.118
	JUSTF2.tar	Get hash	malicious	Browse	213.165.67.118
	JUST1F1CA.exe	Get hash	malicious	Browse	213.165.67.102
	orders.exe	Get hash	malicious	Browse	213.165.67.102
	Oroder no 3.exe	Get hash	malicious	Browse	213.165.67.102
	ORDER0984653.exe	Get hash	malicious	Browse	213.165.67.118
	ORDER8162020.exe	Get hash	malicious	Browse	213.165.67.102
	4642WOT-T7864-66OBO.exe	Get hash	malicious	Browse	213.165.67.102
	34433453-WONDN5-FTBO-9766464.exe	Get hash	malicious	Browse	213.165.67.118
	Catalogs.exe	Get hash	malicious	Browse	213.165.67.118
	86597599579.exe	Get hash	malicious	Browse	213.165.67.102
	troystealer.exe	Get hash	malicious	Browse	213.165.67.102

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ONEANDONE-ASBrauerstrasse48DE	Betalingsadvies Opmerking.exe	Get hash	malicious	Browse	212.227.15.142
	42#U0438.exe	Get hash	malicious	Browse	212.227.15.142
	WYX-09901.exe	Get hash	malicious	Browse	212.227.15.142
	530000.exe	Get hash	malicious	Browse	82.165.103.72
	raLXirFBY1.exe	Get hash	malicious	Browse	66.175.232.221
	Tyre Order 24th February.xlsx	Get hash	malicious	Browse	217.160.0.201
	HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe	Get hash	malicious	Browse	212.227.17.174
	HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe	Get hash	malicious	Browse	212.227.17.184
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	74.208.173.91
	ohLCullPse.exe	Get hash	malicious	Browse	66.175.232.221
	e-profile.exe	Get hash	malicious	Browse	74.208.88.51
	SecuriteInfo.com.Trojan.Packed2.42850.9624.exe	Get hash	malicious	Browse	198.251.65.112
	JUSTF11.exe	Get hash	malicious	Browse	213.165.67.118
	Nota de aviso de pago.exe	Get hash	malicious	Browse	212.227.15.142
	Drawings.xlsm	Get hash	malicious	Browse	74.208.236.5
	SWIFT COMMERCIAL DUTY 0818J.exe	Get hash	malicious	Browse	74.208.5.2
	Proforma invoice.xlsx	Get hash	malicious	Browse	198.71.50.125
	Purchase Order.exe	Get hash	malicious	Browse	198.71.50.125
	Proforma invoice.exe	Get hash	malicious	Browse	198.71.50.125
	5i8sLcQqHI.dll	Get hash	malicious	Browse	217.160.107.189

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\malware.exe.log Download File
Process:	C:\Users\user\Desktop\malware.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	782
Entropy (8bit):	5.273573871875595
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3AN0U22v:MLF20NaL3z2p29hJ5g522rW2xAi3AP2I
MD5:	F15C9C88F7D7A8FD8C28FD33A19EEDC1
SHA1:	F703E7360D4958CE7BC5362E8AAC8EA150DACE7C
SHA-256:	C32A5354F545CCE575E77A171272F0A9CBD6CD4501AAB657C893A663D3F0E00E
SHA-512:	B3DE9EE4E585FF1C48AE3DFC19A60039D461FCB551F2BF4E22C59A634270E95EFEC240FB1C420DB6F189354B1AAA90D4DC3F85FFD690D70CC4E5CD595FE10E94
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\27ab8d047396db374abb803b446b76f0\System.Data.ni.dll",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.856223289308941
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	malware.exe
File size:	543232
MD5:	2ee5a68ee37af14c612fc4c8a589858a
SHA1:	c27220c28c611908f7cf4e727619aef99decb00b
SHA256:	7e2a3464cd57a807ba4fa1bc0cc9b61fd7ace25fae45a7227bc2184587c9945b
SHA512:	e58676f9df7185bea043d07910fae75bf9ec82a80e2f6f09227c621ed46b3676bb5535c64368ec81ed229f9b7e37f448e8847a24d2b0be8ef88724849a968082
SSDEEP:	12288:RFq90ghy2fQTVHv0jAJEnz4VUIZLO98cx:RSy2foHv0jCEYbjcx
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#................P..`................... ....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x48a00a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xDA072381 [Thu Nov 29 19:35:29 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0048A000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x103c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x86000	0x640	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8a000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x10000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
7wjw!	0x2000	0xdb84	0xdc00	False	1.00046164773	data	7.99674140744	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text	0x10000	0x75d30	0x75e00	False	0.888632522534	data	7.85224276661	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x86000	0x640	0x800	False	0.33984375	data	3.51419264617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x8a000	0x10	0x200	False	0.044921875	data	0.122275881259	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x860a0	0x3b0	data
RT_MANIFEST	0x86450	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Hotplates 2020-2021
Assembly Version	2.0.9.0
InternalName	NonVersionableAttribute.exe
FileVersion	2.0.9.0
CompanyName	Hotplates
LegalTrademarks
Comments	MLT
ProductName	Medical Laboratory
ProductVersion	2.0.9.0
FileDescription	Medical Laboratory
OriginalFilename	NonVersionableAttribute.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 08:59:30.885272026 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:30.930377960 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:30.930645943 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:30.980669022 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:30.981647015 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:31.026617050 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:31.026638985 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:31.026930094 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:31.072876930 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:31.117345095 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:31.168613911 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:31.168642998 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:31.168652058 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:31.168895960 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:31.179493904 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:31.224597931 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:31.264990091 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:31.291666985 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:31.336853981 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:31.336878061 CET	587	49737	213.165.67.118	192.168.2.3
Feb 25, 2021 08:59:31.336990118 CET	49737	587	192.168.2.3	213.165.67.118
Feb 25, 2021 08:59:31.337100983 CET	49737	587	192.168.2.3	213.165.67.118

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 08:57:54.432770967 CET	50200	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:57:54.482414007 CET	53	50200	8.8.8.8	192.168.2.3
Feb 25, 2021 08:57:54.956418991 CET	51281	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:57:55.024233103 CET	53	51281	8.8.8.8	192.168.2.3
Feb 25, 2021 08:57:55.177892923 CET	49199	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:57:55.226635933 CET	53	49199	8.8.8.8	192.168.2.3
Feb 25, 2021 08:57:55.392517090 CET	50620	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:57:55.444052935 CET	53	50620	8.8.8.8	192.168.2.3
Feb 25, 2021 08:57:57.056886911 CET	64938	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:57:57.105473042 CET	53	64938	8.8.8.8	192.168.2.3
Feb 25, 2021 08:57:58.407277107 CET	60152	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:57:58.467240095 CET	53	60152	8.8.8.8	192.168.2.3
Feb 25, 2021 08:57:59.686897993 CET	57544	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:57:59.735665083 CET	53	57544	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:02.530145884 CET	55984	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:02.579716921 CET	53	55984	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:03.326384068 CET	64185	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:03.376665115 CET	53	64185	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:24.511018038 CET	65110	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:25.509896994 CET	65110	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:25.562223911 CET	53	65110	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:26.551956892 CET	58361	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:26.602132082 CET	53	58361	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:29.230931997 CET	63492	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:29.288131952 CET	53	63492	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:29.408329010 CET	60831	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:29.461874008 CET	53	60831	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:30.104022026 CET	60100	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:30.155157089 CET	53	60100	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:31.018234015 CET	53195	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:31.067037106 CET	53	53195	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:31.747823000 CET	50141	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:31.809592009 CET	53	50141	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:31.922199965 CET	53023	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:31.971175909 CET	53	53023	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:33.155597925 CET	49563	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:33.204462051 CET	53	49563	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:35.681423903 CET	51352	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:35.734956980 CET	53	51352	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:36.691859961 CET	59349	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:36.743544102 CET	53	59349	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:37.720766068 CET	57084	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:37.769865036 CET	53	57084	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:39.077197075 CET	58823	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:39.125957966 CET	53	58823	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:39.949260950 CET	57568	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:39.998086929 CET	53	57568	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:43.294401884 CET	50540	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:43.363955975 CET	53	50540	8.8.8.8	192.168.2.3
Feb 25, 2021 08:58:51.368130922 CET	54366	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:58:51.438606024 CET	53	54366	8.8.8.8	192.168.2.3
Feb 25, 2021 08:59:05.859128952 CET	53034	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:59:05.908250093 CET	53	53034	8.8.8.8	192.168.2.3
Feb 25, 2021 08:59:08.623389959 CET	57762	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:59:08.681668043 CET	53	57762	8.8.8.8	192.168.2.3
Feb 25, 2021 08:59:30.794899940 CET	55435	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:59:30.857991934 CET	53	55435	8.8.8.8	192.168.2.3
Feb 25, 2021 08:59:41.252029896 CET	50713	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:59:41.305337906 CET	53	50713	8.8.8.8	192.168.2.3
Feb 25, 2021 08:59:42.680293083 CET	56132	53	192.168.2.3	8.8.8.8
Feb 25, 2021 08:59:42.754112959 CET	53	56132	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 08:59:30.794899940 CET	192.168.2.3	8.8.8.8	0x4cc6	Standard query (0)	smtp.ionos.es	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 25, 2021 08:59:30.857991934 CET	8.8.8.8	192.168.2.3	0x4cc6	No error (0)	smtp.ionos.es		213.165.67.118	A (IP address)	IN (0x0001)
Feb 25, 2021 08:59:30.857991934 CET	8.8.8.8	192.168.2.3	0x4cc6	No error (0)	smtp.ionos.es		213.165.67.102	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 25, 2021 08:59:30.980669022 CET	587	49737	213.165.67.118	192.168.2.3	220 kundenserver.de (mreue107) Nemesis ESMTP Service ready
Feb 25, 2021 08:59:30.981647015 CET	49737	587	192.168.2.3	213.165.67.118	EHLO 506407
Feb 25, 2021 08:59:31.026638985 CET	587	49737	213.165.67.118	192.168.2.3	250-kundenserver.de Hello 506407 [84.17.52.78] 250-8BITMIME 250-AUTH LOGIN PLAIN 250-SIZE 140000000 250 STARTTLS
Feb 25, 2021 08:59:31.026930094 CET	49737	587	192.168.2.3	213.165.67.118	STARTTLS
Feb 25, 2021 08:59:31.072876930 CET	587	49737	213.165.67.118	192.168.2.3	220 OK

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: malware.exe PID: 6380 Parent PID: 5844

General

Start time:	08:57:59
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\malware.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\malware.exe'
Imagebase:	0x930000
File size:	543232 bytes
MD5 hash:	2EE5A68EE37AF14C612FC4C8A589858A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.201606646.000000000335E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.201927296.00000000040B5000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: malware.exe PID: 6536 Parent PID: 6380

General

Start time:	08:58:01
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\malware.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\malware.exe
Imagebase:	0xef0000
File size:	543232 bytes
MD5 hash:	2EE5A68EE37AF14C612FC4C8A589858A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.459799944.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.465412261.00000000039D8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.464476473.0000000003531000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: malware.exe PID: 6380 Parent PID: 5844 malware.exeCOMMON

Executed Functions

Function 02C829D8, Relevance: 11.7, Strings: 9, Instructions: 450COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02C8304F
X1kr, xrefs: 02C82C13
X1kr, xrefs: 02C83041
X1kr, xrefs: 02C83014
X1kr, xrefs: 02C82D8C
X1kr, xrefs: 02C82E99
X1kr, xrefs: 02C82BD5
X1kr, xrefs: 02C82E5B
X1kr, xrefs: 02C82B20

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr
API String ID: 0-1978307115
Opcode ID: f763ba32a01402c83e190eaef18e2bb588b17a26c97ddf02e9f3a80d4b43eaad
Instruction ID: 966747e8087942ae716bfb9f3b00c99e5e41ee5ea3e875cc06ffbaefb5e658cf
Opcode Fuzzy Hash: f763ba32a01402c83e190eaef18e2bb588b17a26c97ddf02e9f3a80d4b43eaad
Instruction Fuzzy Hash: BD22C474E002589FEB64DFA9C940B9DBBF2AF88304F14C0AAD509AB255DB709E81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C80B50, Relevance: 10.9, Strings: 8, Instructions: 942COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 02C81090
<, xrefs: 02C80D5D
ll.dl, xrefs: 02C81522, 02C80E18, 02C80E1B, 02C81525
uentin, xrefs: 02C80EEE, 02C80F33, 02C80DB7, 02C80EF1, 02C80F36
ntin, xrefs: 02C81549
(, xrefs: 02C81190
f]Ir, xrefs: 02C81052
f]Ir, xrefs: 02C81071

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: ($<$f]Ir$f]Ir$f]Ir$ll.dl$ntin$uentin
API String ID: 0-262861285
Opcode ID: a9f633c2bb4514ebb406fc0dea62ce4adb4c71484038cd1108f40d5277151893
Instruction ID: 472d16193db7bdb265c32d15de71608b60d5c92c0f42d38aa829fe9148e82bca
Opcode Fuzzy Hash: a9f633c2bb4514ebb406fc0dea62ce4adb4c71484038cd1108f40d5277151893
Instruction Fuzzy Hash: BDA2C1B4E002588FDB14DFA9C980B9DFBF2BF89308F15D199D548AB255D770AA82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C829C8, Relevance: 7.9, Strings: 6, Instructions: 395COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02C82C13
X1kr, xrefs: 02C82D8C
X1kr, xrefs: 02C82E99
X1kr, xrefs: 02C82BD5
X1kr, xrefs: 02C82B20
X1kr, xrefs: 02C82E5B

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr$X1kr$X1kr
API String ID: 0-2835098271
Opcode ID: 0f610a045fa734fef6be09e6805cf7d2fab228ae0153d0ed943a9d7910401fb6
Instruction ID: 1e6c5158fb7756531a6d5168c05b5e96e285305fe15429b3919124f3e772117c
Opcode Fuzzy Hash: 0f610a045fa734fef6be09e6805cf7d2fab228ae0153d0ed943a9d7910401fb6
Instruction Fuzzy Hash: 1902C574E00258DFEB64DFA9C840B9DBBF2AF88304F14C0AAE509AB255DB755E81DF11

Uniqueness

Uniqueness Score: -1.00%

Function 02C800A8, Relevance: 6.9, Strings: 5, Instructions: 682COMMON

Download Yara Rule

Strings

<, xrefs: 02C801B1
f]Ir, xrefs: 02C80492
f]Ir, xrefs: 02C80471
@, xrefs: 02C80A39
, xrefs: 02C80459

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: $<$@$f]Ir$f]Ir
API String ID: 0-976174673
Opcode ID: 7fbe82e9cafe1654a43ca5d010dbd87b555c4f89111b47553555166dd5432510
Instruction ID: 2acff5ff6f080dcd4938e90466986055821e839fd4795c777c454c2c5d26aa92
Opcode Fuzzy Hash: 7fbe82e9cafe1654a43ca5d010dbd87b555c4f89111b47553555166dd5432510
Instruction Fuzzy Hash: 4672A0B4901259CFDB64DF69C980A9DFBF1BF89318F15D1AAD408AB211D730EA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C80099, Relevance: 5.5, Strings: 4, Instructions: 451COMMON

Download Yara Rule

Strings

<, xrefs: 02C801B1
f]Ir, xrefs: 02C80492
f]Ir, xrefs: 02C80471
@, xrefs: 02C80A39

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: <$@$f]Ir$f]Ir
API String ID: 0-3196433001
Opcode ID: bbdaa1c1542014883cbada2c8831236d3a20ef0c102252225c6942f5e10a0b8b
Instruction ID: 347269fd4ef9e2f3e6bdd08d27fc0bb02b27e03e3b507dc3efe26b08155d1e96
Opcode Fuzzy Hash: bbdaa1c1542014883cbada2c8831236d3a20ef0c102252225c6942f5e10a0b8b
Instruction Fuzzy Hash: C422C1B09012598FEB68DF65C944A9DFBF1BF89319F15C1EAD408AB221D730DA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C80B3F, Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

<, xrefs: 02C80D5D
ll.dl, xrefs: 02C80E18, 02C80E1B
uentin, xrefs: 02C80EEE, 02C80F33, 02C80DB7, 02C80EF1, 02C80F36
ntin, xrefs: 02C80E3C

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: <$ll.dl$ntin$uentin
API String ID: 0-831817644
Opcode ID: c03c8abd955f2b0305f5dd481f8f9de1dc32e26ec0db1a7e16ddceddf42f1056
Instruction ID: 058fdffcddd9d93d147b66563a44ce7e511cfb1445890a8ec0e886797fef8367
Opcode Fuzzy Hash: c03c8abd955f2b0305f5dd481f8f9de1dc32e26ec0db1a7e16ddceddf42f1056
Instruction Fuzzy Hash: 5FD1A3B5E00619CFDB18CFAAC845A9EFBF2BF89304F14C0AAD518AB264D7345A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C83D30, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c591b22e0e931ffeef2df9d6a04e9bd315273fb169bd949386ed357a0521f633
Instruction ID: 732bfa37dcb468f1c0883bba18ca5d5189e1caa9ce768ff07c729744bbb5b8fc
Opcode Fuzzy Hash: c591b22e0e931ffeef2df9d6a04e9bd315273fb169bd949386ed357a0521f633
Instruction Fuzzy Hash: F5B10571D0025CCFDB24EFA6C8447EEBBB2AF89718F14D0A9D409A7290DB745986CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C83D20, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ef0026a5cd4ba8b43a195b9a996e580c1b60a684d16fedbb051372af2be1eb
Instruction ID: 4573b2bc2d350b6854a45e5620623081e35b87713e38a635ee50bc7f6ae9ccce
Opcode Fuzzy Hash: e5ef0026a5cd4ba8b43a195b9a996e580c1b60a684d16fedbb051372af2be1eb
Instruction Fuzzy Hash: A7A12871D00258CFDB24EFA6C8447EEBBB2BF89718F14D0A9D409A7290DB744986CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C8AEF0, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97eda04c7d832cfed9612db439c09db15f456d45dbb5d7bee7657dc6b856e470
Instruction ID: 08959d9a55bfe9af84250a4458b423447360a142a2e1044b69967ba91dba5c19
Opcode Fuzzy Hash: 97eda04c7d832cfed9612db439c09db15f456d45dbb5d7bee7657dc6b856e470
Instruction Fuzzy Hash: 418104B0D042098FDB04EFAAC984AAEFBF2FF89318F24D11AD414AB255D7349942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C8AEE0, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8070c6bbe9fc4ab011c9d95f2e295671cdef389d28cd84e9ab90ed6e0a82a13b
Instruction ID: ddc3777fc3171676741622bd797e2bc1bcd65a5159d5a92e2f0ebf9705c946cb
Opcode Fuzzy Hash: 8070c6bbe9fc4ab011c9d95f2e295671cdef389d28cd84e9ab90ed6e0a82a13b
Instruction Fuzzy Hash: 5761F2B0D05209CFDB04DFAAD8446AEBBF2BF89318F24D16AD414AB265E7349942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C822D8, Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

`5kr, xrefs: 02C8245D
:@Dr, xrefs: 02C82404

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: bf8cef2036f56a18e134eb97874c615716579298ee40f94454ae5dca9204fa64
Instruction ID: 22b0b50c9f08166984c0073e2c5edfd7c3f739d4a51b1aa5cfaa3eca7f22e752
Opcode Fuzzy Hash: bf8cef2036f56a18e134eb97874c615716579298ee40f94454ae5dca9204fa64
Instruction Fuzzy Hash: 69910270E00258CFDB54DFA9C898BADBBB1BF89314F108069D809AB3A1DB319981DF51

Uniqueness

Uniqueness Score: -1.00%

Function 050D02E9, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 050D035D

Memory Dump Source

Source File: 00000000.00000002.203362505.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 82afb5a810338d0695548160dc0a51339bf65951ed300e4f85317d6d86ee0ed9
Instruction ID: fc4630b0bf8bf83c6daebc2d39f33eaf6c94a97992ecd7e585b5d412e483dd98
Opcode Fuzzy Hash: 82afb5a810338d0695548160dc0a51339bf65951ed300e4f85317d6d86ee0ed9
Instruction Fuzzy Hash: 81214A724093C0AFDB228B25DC54A52FFB4EF17210F0985DAED848B163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 050D0322, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 050D035D

Memory Dump Source

Source File: 00000000.00000002.203362505.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e497aadb54ab5a0abd42f7d359e94fa1de2b0061ac2fd4849d46961351dabf1e
Instruction ID: 8add3680ff4d0fb82351404c668a15d57330d6224a649dfbc0771451e732f980
Opcode Fuzzy Hash: e497aadb54ab5a0abd42f7d359e94fa1de2b0061ac2fd4849d46961351dabf1e
Instruction Fuzzy Hash: 7D017C31400700DFDB20CF15E848B2AFFE4EF04320F18C09ADE494A212D2B5A418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 02C822C9, Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02C82404

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 4206a71160e56464eab61fb1b4e091311c218adf1005d5a2fb3cc79c7fa690ba
Instruction ID: b229ad73487c0c08150eb8c0e6d79670d6b09647f201a4f6e3a4beafcedf19e3
Opcode Fuzzy Hash: 4206a71160e56464eab61fb1b4e091311c218adf1005d5a2fb3cc79c7fa690ba
Instruction Fuzzy Hash: 7B71F670E00258CFEB54DFA9C894BADBBF1BF89314F108069D819AB3A1DB719981DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C3E8, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

(, xrefs: 02C8C509

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: d6450fcc53176d1268c4c3e9c286dd072a8302f37f882122db6022eba35e6afa
Instruction ID: d1e66f1f12321d4bad7a1734f2bd09cb858049e10383142ee60be4a92a97fe5e
Opcode Fuzzy Hash: d6450fcc53176d1268c4c3e9c286dd072a8302f37f882122db6022eba35e6afa
Instruction Fuzzy Hash: 1731C174905228CFDB64DF64C958BDDBBB1BB49309F1484EAD409A7291CB359EC0CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C1BE, Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

(, xrefs: 02C8C509

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 356bc6bc23fa9aa432bacc5b782461b9ad57a094a421a4855113ea64d964eef7
Instruction ID: d230d0f32103d839b035c52018028c60b1fdeccb16f9115fae69cdb55b0a1fd0
Opcode Fuzzy Hash: 356bc6bc23fa9aa432bacc5b782461b9ad57a094a421a4855113ea64d964eef7
Instruction Fuzzy Hash: 3E3179749062288FEBA4DF28C884BDDBBB1BB49309F1091EAD44DA3241DB359EC4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C82709, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

T, xrefs: 02C82745

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: dfedafb7cb9e2b27ca196f76b0739d4e151b62ccb82a067b8c37041348dca26c
Instruction ID: 16e483d9b355b4130a3ea590a42d6b046850ceaaa15eb6d6e5e9161ba76d62f8
Opcode Fuzzy Hash: dfedafb7cb9e2b27ca196f76b0739d4e151b62ccb82a067b8c37041348dca26c
Instruction Fuzzy Hash: E52122B4A0020EDFCB05EFA4C880AEEBBB1FF89304F108568D811AB391DB755A05DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C82718, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

T, xrefs: 02C82745

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: 535dd67981ba32ccbdf935c21e312c2266babf27c23bde4c5822cf4653f021e0
Instruction ID: 6e9b307f2eda96856efa89cf06e40589b3f2eb927180899ccf8a0e72d9f1b8c6
Opcode Fuzzy Hash: 535dd67981ba32ccbdf935c21e312c2266babf27c23bde4c5822cf4653f021e0
Instruction Fuzzy Hash: 7B2112B4A0021EDBCB04EFA4C884AEEBBB1FF89304F108568D81467394DB756A05DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C84418, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afff98e0a08bc70708b1806d30bc1851f9324be51e8034a9fd228cb8ed00245b
Instruction ID: 2ab4ec5190916c575cabf3ebfdd781a74589c2f2be247985a44bf7259064a98b
Opcode Fuzzy Hash: afff98e0a08bc70708b1806d30bc1851f9324be51e8034a9fd228cb8ed00245b
Instruction Fuzzy Hash: 5A9155B0D0124ACFDB28EFAAC4846ADBBF1FF59329F609659D010BB285D7309941CF20

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BC28, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544e07eaa7d12284b741cfd681cd2e627958e56b2185086463683852000eee3e
Instruction ID: 1326c5138723a2b08c817256d89060e5d635b9052f2bb77e93d600efd8308b6f
Opcode Fuzzy Hash: 544e07eaa7d12284b741cfd681cd2e627958e56b2185086463683852000eee3e
Instruction Fuzzy Hash: 83713474D09249DFCB04EFA9C9546EDBBF2AF4A308F24D16AD819EB265E7701942CF00

Uniqueness

Uniqueness Score: -1.00%

Function 02C84D63, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce4f666f3ca09840894d3c6a2cccdc78cb21477777b4d5aab914be2f9a5e629
Instruction ID: 6ae850dda730911052704de6b5f05e3e8426cdeb298e63757fe18d82c13e7e0b
Opcode Fuzzy Hash: 1ce4f666f3ca09840894d3c6a2cccdc78cb21477777b4d5aab914be2f9a5e629
Instruction Fuzzy Hash: 87912974E10219CFDB20DF64E845BACBBB5FB44714F2085A9E909AB350DB785E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BC38, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6810a7ff9e4f0c2e40776709aa141674f5d842eefa3f26cd967c55db82ed75f
Instruction ID: aad85536df20b311e6d2221abd8b013751d099ee455e5d699bad957b5a1f19f5
Opcode Fuzzy Hash: d6810a7ff9e4f0c2e40776709aa141674f5d842eefa3f26cd967c55db82ed75f
Instruction Fuzzy Hash: 0A61CF74D05209DFCB04EFAAC6846ADBBF6AB89308F20D12AD81AE7255E7745941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C53C, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8822de78eed6501e9e6bc78567dd8d1e35d822b8a8d549f2b3ac26f9d7391e5c
Instruction ID: da9df5404c65bc9152022ce8f9bc0a3be66a2c5bcea3ec4a44b2047dd0b18552
Opcode Fuzzy Hash: 8822de78eed6501e9e6bc78567dd8d1e35d822b8a8d549f2b3ac26f9d7391e5c
Instruction Fuzzy Hash: 8781AE75D00228CFDB68DF65C884BDCBBB1AB49308F1480EAD949A7291DB755BC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C83440, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facdf58f62cff1e828627e29726bd0e88c269d05943b5e927d5a74a021d1568a
Instruction ID: 49766a4703f87fbb23438da9cf22a66389a208186c2ab85b95c9c3c6405bc410
Opcode Fuzzy Hash: facdf58f62cff1e828627e29726bd0e88c269d05943b5e927d5a74a021d1568a
Instruction Fuzzy Hash: 2861F4B4D00258CFDB44EFA9D8486AEBBF2FF89704F20A569D41AA7350DB745A41DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02C83430, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a424bcef8d50631e820d0f958d623d32d97759d329745550e5d67685f988414
Instruction ID: a620052162516d09a4442852b5cc4a11142910ec29c4525131a616a9d84eed70
Opcode Fuzzy Hash: 3a424bcef8d50631e820d0f958d623d32d97759d329745550e5d67685f988414
Instruction Fuzzy Hash: 576116B4D01258CFCB44DFA5D8486AEBBF2FF89704F209569D40AAB350DB745A41DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B6CA, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc3f264ec58c6e13a25a86b8039016c64f7505cb2f46904a68deb8e1f5db36f
Instruction ID: 473276d33362aba570306567c8bec9b61316ae70d804d866f9b4a371e0df37cc
Opcode Fuzzy Hash: ecc3f264ec58c6e13a25a86b8039016c64f7505cb2f46904a68deb8e1f5db36f
Instruction Fuzzy Hash: 1A51F274C1531CCFDB20EFA0D5887ADBBB1BB0A309F209469D009E72A4DB789A85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B228, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40001a0dea630beaf652b02f6b673ff35e2f5c1c1738d81286b4de4b5e872e2
Instruction ID: 360c4b697f6495ab688952da358f2ef9eec268f2f63293f430f20a12658f5161
Opcode Fuzzy Hash: e40001a0dea630beaf652b02f6b673ff35e2f5c1c1738d81286b4de4b5e872e2
Instruction Fuzzy Hash: 195147B0D05608DBDB00EFAAC4447AEBBB6AF4931CF24D159D418B3295DB349A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C81BB1, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897256313814162e2a54e738acbf41e9d4009f186184e473d75b00ef1865cdaa
Instruction ID: 37b3a232973d04b6916e166ad23f7a68bd39497d2b46c9c2718409ea034b0377
Opcode Fuzzy Hash: 897256313814162e2a54e738acbf41e9d4009f186184e473d75b00ef1865cdaa
Instruction Fuzzy Hash: A651D970D01248CFDB55EFB8D5947ADBBF2BF89304F24846AD006AB294DB789982CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C81BC0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91acb5374fd3a8b56b8f8372174af2326d811184ea4f846c1b8c922d3dd61399
Instruction ID: 3b8bccdcdda864b7241582bc3c44bd26085bf09578784dc7fb4f5000ba61934c
Opcode Fuzzy Hash: 91acb5374fd3a8b56b8f8372174af2326d811184ea4f846c1b8c922d3dd61399
Instruction Fuzzy Hash: BF51E970D01248CFDB55EFB8D5947ADBBF2BF88304F14846AD006AB294DB78A982CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C837B8, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f915db6c22ff0c541f4bfa416bfa896e4783bab8313f62ef34d679fdd0f62d
Instruction ID: f2c49c5d5945e2e5737e47817292e57c38204973ebd146e7365dd04429f00d45
Opcode Fuzzy Hash: e0f915db6c22ff0c541f4bfa416bfa896e4783bab8313f62ef34d679fdd0f62d
Instruction Fuzzy Hash: C451F7B0D05248DFDB04EFA9D8846AEBBF2BF89718F10E0AAD415B3251DB745945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C81FA1, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca272aa290685c3909b5f520632b6d800416dc0ec69a01d26f499ff37f599cf
Instruction ID: 382f85a24619cc299bfc40be1b93948f131c453dcee33dfc5263b4c1d51f2a6c
Opcode Fuzzy Hash: 7ca272aa290685c3909b5f520632b6d800416dc0ec69a01d26f499ff37f599cf
Instruction Fuzzy Hash: 8951A0B8A00218DFDB10DFA8C484BADBBF1AF4D714F1444A5E902AB3A0D775A950EF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B217, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ae8cbba8a36b5b223ddb8e1c18b6b9e81d8a74b887b7588ee07644c9bf05a6
Instruction ID: 79bd4abb31ec12946712ed878b6d508be6a1b553a63937b7b1c93623e4c70a20
Opcode Fuzzy Hash: b1ae8cbba8a36b5b223ddb8e1c18b6b9e81d8a74b887b7588ee07644c9bf05a6
Instruction Fuzzy Hash: 5441F7B0D09608DFDB00EFAAC8447EEBBB5AF4A329F54D169D418B3291DB744A45CF21

Uniqueness

Uniqueness Score: -1.00%

Function 02C81FB0, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aaecdc7e63055cbdcc680f904c316db725028a3a4efba97935203b9e9249ec
Instruction ID: 6d664ef86ebf8d016057c65854e61bed6cab8231ba7ae6d2460c0957deec593f
Opcode Fuzzy Hash: d4aaecdc7e63055cbdcc680f904c316db725028a3a4efba97935203b9e9249ec
Instruction Fuzzy Hash: 3F4191B8E00218DFDB10DFA8C484BADBBF1BB4D714F144495E902AB3A0D735AA50EF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C2C9, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc87bffc64b84a1baa0d1397be98bca1a8864f08c0332d1ab621fc0b2e7274d3
Instruction ID: 2a11df4e5bb23c61a3e70b6b42f5b035f8109cae27d29c7e042707ccab42860a
Opcode Fuzzy Hash: cc87bffc64b84a1baa0d1397be98bca1a8864f08c0332d1ab621fc0b2e7274d3
Instruction Fuzzy Hash: 0151AF74900268CFDB64DF64CC84BEDBBB1AB89319F1481EAD419AB291CB359EC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C84B18, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cffcf8cd3eac449a6af8033a4800183ab47de82e781569af42dc4ee932d781e
Instruction ID: 43f3bbcf65eef93637d944bc2544f62010c68196ca61d17e443ac476b22b3065
Opcode Fuzzy Hash: 2cffcf8cd3eac449a6af8033a4800183ab47de82e781569af42dc4ee932d781e
Instruction Fuzzy Hash: BC5147B4900208CFDB54EFA8D884B9CBBF5FB48355F1481AAD809AB350DB749D82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C81A90, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e363fadf3275c09a989493bc78f31ae8726fb3c8bebfbe233b03508325c30e
Instruction ID: bfb188b26e373df207284cc8ce8584504f57cc18b910670db54b7c69615a091c
Opcode Fuzzy Hash: d2e363fadf3275c09a989493bc78f31ae8726fb3c8bebfbe233b03508325c30e
Instruction Fuzzy Hash: 0631C2B1E012489FDF55DFE8C8906DDBBF6BF88304F24802AD41AAB255DB316946DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C818CF, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1776d1120006c97a3cbdaa8e3a3c0e41c9db4652ca6301b25aa6957d436dc9
Instruction ID: 8774870f6b6baaa4a7ee8b16fc2deb125add2a447613b9f1011c53e57f09019c
Opcode Fuzzy Hash: cc1776d1120006c97a3cbdaa8e3a3c0e41c9db4652ca6301b25aa6957d436dc9
Instruction Fuzzy Hash: D5312970E05249DFDB09EFB8C4906AEBBB2AF89304F1484AEC406B7390DB795981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C81AA0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6896636d3d1f4d2f4ec9bf799117f88a4b4023257cf1e53875877142e192173a
Instruction ID: 1622d99b37abf24f08db3a49e1bb68be4f10e06ffd3d70aa3923d7580ff59365
Opcode Fuzzy Hash: 6896636d3d1f4d2f4ec9bf799117f88a4b4023257cf1e53875877142e192173a
Instruction Fuzzy Hash: 1431A2B1E0025C9FDF54DFE9C8506DDBBF6BF88304F14802AD519AB255DB316916CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BFEA, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d2a745681484e2515f152d7c4bb3e5c55ef417188c903a45fb6fa795cb9b20
Instruction ID: a2a4208e1af281e09193ee29068f178e015dc1411f49bba0fff6b8ffbca7c068
Opcode Fuzzy Hash: c0d2a745681484e2515f152d7c4bb3e5c55ef417188c903a45fb6fa795cb9b20
Instruction Fuzzy Hash: 2341BC74D0522C8FDBA4DF64C884BDDBBB1AB49308F1081EAD459AB240CB759F85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C84B6E, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a93b21dbe9bc2656262065bb8e1bb2b7e56bd41e23c9bfdc70e66383392df1b
Instruction ID: 2e1a23153b71920d07998562578e2d97bb99a2d9c8b2dc2bc6c8139b22c3b9f7
Opcode Fuzzy Hash: 5a93b21dbe9bc2656262065bb8e1bb2b7e56bd41e23c9bfdc70e66383392df1b
Instruction Fuzzy Hash: AB412874A01209CFDB54EF68D884B9CBBF6FB48305F1081A9E409AB350DB785D81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02C818E0, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be808fad20d68351f363f9283507997bbb1b955e8bf8b726873003e513cfc41
Instruction ID: 3809f5be9b43ad89738bdcc27144ca8dc7cdb81e7b6eb2449b6118adb2f35ec8
Opcode Fuzzy Hash: 5be808fad20d68351f363f9283507997bbb1b955e8bf8b726873003e513cfc41
Instruction Fuzzy Hash: 1A31DA70E01209DFDB58EFB9C5546AEBBB2BF89304F108469C416B7390DB799A81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C84904, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4198d6bcad6bd36cd599ffac66d8815f9774ac59ad087606608c71a1746c28
Instruction ID: 1ca0527a9e32e6437621fb1006692c9f47ae62989edc7b3d10ff54dadf4535fb
Opcode Fuzzy Hash: ea4198d6bcad6bd36cd599ffac66d8815f9774ac59ad087606608c71a1746c28
Instruction Fuzzy Hash: D63178B1900288CFCB54EFA8D594A9CBBFAFB45359B44C0AAD8489F225DBB49D40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C83167, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ec53b83256f05663ce67628edb9a5164e22d76374ef3ffa1153cfe0143d536
Instruction ID: 79cb80352d44a52d2fec9af21e22b9dd001e9b296822205544959a91e1002917
Opcode Fuzzy Hash: 74ec53b83256f05663ce67628edb9a5164e22d76374ef3ffa1153cfe0143d536
Instruction Fuzzy Hash: 9421D474E052499FDB04DFA9C490AAEBFF2EF89304F2081A9C805A7361DB795A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C675, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0e9489cbe8c0c00a10b3982dca1a6b18860265979dba36855a0763bb49a0f8
Instruction ID: 7cd1f8c9499063a59c7b20c172caf233886ee0cb9abac877ffeab4abbfaa7ac9
Opcode Fuzzy Hash: 9a0e9489cbe8c0c00a10b3982dca1a6b18860265979dba36855a0763bb49a0f8
Instruction Fuzzy Hash: 6D21B770900258CFDB68DF65C984BECB7B5AF85309F5490EAD109AB251CB34AB81CF21

Uniqueness

Uniqueness Score: -1.00%

Function 02C82919, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c6a0a34355930c7376bfb6a6e9380fcd925a5aeac4231ac0c3ed42079c00e2
Instruction ID: 35e898ed9093ec2a7fb35373593668ed7bb97dcd814714ce9253b30baecd703f
Opcode Fuzzy Hash: a0c6a0a34355930c7376bfb6a6e9380fcd925a5aeac4231ac0c3ed42079c00e2
Instruction Fuzzy Hash: 8E21E4B0D052499FCB45DFB8C8809EEBBF1AF4A200F1084AAC805A7391E7345A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B4D8, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4976db6749c200b635c1be0dfaf87f48234efa0d7dfcaffc17d3f61b8caccc
Instruction ID: c6927230c9d5c089fe0e372a23c5e55c179c2df5239510d543ca2afa2e1abd33
Opcode Fuzzy Hash: 6d4976db6749c200b635c1be0dfaf87f48234efa0d7dfcaffc17d3f61b8caccc
Instruction Fuzzy Hash: 7D21F7B4D0420ACFCB00DF94C581AEEBBF0BF4A318F10815AD416A7251D7359E41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C80006, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4987c62db2a4738ceb356ea7eb7e815b542bd45efae49a378af8ac60e1457c08
Instruction ID: 8853dd1fb809fa7ee736edca0d67b16e01317a9bb386d49706408b127e87416c
Opcode Fuzzy Hash: 4987c62db2a4738ceb356ea7eb7e815b542bd45efae49a378af8ac60e1457c08
Instruction Fuzzy Hash: F711D3A144E3C49FD3035B746C660943FB0AE1321571A80EBD8C5CB1B3D3694A4ADB72

Uniqueness

Uniqueness Score: -1.00%

Function 02C83B60, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40fd5aa2775908796f007e736ab8bbf81c9338578eb8520e6050b77cb856e893
Instruction ID: 188fe526d51ea47599c90e0ce2f240973262f8dd6baf79ec83f7bb784a556605
Opcode Fuzzy Hash: 40fd5aa2775908796f007e736ab8bbf81c9338578eb8520e6050b77cb856e893
Instruction Fuzzy Hash: C72117B4D04289DFCF04EFA5D8445EEBFB1FB8A304F1091AAD801A7251DB384A42DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C83178, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b108a8aa210fe1b461758a45d0ab0126fe20d9a2df1d8b0170cd2f52cc2d62f
Instruction ID: f4de169168d7db90e1fdca68608fafd8b89414dc90d69dda974d432f049db496
Opcode Fuzzy Hash: 4b108a8aa210fe1b461758a45d0ab0126fe20d9a2df1d8b0170cd2f52cc2d62f
Instruction Fuzzy Hash: 7921A274E002099FDB08DFA9C544AAEBBF2EF88304F2080A9D805A7351DB795E41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C81E27, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4d19e9dfdb433c9745ed20d377271de00b399081bd67b4a23a3b4279fdb6e3
Instruction ID: 9fb4f709b58df45c8ff06a6ef69cbc59e6cb624e518f2e0bd296db50ac583028
Opcode Fuzzy Hash: 5d4d19e9dfdb433c9745ed20d377271de00b399081bd67b4a23a3b4279fdb6e3
Instruction Fuzzy Hash: B0214770A0020ADFCB40EFA4D88549C7BB1FF45304B184169D902AB3A6DFB85E42EB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B4E8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea90b4a8d8c85ffe1c1ea3b299e680733ca25bd9127292e771d8c65bd8c56ebe
Instruction ID: dc9cf6a69af842ffc3bb827aa325629e832b6a05103b3412ff51b2960ee75daf
Opcode Fuzzy Hash: ea90b4a8d8c85ffe1c1ea3b299e680733ca25bd9127292e771d8c65bd8c56ebe
Instruction Fuzzy Hash: 7021C4B4E04209CFCB04DF99C585AAEBBF0BF49304F108069D806A7350DB34AE41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C83B70, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e53185f9198202a9f226882b0e44b147959530ba0939bee3332330d4b60e2cf
Instruction ID: 5ef683c5266cc9c5370e47ee8d7567195685950a7f281aa9b56ff768075209ac
Opcode Fuzzy Hash: 3e53185f9198202a9f226882b0e44b147959530ba0939bee3332330d4b60e2cf
Instruction Fuzzy Hash: 1811E2B4D0425DDFCB04EFAAD8545AEBBB1FB88304F1092AAD801B3350DB385A42DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C82928, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afec87fe78f5285efbd7746e31a2ea59879b34195fbfaff83a30c9e8a6d48bb
Instruction ID: 63fe204c743b8e9bd7617a09d4d8ddcabb98bc261a39b7d1b9a4392664a56cb1
Opcode Fuzzy Hash: 5afec87fe78f5285efbd7746e31a2ea59879b34195fbfaff83a30c9e8a6d48bb
Instruction Fuzzy Hash: 811196B4E01619DFCB44DFA8C9849EEBBF1BF49301F10856AD805A7394DB319A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02C81E38, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7d9024d80a29e7dc24da528f178758db174385b52dc0470c8daee3c540ba19
Instruction ID: 552bdf6c6f69d9ffb9c87fb5a9a3e89e8a58085ae8bb6433373516b81cc414ca
Opcode Fuzzy Hash: 5a7d9024d80a29e7dc24da528f178758db174385b52dc0470c8daee3c540ba19
Instruction Fuzzy Hash: EA113A70A0020EDFCB44EFA8D88549D7B71FB45704B184168E902AB365DFB45E02EB51

Uniqueness

Uniqueness Score: -1.00%

Function 02C8AD88, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3f113273d66b1f5c84c84f01f74cde551f797757fa7857e22994daee2ec673
Instruction ID: 3ec48e9d486604664a98df74ee188e488ff611889ce7dc57ea3db1420fc0216b
Opcode Fuzzy Hash: 1b3f113273d66b1f5c84c84f01f74cde551f797757fa7857e22994daee2ec673
Instruction Fuzzy Hash: 041115B4D08249DFCB05DFA9C8855AEBFB1AF89304F2080AAD805A7351EA745A42DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C81F08, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5210fd402eba6c97b87ee36e1a812ae25ca6353810cb71a92e5f3fa0db4ab7
Instruction ID: 44b3648f768fdb42e35b38c4d003bc329e03d2f1b4404f10ca536a2464e7b3e9
Opcode Fuzzy Hash: 2e5210fd402eba6c97b87ee36e1a812ae25ca6353810cb71a92e5f3fa0db4ab7
Instruction Fuzzy Hash: 2B018C7090A248DFCB05DFB4D5819A9BBF4AF4B304F1444EAD849A77A1C7725E42DB01

Uniqueness

Uniqueness Score: -1.00%

Function 02C8AD98, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f501bc9562157ab367093b06148508bbb68b43a71ae2ef372bf9d00d80692de
Instruction ID: 8d792c5312a90ae058e91d32950cfff14d6e39e811be3335734b834aa868a434
Opcode Fuzzy Hash: 8f501bc9562157ab367093b06148508bbb68b43a71ae2ef372bf9d00d80692de
Instruction Fuzzy Hash: 7B01E5B4D04209DFCB44EFA9C4455AEBBB6FF88304F2080AAD905A3350EB745E41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C81D90, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29dc0f60fad73ebc8d5b2637cfad8e5daa7785e90a27839421be626c41ad5e8b
Instruction ID: ac63d179c467e008496926412964dda5aa0f9605ce2cd499c4d5b0be9e337a9b
Opcode Fuzzy Hash: 29dc0f60fad73ebc8d5b2637cfad8e5daa7785e90a27839421be626c41ad5e8b
Instruction Fuzzy Hash: 90F0FF30D40249CFDB64AF78C4857EFBBF1AF4A308F14082EC401B2280D6B50942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C124, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedc59d62675d1f0b905f5a880693209d538f2f689fc871d993f02828c6f952d
Instruction ID: 7e4cb6f619f6a858cf3da4825b2b7757e9043df907c0e40e68b1f5c87c0331b5
Opcode Fuzzy Hash: cedc59d62675d1f0b905f5a880693209d538f2f689fc871d993f02828c6f952d
Instruction Fuzzy Hash: 8811B334900268CFDB64DF64DC90BEDB7B1AB49355F1486DAC449AB291CB3A9EC2CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C82120, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf5bd16cb38d0f2c25f5ed6a9ab09d812374abb8dc1e1a9eb7fef0ae0f3b101
Instruction ID: c01e2001da4c0783d0314faa6e6cd09b35bf35f6cd6d45fc6409725c85c06d50
Opcode Fuzzy Hash: aaf5bd16cb38d0f2c25f5ed6a9ab09d812374abb8dc1e1a9eb7fef0ae0f3b101
Instruction Fuzzy Hash: 96F05E38A422489FD708DBB0C590AEF7377DF86204F249898884623381CA788F01EA55

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BB87, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccc01b6cf4a74c3b52e5123efb84a5d3e6ad326e647c6cbfb66fe345642e981
Instruction ID: 7adbcd3dd6d3e45ff10ddb4ab6f9df888d7aef4b097bd259fe3561c32183ec2f
Opcode Fuzzy Hash: bccc01b6cf4a74c3b52e5123efb84a5d3e6ad326e647c6cbfb66fe345642e981
Instruction Fuzzy Hash: 10F05834945249EFC701EFA0D915AAD7BB5EB47309B2081EAC809A3265CB791E83CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C83358, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f0963017326b630431c4b033f23c8064dfffedfe70668a8699f018546fecb3
Instruction ID: a99adbd69878c4351e5bccf50cf0a341e525626ede55496925bee3c9e564894a
Opcode Fuzzy Hash: e2f0963017326b630431c4b033f23c8064dfffedfe70668a8699f018546fecb3
Instruction Fuzzy Hash: 81F08270409358DFC705DF70D9444A8BFB4FB47315F20A1AADC4997261CB724A56EB10

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BF7E, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683a30dc2009f69add853629ed1bcb51cc90a766ee00b9ac96c396d64783103b
Instruction ID: 28cd848b3299e91a92b6602f61eb59a2358e998e0cada34e5487f10accbfeca0
Opcode Fuzzy Hash: 683a30dc2009f69add853629ed1bcb51cc90a766ee00b9ac96c396d64783103b
Instruction Fuzzy Hash: B1011471908218DFDB14CF54D891BD9BBB4AB19308F1085DBE188AB182C7B5AB81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02C81DA0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739c4f16df76c8f0fe293f0ad11ceb6b7d682075bda346f7cb7988d61bc2ce35
Instruction ID: cfacfa37515f840561d8ca37a861e04c6961fdfb97c443135e0a67e2fb0b97d0
Opcode Fuzzy Hash: 739c4f16df76c8f0fe293f0ad11ceb6b7d682075bda346f7cb7988d61bc2ce35
Instruction Fuzzy Hash: A1F08C70D002099BEB58AFB9C859BEFFBF5AB49714F14582AC405B3280DAB559408BE5

Uniqueness

Uniqueness Score: -1.00%

Function 02C82128, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae79941bb314d7f88a1de3a4c94bd73416517ccd1e810bd8eaa20da4e95cc12
Instruction ID: 7ddcf7940f87396738ed14e262cdb07519aaadfd622b265ae69f986fdc96a721
Opcode Fuzzy Hash: 6ae79941bb314d7f88a1de3a4c94bd73416517ccd1e810bd8eaa20da4e95cc12
Instruction Fuzzy Hash: 3BF0AC38A422089BD708DBF1C550BAFB3ABDF96604F649854980523384CE759F41A996

Uniqueness

Uniqueness Score: -1.00%

Function 02C82180, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccdf6d6fed87d2160b0b8190ef37ad2fd863c5ec0e8d74e99df1c1f744a6b50
Instruction ID: 33ecb9a1a53f2d6bb3ea2136dd6bfca68818092d57a4da1dd155c6ed93f600c4
Opcode Fuzzy Hash: 7ccdf6d6fed87d2160b0b8190ef37ad2fd863c5ec0e8d74e99df1c1f744a6b50
Instruction Fuzzy Hash: 48F0F474946388DFCB01DFB4C85459EBFB1EF06205F2446EEC801AB262D7768A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C82269, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9682e7bed1e07504ab276fcc74e236d219942176140df414fd4048f1052e798
Instruction ID: 5add97dbdc8bd4df569936a10dc37e235da0546a3c351d9b4382121df034bfac
Opcode Fuzzy Hash: f9682e7bed1e07504ab276fcc74e236d219942176140df414fd4048f1052e798
Instruction Fuzzy Hash: 2EF0CFB8E05249EFCB00EBA8C584A9DBFF0FB49214B248699DC05A7312D371AE41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BBE0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9fbc23751bcbf7346be2f1fda57927763448e8a87cc5924a37c93d691f0e48
Instruction ID: da62ac78333651c7f9126549186bb7a31539180b7e4d4c0f1f3213217093ef68
Opcode Fuzzy Hash: 1c9fbc23751bcbf7346be2f1fda57927763448e8a87cc5924a37c93d691f0e48
Instruction Fuzzy Hash: 25F0A930849249EFCB11DBA0C9052E87BB0AB0624CF2081E6D818E2252CA390B83CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C827F8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62b4359a052e0dbf59817b39b55afc29300d95be111e0752970c8aa47c99ccd
Instruction ID: 26d413c7f6b431fdf54aa1a7b74ff59dd2388f66ac152d8e48ce23f4aad7f14b
Opcode Fuzzy Hash: c62b4359a052e0dbf59817b39b55afc29300d95be111e0752970c8aa47c99ccd
Instruction Fuzzy Hash: 5DF01778D09348EFCB01EFA4D458958BBB0EF4A305B1084EADC0597361D7384E55DF42

Uniqueness

Uniqueness Score: -1.00%

Function 02C81F51, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dc280d379e29d1d71677c051053de261e80bf67b93be7632ddde23fe2dca97
Instruction ID: 83c941da43fb1721f3d2f0ac6235e713a8814bb4666b2bf095d7528d3cfaa3c6
Opcode Fuzzy Hash: 35dc280d379e29d1d71677c051053de261e80bf67b93be7632ddde23fe2dca97
Instruction Fuzzy Hash: F9F0587090A388DFCB06EFB4D540598BFF0AB4A205B2481EAD84597261D37A0A56DB01

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C0F0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8be9b510b2e0a968300a4059be370dd254200af90a00340cec4324a3a82bbd6
Instruction ID: d7f8e4e3fb7fc24ab6e82e4b4d1043515e3b8a3b6bb0fcb63d0e0c3a235e4970
Opcode Fuzzy Hash: e8be9b510b2e0a968300a4059be370dd254200af90a00340cec4324a3a82bbd6
Instruction Fuzzy Hash: F5F0C4349142688BCB68EF24DC907ECB771AB95319F1091DAC4496B291CB395EC1CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02C82270, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f136ea350b95e12e49c2804a7f96f0ae25e33f624118219ad9628259d413d776
Instruction ID: b0cde08f343f87de42a9653143681bedbc6c3047b595daa50f1402fd4843c1f1
Opcode Fuzzy Hash: f136ea350b95e12e49c2804a7f96f0ae25e33f624118219ad9628259d413d776
Instruction Fuzzy Hash: B9F0A4B8A01209EFCB00EF98C58499DBBF4FB49214F108595DC04A7311D770AE41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C81A3F, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ee61715e2daa3c5d4df6ac4a0690fbba71866f6e3288196f881edc882452ca
Instruction ID: a1397eb18409d0fc93c706fe4170da77936338f0f35b453c3bb106bc80a0e50e
Opcode Fuzzy Hash: 75ee61715e2daa3c5d4df6ac4a0690fbba71866f6e3288196f881edc882452ca
Instruction Fuzzy Hash: C1F058B0D05358CFCB06DFB8C84129CBFB0EF06200F0085EAC414A7261D7798A46CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02C833E7, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbb9e372af61a8f8a8d1e69aadb9772cd80e1f969d512f05a47cd9dbe67ca79
Instruction ID: eb7b373063985e3da3b95340e6ec49e19e6227afbf6c51be52bd2931834de72f
Opcode Fuzzy Hash: 1fbb9e372af61a8f8a8d1e69aadb9772cd80e1f969d512f05a47cd9dbe67ca79
Instruction Fuzzy Hash: A4F0A93084A388DFCB02DFB0985459C7F71EB87308F2082EEC88057662CB720986EB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C84868, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bc16fa54db669eb478cd90b4026ff478745a727bd7fea24da2038b08f91160
Instruction ID: 2a9e90e5534be559ee79e6b3944ed13595b78a41713839eb7a2575fc0d75dfde
Opcode Fuzzy Hash: 86bc16fa54db669eb478cd90b4026ff478745a727bd7fea24da2038b08f91160
Instruction Fuzzy Hash: AFF08C31D0A288EFCB16DFA4D4106DCBFB5AF46214F10C1EADC8097251C7350A55DF41

Uniqueness

Uniqueness Score: -1.00%

Function 02C83769, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e71a750e4270ad5f0c729ba45b6ebce3b9dc5b9209204cb53f4c20c4512b5c
Instruction ID: b0ede3ba755b7836563e31eb84f4489f88db4f3ca52554fb0a78efa7dda6bdec
Opcode Fuzzy Hash: b8e71a750e4270ad5f0c729ba45b6ebce3b9dc5b9209204cb53f4c20c4512b5c
Instruction Fuzzy Hash: 58E09270C0A388CFCB02EBB4A8041ECBFB0EB0B209F2052EAC84097261EB754546CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C84829, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48581e4454321b2384ae46e2d7ce324155be26bc296fe6133942085bba286ffb
Instruction ID: df9cf87db7da5ed6259e02670479745f9cb4286381167a3b6d3e59a7bc715f16
Opcode Fuzzy Hash: 48581e4454321b2384ae46e2d7ce324155be26bc296fe6133942085bba286ffb
Instruction Fuzzy Hash: 2AE06D3090A388CFC706EBB4C44069C7FB4AF4B209F1541EDC8449B662D7760945CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02C83368, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663bc79fd9f103c2a6279bf28f3e788e4c5830fcfcfe68c6d9493bf06e1c0051
Instruction ID: e41e071107e28b53e13c58b5ce293adb7ecd9beed96cc19a658b6a58e7fb64db
Opcode Fuzzy Hash: 663bc79fd9f103c2a6279bf28f3e788e4c5830fcfcfe68c6d9493bf06e1c0051
Instruction Fuzzy Hash: 78E0127080525CEBC704EF60D9045ADBB79FB87705F10A199DC0923250CF719A52EA54

Uniqueness

Uniqueness Score: -1.00%

Function 02C83B18, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab42af5bddcc20c59f00122a192bb9e8933f1b6751080b9d96eca0c0c2264b23
Instruction ID: 66f212022388ac55950283d09c4f3a9da8fae4e3dab662a27e22f26cf074d285
Opcode Fuzzy Hash: ab42af5bddcc20c59f00122a192bb9e8933f1b6751080b9d96eca0c0c2264b23
Instruction Fuzzy Hash: DAF030B0D4A248DFCB01DBA8D4415ADBFB1EF86204F1081EAC84497251C7750646DF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C83CE0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624f263240c7cc256395138305f55938010d6255b763b3eac2fc91b2cb0a0279
Instruction ID: 37316b8954435bf49fdb6662c659d6c0db96cc36605bc91190be66a914e6f02d
Opcode Fuzzy Hash: 624f263240c7cc256395138305f55938010d6255b763b3eac2fc91b2cb0a0279
Instruction Fuzzy Hash: B2E06D7084A388DFCB02EBB498501987FB0AB07619F1011EAC84597262D7754546DB02

Uniqueness

Uniqueness Score: -1.00%

Function 02C82808, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c10965b036d42ad62c9906c9c92c9a7ea4d6adb53981e7094a9f4a8de900956
Instruction ID: 4216b31e84d991f47c1ad06d6b54a2867fe24de6ba685a104796f936b1eb0155
Opcode Fuzzy Hash: 4c10965b036d42ad62c9906c9c92c9a7ea4d6adb53981e7094a9f4a8de900956
Instruction Fuzzy Hash: FDF09278D04208EFDB04EFA9D5889ADBBB5EB5A305F1080AADC05A3361D7355A54EF42

Uniqueness

Uniqueness Score: -1.00%

Function 02C84247, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e95218c22657311b74abf71913b5701c5df2d104bc32a65d172e69e4b49115
Instruction ID: 99689ddbbbdfd9930d24558c2014390250e1ba09282cc235bf1dac7952270659
Opcode Fuzzy Hash: e8e95218c22657311b74abf71913b5701c5df2d104bc32a65d172e69e4b49115
Instruction Fuzzy Hash: 96E06D70C4E385DFCB12DB78845459CBFB0AB53218F1001DFC84197262D7750959CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02C847E9, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafa986ef694fdd886bfbc01cb377e610985b2398fa5c7759ef87dc0b9b09510
Instruction ID: 030530a172d95e6454a2102542b290c01b962e3802a5ef9da59f4f292561eec6
Opcode Fuzzy Hash: eafa986ef694fdd886bfbc01cb377e610985b2398fa5c7759ef87dc0b9b09510
Instruction Fuzzy Hash: 2DE09AB0E8A3C89FCB02DBB48802A9C7FB09F02204F0041A9C800A7291EBF44A05DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CCC8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b0ef0202693757b3d187268c94bff1d217c6cc10ad6d1b0d16a657a5b7a992
Instruction ID: badf86d6fd0c8d11832226d3e3b9e12d0993e1448c89c21acf1ae31e63441b34
Opcode Fuzzy Hash: 82b0ef0202693757b3d187268c94bff1d217c6cc10ad6d1b0d16a657a5b7a992
Instruction Fuzzy Hash: E7F0157490420CEFCB04DF98D940AADBBB5FB49304F20C09AED0893361C7329A61EF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B1D9, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344df545c8302eb19d76f88ae398eefdc11ff87af3d8e78437388faf013987af
Instruction ID: a608b02e10993d2b6387f0239756a4c421214c3f9657ec342b0c743d14306ee9
Opcode Fuzzy Hash: 344df545c8302eb19d76f88ae398eefdc11ff87af3d8e78437388faf013987af
Instruction Fuzzy Hash: CDE0D87064A385DFC302EBB4C8010E83BB09F1B208B1400E6C408D7252D6755A43CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02C82190, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d01c873ba9fa7a1bd9fb6dd35601e7a031b1c4ec91d4372ed89c6402e25cae0
Instruction ID: b733ff18f5e05cdb9da86b6084d2b85a706d563857adf0901cbf08d2f59fcba7
Opcode Fuzzy Hash: 6d01c873ba9fa7a1bd9fb6dd35601e7a031b1c4ec91d4372ed89c6402e25cae0
Instruction Fuzzy Hash: CFF015B4D0120CEFCB04EFB8C8485AEBBB4EB05204F2049A9C811A3310D7309A40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C85158, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2bd18bda3721d6cb8fea1e564e764d28272823a0cb6a6681c4133996db62fc
Instruction ID: 37452d029cbf34473eb8ed9cbb651cb8f6a6ec451645ea6c2936d9e3ef6a1754
Opcode Fuzzy Hash: db2bd18bda3721d6cb8fea1e564e764d28272823a0cb6a6681c4133996db62fc
Instruction Fuzzy Hash: B7E0D8715AA3C59FC712D7F8C4050A83FF0EB0321976544EAD895C7252D6790A03CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BB98, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd821caa46287cb169f1b6f8709dc41a4722ccd90f4835cefad46d996bf4720
Instruction ID: 91f034a21b81e0aaf879e7b8ecb1efaf974928f261bb850998da696bfce3350c
Opcode Fuzzy Hash: fdd821caa46287cb169f1b6f8709dc41a4722ccd90f4835cefad46d996bf4720
Instruction Fuzzy Hash: B8E01274D04208EBC704EFA4E4459ADBB79EB85309F20C1A9D80563354DB785E42DF85

Uniqueness

Uniqueness Score: -1.00%

Function 02C84328, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fed9c3b2116c1215b7199c6956a1aee2158d347ccba48433fdabb478f1b5a4
Instruction ID: 17d8fe45a439f460a6eec0b50ca156ba65f193199216f332d3b7bf4ed326285a
Opcode Fuzzy Hash: 06fed9c3b2116c1215b7199c6956a1aee2158d347ccba48433fdabb478f1b5a4
Instruction Fuzzy Hash: B0E0E5B4C45209EFCF14EFA4E4456EDBFB0EB5A308F1082AAC809A3311C7711A42DF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C81A00, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fafb4cac3a4f67cb95ab7091b60d6d52715212267fd4b6aa36bfc340798d42d
Instruction ID: 8955d12a0dfca2956538bc185acb0aaa31f4a72d5a9b0cb946f5485b8f5b1b5a
Opcode Fuzzy Hash: 6fafb4cac3a4f67cb95ab7091b60d6d52715212267fd4b6aa36bfc340798d42d
Instruction Fuzzy Hash: F6E0DF7490A244CFCB11CB78D8946A87BF4AF12208B2400EED80797362C7795E54DB12

Uniqueness

Uniqueness Score: -1.00%

Function 02C81F60, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e0969250ecbdb8261d1fe9862405e4d9c88080f5870f9a38d5055caa044823
Instruction ID: 31d01d8b2833b76ff02422b45a61fca7ec8cc6136b49f712eabcb0cdc928c2d9
Opcode Fuzzy Hash: 61e0969250ecbdb8261d1fe9862405e4d9c88080f5870f9a38d5055caa044823
Instruction Fuzzy Hash: 93E0DF74904308DFCB04EFA8D60059CB7F4EB45304F1080A9C80893300D7715E42DB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C84878, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e96d217548c6209743d1f7dac7333a84c9786cc9a4270c68cef0ddf957d591
Instruction ID: d219d0f4465d694c19bc6d75e1c5fe384732f2aea15d571731e196eede05b704
Opcode Fuzzy Hash: b5e96d217548c6209743d1f7dac7333a84c9786cc9a4270c68cef0ddf957d591
Instruction Fuzzy Hash: 58E01275C0524CEBCB28EFA4E800AADFBB9AB48304F10C1A9EC4456310CB316A65EF80

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CD60, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756d6d4c95a47d2e7181781d030b6e0c3c0933577203897a2874fd3724f59922
Instruction ID: 196a1c7ebd9521e1fb1678f5ee1ab7aa26caca7bc412236cf669487ef0c307d9
Opcode Fuzzy Hash: 756d6d4c95a47d2e7181781d030b6e0c3c0933577203897a2874fd3724f59922
Instruction Fuzzy Hash: 2EE0ED74904208ABC704EF94D4406ACBBB4AB4A204F10C0AAD84453341D6359B51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C81A50, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12abca0da4c36fccff1501fe86bfe540fab2cb3cf4b1b11bc45235eafe7a7f2
Instruction ID: 3f8b201f3a79fe06fab74728b2a55b24ee6340e6a876e3d73e27de4d1004501b
Opcode Fuzzy Hash: a12abca0da4c36fccff1501fe86bfe540fab2cb3cf4b1b11bc45235eafe7a7f2
Instruction Fuzzy Hash: 8CE0E5B0D01219DFCB04EFA8C4446ADBBB5AB45204F1045A9C818A7350DB75AA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C8752B, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e98172cda93ac2489f256fdb50f9b4f0c258e177cfd396e0ff5df775a908be7
Instruction ID: 7f9dc8394a81326b292e15b810aa8d4d6f07d7d76ea1ca9ee931842c3adea8a4
Opcode Fuzzy Hash: 6e98172cda93ac2489f256fdb50f9b4f0c258e177cfd396e0ff5df775a908be7
Instruction Fuzzy Hash: BAF05AB8D8622D8FCB60DF29C8886C8BBB0AB69300F2081D6981DA7311D6305EC1CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02C8AEA8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4824f793b9b76f08b354dedc3d950663ebcb5726b4711ea7815dcdc1acc72362
Instruction ID: 2e37ca6ab11c804dbb440911001443e3573d01474242ef6c8d643f2d26112934
Opcode Fuzzy Hash: 4824f793b9b76f08b354dedc3d950663ebcb5726b4711ea7815dcdc1acc72362
Instruction Fuzzy Hash: 0CE08C70D4820CFFCB00EFA8D4486ACBBB8EB85304F10C0AAC80463300D7702A51EF80

Uniqueness

Uniqueness Score: -1.00%

Function 02C8AEA3, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ff7a6cdb901d30a51d0131ef143e0a2a6b8e2218a74440cb2593f6f8b2ef7d
Instruction ID: f1526d15ec5e6281f0542d5e7e18cd5dc7fc92d9a235962d5decfa20b16f8614
Opcode Fuzzy Hash: 96ff7a6cdb901d30a51d0131ef143e0a2a6b8e2218a74440cb2593f6f8b2ef7d
Instruction Fuzzy Hash: B2E046B0D4520CEFCB04EFA8D448AACBBB4EB8A304F2081BAD80463300D7701A55EF40

Uniqueness

Uniqueness Score: -1.00%

Function 02C833F8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3fe6c1323b683c9ef37553bc021c5cbb407e5cd136a5707120822a2b29b31a5
Instruction ID: 1da86d360a845c9c6bbf1708a9c6464594604bf1ad69fbdce3e6146b8b9cb19d
Opcode Fuzzy Hash: c3fe6c1323b683c9ef37553bc021c5cbb407e5cd136a5707120822a2b29b31a5
Instruction Fuzzy Hash: 66E08C7080520CEBCB04EFA0D8045ADBF38BB86305F1091A8D80413310DB705A51FA95

Uniqueness

Uniqueness Score: -1.00%

Function 02C83B28, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3f0c48f287f6f899ac6224878c1b86579c280962a76df398d2e836caca40f
Instruction ID: 03f33ba6c75011e963d948e188aa959d6e4b66d7d5a74f7c1f80ceed86cb7bc0
Opcode Fuzzy Hash: e8a3f0c48f287f6f899ac6224878c1b86579c280962a76df398d2e836caca40f
Instruction Fuzzy Hash: B2E0ECB4D0520CEBCB04EFA4D5456AEFBB8FB49704F1091E9D80463350DB705A41EF95

Uniqueness

Uniqueness Score: -1.00%

Function 02C84330, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80131eb6cc29de0f4a05f82270d2e4600bae05cbf7986e5c95f5570cf15d048f
Instruction ID: 4096167424217ad340174cfb973ef01310608494ebd50abd7c81386771b4cd9d
Opcode Fuzzy Hash: 80131eb6cc29de0f4a05f82270d2e4600bae05cbf7986e5c95f5570cf15d048f
Instruction Fuzzy Hash: 5CE0ECB4D0520DEBCB14EFA4E4456AEBBB4EB59308F1081A9DC0863350DB706A41DF95

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C7C2, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853bc6acd93f1cc7e2c8bf0eb155bf4cdcf8a35feb1ef473552d0983fad4e0f3
Instruction ID: d0209da71488e8850834fa976b20a0ae8d0954dc5dda0b698abd2b69867a27c1
Opcode Fuzzy Hash: 853bc6acd93f1cc7e2c8bf0eb155bf4cdcf8a35feb1ef473552d0983fad4e0f3
Instruction Fuzzy Hash: 5FE0C234904228CFDB64DF14E880BE8BBB1AB15318F5084EAC889A7241CB399BC2DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CDA9, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53e3a3aaa62216e44e80405499e9f0a511d49ee62dd4369f241e2626c77d7a5
Instruction ID: f92b808654ee3503e3d747b0fb570891fd29f55f711c90464aeed6108a6dc18b
Opcode Fuzzy Hash: b53e3a3aaa62216e44e80405499e9f0a511d49ee62dd4369f241e2626c77d7a5
Instruction Fuzzy Hash: 6AD0A7B084720CDBC704F764E840AAA7B2DA74270CF10545AD40413251AFB55A00E964

Uniqueness

Uniqueness Score: -1.00%

Function 02C84258, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320420c90185e6fba8bf8df78575c8246243e4cc12657fa77a6695bf08ef64f6
Instruction ID: 9664b32b01f2cf8295a1544ff8efdd9d93bd8a672d91b6b9d7cdd76afe81a307
Opcode Fuzzy Hash: 320420c90185e6fba8bf8df78575c8246243e4cc12657fa77a6695bf08ef64f6
Instruction Fuzzy Hash: 23D05E70D0930CDFCB14EBA8D4016ADBBB8AB46309F1041A9CC0423251DB705A40DB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C81E1D, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4990a9794a09181fedfc7d18956c7b957566125b37cd4d6433d702ad6a6f24f9
Instruction ID: a83ac9a37ab739eae3ba4810100460f2c8d7508753aa7aa5e9b456d69c6af05d
Opcode Fuzzy Hash: 4990a9794a09181fedfc7d18956c7b957566125b37cd4d6433d702ad6a6f24f9
Instruction Fuzzy Hash: 85D0173AD00208CFCB009FA8E0442ECB7B1EB8A329F248426C218A2200C3318555CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C847F8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74964b851d33045e0108aa6955fa73f071e8ccdc13fc9e0aa57b1245f76aa013
Instruction ID: 21cb57e890034c3f7ee3af21e1ebb60aafa51be035769e4024a02aaf3433757a
Opcode Fuzzy Hash: 74964b851d33045e0108aa6955fa73f071e8ccdc13fc9e0aa57b1245f76aa013
Instruction Fuzzy Hash: F7D05EB0C5628CDBCB14EBA8D5016ACBFB8AF05609F1081A9C80463250EB715A44DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C83778, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c860b074db77a350c61de81f3ddc9465e9cb54b8f3a64a9234ea57d6d6bef58
Instruction ID: ab50a6bb762e091d3c159d24f202baff96f5b076a8d4ef3b281d7af2b1215a78
Opcode Fuzzy Hash: 0c860b074db77a350c61de81f3ddc9465e9cb54b8f3a64a9234ea57d6d6bef58
Instruction Fuzzy Hash: BED017B0C0524CDBCB00EBA4E9096ACBBB8AB0A609F2051A8CC0463250EB70AA41DA91

Uniqueness

Uniqueness Score: -1.00%

Function 02C83CF0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b103521efe70415568553de21952e753ce561df6c2cfa846dfd2f78beac1212c
Instruction ID: 13cfc3e2d4b30ef3db1efd61ec4b0c61b25b610bf783517cbbef2532bbbc8825
Opcode Fuzzy Hash: b103521efe70415568553de21952e753ce561df6c2cfa846dfd2f78beac1212c
Instruction Fuzzy Hash: 0ED05E70C1530CDBC700FFA4E8056ACBFB8EB46A09F1051E9D84463350EBB45A55DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C84838, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1dfc10c408bef5fdb8d5c51ba81864b8091a482a23376a1a55be947e928d4ac
Instruction ID: 938efe49a08a6aade7b7da72f5771e5b8df50b5f222046d36095c15373681308
Opcode Fuzzy Hash: f1dfc10c408bef5fdb8d5c51ba81864b8091a482a23376a1a55be947e928d4ac
Instruction Fuzzy Hash: 75E01774D05288DFC714EFA8D4456ACBBB8BF09209F1041E8D85897361DB71AA45DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B1E8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc70274095fff674cb0b149a1c39e3e51b98da1aca056d009e9a8d31431c8396
Instruction ID: 0c3a06df343e86ace8266278eac111546c804db33a89da433cb71db301cdf9d4
Opcode Fuzzy Hash: bc70274095fff674cb0b149a1c39e3e51b98da1aca056d009e9a8d31431c8396
Instruction Fuzzy Hash: 1AD05B7081530CEBC700EFA4D8496AC7B74A745209F1041A5C80493350D7705E54DB51

Uniqueness

Uniqueness Score: -1.00%

Function 02C85168, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a75dda08beaba88afb1f0bfac2facb25513da80de248bbf2055e0c83d446ff7
Instruction ID: 1996e1954f8b09ff5f303314794c237a306bba637a5ab623fafa057d39381688
Opcode Fuzzy Hash: 2a75dda08beaba88afb1f0bfac2facb25513da80de248bbf2055e0c83d446ff7
Instruction Fuzzy Hash: CED02E7082520CEFCB00EFA8D8092BCBBB8EB02309F2000A8C80423300DBB01B50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CDB0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c6312dc7fe00a818e237157ad309a5623457af3ce9dc1318f4e80c6f10d05c
Instruction ID: 319f34fac731a8e134b717296800d3ff23f51076aa8598cb709ece3314e55e33
Opcode Fuzzy Hash: 54c6312dc7fe00a818e237157ad309a5623457af3ce9dc1318f4e80c6f10d05c
Instruction Fuzzy Hash: 4ED022B088720CDBC308FBA4E800BAABB3CAB42608F00409AC80813350AFB15B00E9A4

Uniqueness

Uniqueness Score: -1.00%

Function 02C81A10, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24b7ab413fb9b6ddf30c4346b2c386dd30c0cc310fee32b75f093c80a2a9609
Instruction ID: 7bab9a1ab15a96be27ed720b4e4aecdbffc873e7f255e9cba9888571f37ab455
Opcode Fuzzy Hash: b24b7ab413fb9b6ddf30c4346b2c386dd30c0cc310fee32b75f093c80a2a9609
Instruction Fuzzy Hash: C8D05E74900208DFD704EF98D94476877ECEF05208F1000ADD80A57310DB75AE50DB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C81DFD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c7d5f977057f39c2b149044ddd104ec8c4110937f48398deefe6a282e0cd5a
Instruction ID: dfe86ca70de871269122c86be56fbe17a63f056fe1eabf47a3641e1ba934b210
Opcode Fuzzy Hash: a8c7d5f977057f39c2b149044ddd104ec8c4110937f48398deefe6a282e0cd5a
Instruction Fuzzy Hash: CAD0C93AE41208DF8B009FE8E4400DCF775EB8A229B209566C614B3310C7319455CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C80070, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdd684548bbf954207adba4d45059434b4fc5a274694f1775b8a0b5998243ab
Instruction ID: 85d863426261943de7375d67706dcf6283736a8d039cdfb04d33e1746302882e
Opcode Fuzzy Hash: 5bdd684548bbf954207adba4d45059434b4fc5a274694f1775b8a0b5998243ab
Instruction Fuzzy Hash: 0EC002B050160C8FD2153BA4FD0D3A977A8AB5370AF608121F60A815718BA69A95EAE6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02C851A8, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02C852E1
`5kr, xrefs: 02C8539D
:@Dr, xrefs: 02C852C4
f]Ir, xrefs: 02C851F8

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: f7959e54ec46a81f5fcc9dd760bacf849872d59fa183741744d40363aaee9304
Instruction ID: 6f0f8688d140be011581e78c94a27aff7f6a7d5c1bcebf24f66d09fcaecf7d41
Opcode Fuzzy Hash: f7959e54ec46a81f5fcc9dd760bacf849872d59fa183741744d40363aaee9304
Instruction Fuzzy Hash: 16513DB1A01209DFEB44EFAAEC8579DBBF6FB85348F14C029D104A7264DFF418068B95

Uniqueness

Uniqueness Score: -1.00%

Function 02C851A3, Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02C852E1
`5kr, xrefs: 02C8539D
:@Dr, xrefs: 02C852C4
f]Ir, xrefs: 02C851F8

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: b12d60909ab1a0ece0d3f6e40d9f8caa72d006ad352dde633251f3540f8d9ea7
Instruction ID: 5bfc5bb52d9389e73252de9ce55f0204fe7b4d70ea21a1528226c6f517c5a25f
Opcode Fuzzy Hash: b12d60909ab1a0ece0d3f6e40d9f8caa72d006ad352dde633251f3540f8d9ea7
Instruction Fuzzy Hash: E5513EB1E01209DFDB44EFA9E98579DBBF6FF85348F14C029D104A7264DFB418468B91

Uniqueness

Uniqueness Score: -1.00%

Function 0093E489, Relevance: 2.8, Instructions: 2817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199748529.0000000000932000.00000040.00020000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.199741579.0000000000930000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.199766556.0000000000941000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0c5d11a2e0f5fc31556ca76401d6b33ab870ceda8659a1f456a16399f35dc8
Instruction ID: 02e3a755b73f0c2a884a8df63fff9af363fb2e90db95fac6f7817c5a6a2313eb
Opcode Fuzzy Hash: 2b0c5d11a2e0f5fc31556ca76401d6b33ab870ceda8659a1f456a16399f35dc8
Instruction Fuzzy Hash: 6E23882140E7C29FDB038B7899316E6BFB5AE1332471E44D7C4C08F5A3E219196ADB76

Uniqueness

Uniqueness Score: -1.00%

Function 0093C8B2, Relevance: 2.0, Instructions: 1952COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199748529.0000000000932000.00000040.00020000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.199741579.0000000000930000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.199766556.0000000000941000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9c1d7442ebf642348b9aa1072dde7dc975cbfdbb86025bbbfb5b6d5b3bbc07
Instruction ID: 0cce50086e08d30a572a8ed95457766db8b22108723f00fc4c246be928cc54b5
Opcode Fuzzy Hash: 4c9c1d7442ebf642348b9aa1072dde7dc975cbfdbb86025bbbfb5b6d5b3bbc07
Instruction Fuzzy Hash: C9E2776140EBC25FD7038BB858325E6BFB5AE5322470E44D7D4C18F5A3E2141E2AEB76

Uniqueness

Uniqueness Score: -1.00%

Function 02C853F0, Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

), xrefs: 02C887C0

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: a8b3074e3f2799692500959451e4e8764d6dcc0993dea903e9f26f315bb31c64
Instruction ID: ad67f741d3c765742b3a0674779bf2d8f01ba9db81ce01f5046da8f26a08e327
Opcode Fuzzy Hash: a8b3074e3f2799692500959451e4e8764d6dcc0993dea903e9f26f315bb31c64
Instruction Fuzzy Hash: 34519CB1E046688BEB28CF6BCD4069DFBF3AFC5204F14C5AAC54CAB215DB305982CE54

Uniqueness

Uniqueness Score: -1.00%

Function 00939F78, Relevance: .8, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199748529.0000000000932000.00000040.00020000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.199741579.0000000000930000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.199766556.0000000000941000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6363642d71274b44cc089c6148a856e030bbde6360210a7d48e03788e1d1ad3
Instruction ID: 52720fb24e4942c91da69fcee0190c6ca2d22b660aa1813e565ff433ecbe71b2
Opcode Fuzzy Hash: b6363642d71274b44cc089c6148a856e030bbde6360210a7d48e03788e1d1ad3
Instruction Fuzzy Hash: AC527A6200EBC25FDB134B746D716E2BFB5AE53224B0E44C7C4C18F5A3E21519AADB72

Uniqueness

Uniqueness Score: -1.00%

Function 009405C2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.199748529.0000000000932000.00000040.00020000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.199741579.0000000000930000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.199766556.0000000000941000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6419b381869062f547d014dcc0742e34b6a3f9e1c5ffcd670b0e38c6086ee0e2
Instruction ID: 22eb9b27c85361e31746253333108120de7509593ff0739f39a082ad3b13edbb
Opcode Fuzzy Hash: 6419b381869062f547d014dcc0742e34b6a3f9e1c5ffcd670b0e38c6086ee0e2
Instruction Fuzzy Hash: 82A18C2008E7C25FCB638F7148B91D2BFF1AE1722436D1ADFD8C44A483E2AC559AD746

Uniqueness

Uniqueness Score: -1.00%

Function 02C853E0, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ab66157cae7c990d10be3301b66b65c888abd44705f043d8f97264b01176d6
Instruction ID: 9e9c44fe14fa9c73deaea1e62eda5e6507362bf2a9c35b378b329486b811401a
Opcode Fuzzy Hash: 14ab66157cae7c990d10be3301b66b65c888abd44705f043d8f97264b01176d6
Instruction Fuzzy Hash: 5D4111B1E056588BEB5CCF6B8D4069EFAF3AFC9304F14C5BA850CAA264EB314546CF15

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CDD8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a907adf46c1e50c9c5d99cd91eb1bb9207adfed7c5bad914c09ade82bf5995
Instruction ID: b830f9cb693ac403a593679dbf4c366fde9c056a38aaf843efaed13db04e2a56
Opcode Fuzzy Hash: 73a907adf46c1e50c9c5d99cd91eb1bb9207adfed7c5bad914c09ade82bf5995
Instruction Fuzzy Hash: BB115871D002598ECB04DFA9D885BEEBFF0AF4A304F14942AE404F3240C7748A44CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CDE8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.200495137.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de447a927153e5ad44f52c7ac9f4c65582f214088454e56cd53767bed2c7761
Instruction ID: 2b0817c0ef8e21604d41a5a11ba2aba4a014705a3682ecbdbc072ab63f19f62c
Opcode Fuzzy Hash: 5de447a927153e5ad44f52c7ac9f4c65582f214088454e56cd53767bed2c7761
Instruction Fuzzy Hash: 4711F571D042599EDB18DFAAC844BEEBBF4AF4A304F14946AE405B3250D7348A44DFA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: malware.exe PID: 6536 Parent PID: 6380 malware.exeCOMMON

Executed Functions

Function 05EC6818, Relevance: 23.6, APIs: 1, Strings: 12, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05EC6F6D

Strings

X1kr, xrefs: 05EC70C0
X1kr, xrefs: 05EC7051
X1kr, xrefs: 05EC7172
X1kr, xrefs: 05EC692E
X1kr, xrefs: 05EC6E3A
X1kr, xrefs: 05EC7027
X1kr, xrefs: 05EC70EF
X1kr, xrefs: 05EC6EB6
X1kr, xrefs: 05EC6E90
X1kr, xrefs: 05EC68F6
X1kr, xrefs: 05EC699A
X1kr, xrefs: 05EC6E59

Memory Dump Source

Source File: 00000003.00000002.466403052.0000000005EC0000.00000040.00000001.sdmp, Offset: 05EC0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr
API String ID: 2994545307-2965069383
Opcode ID: a75050efc538e1d3ceb93196ac976fbb21dade0eafd9eda3ea552953a81bbe48
Instruction ID: 3ac3e4e1e5a4f036d901c937b526d7656de7f7b6ef63f4b1d63e996923197498
Opcode Fuzzy Hash: a75050efc538e1d3ceb93196ac976fbb21dade0eafd9eda3ea552953a81bbe48
Instruction Fuzzy Hash: 2D623F31A002158FDB65DF68C944BDEBBF2BF89300F1585E9E90AAB265EB719D41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 057330C8, Relevance: 8.2, APIs: 1, Strings: 3, Instructions: 1217libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05733320

Strings

:@Dr, xrefs: 0573458A
:@Dr, xrefs: 057333B1
:@Dr, xrefs: 057349AE

Memory Dump Source

Source File: 00000003.00000002.465788556.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr$:@Dr$:@Dr
API String ID: 2994545307-1395999109
Opcode ID: 38b655b59ca058285909bbe0daf0f5a72bea45fd25c4d8bb7bd23d0727751035
Instruction ID: 7c515277942cbfa94b5996f43aae5ad7e049a578ae970620123184f6348cbe07
Opcode Fuzzy Hash: 38b655b59ca058285909bbe0daf0f5a72bea45fd25c4d8bb7bd23d0727751035
Instruction Fuzzy Hash: 6EC2B774A01628CFCB65DF68DC58A9ABBB2FB49312F1081E6D409E3355EB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0174AF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0174AF87

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 75251e26c199781a336aaed6769de63d58c125d2db98d0e292148ceb8f83a6ad
Instruction ID: 80df962c93609561c6b3144dd1d2996729d7f4692fefc14dde94f83c3de55694
Opcode Fuzzy Hash: 75251e26c199781a336aaed6769de63d58c125d2db98d0e292148ceb8f83a6ad
Instruction Fuzzy Hash: C4219FB5509784AFEB238F25DC40B52BFB4EF06210F08859AE9858F5A3D371D918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0174B089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0174B0F5

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 6db7177182380865e524478b15c90649de4c71a921fa28634785d7b712df7f96
Instruction ID: 796691f3c137d4fa1247ea273d7e552be71bc6065d034a35d216d44dc1d5db61
Opcode Fuzzy Hash: 6db7177182380865e524478b15c90649de4c71a921fa28634785d7b712df7f96
Instruction Fuzzy Hash: 7D118E72409384AFDB228F24DC45A62FFB4EF06314F0984DAE9848B163D275A919DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0174AF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0174AF87

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4a17acc00574d633ca81e411c3e675b9c45a082fa8a0e2be73e02ca2dd1b00ea
Instruction ID: bf4056dcf5803c8dea3d1671e2af44a783dfb9a042693a536283b25047230af8
Opcode Fuzzy Hash: 4a17acc00574d633ca81e411c3e675b9c45a082fa8a0e2be73e02ca2dd1b00ea
Instruction Fuzzy Hash: AA117C755006049FEB21CF69D884B66FFE4EF04320F08C9AAEE4A8B652D371E418DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174BB16, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0174BB66

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: f96761f14cb81cad6e5d1542dddea5c4d0b93ad101ea77c2f68b3bc5f8feb87a
Instruction ID: 0657f94ea1b645c3478e2b88f25e334a05b8f5ca56aa266de1d15d464d9b87a5
Opcode Fuzzy Hash: f96761f14cb81cad6e5d1542dddea5c4d0b93ad101ea77c2f68b3bc5f8feb87a
Instruction Fuzzy Hash: 7A01A271500600ABD210DF16DC86F36FBA8FB88B20F14815AED084B741E331F516CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0174A09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0174A0D5

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 8ca894d33ecc2487beb626f61772a282b8036bdfea69f96e14d234c2ebcca033
Instruction ID: 88989b41af27a28db56081fa497cbe5ecb539c5d8ca3ead19031ae6fbfd0c34c
Opcode Fuzzy Hash: 8ca894d33ecc2487beb626f61772a282b8036bdfea69f96e14d234c2ebcca033
Instruction Fuzzy Hash: 3801BC71804640DFDB21CF59D884B66FFA0EF44320F18C4AAEE4A8B612D3B5A418CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0174B0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0174B0F5

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 84586a656a5da3a13f6fa95c85b0f10fe44cc521da222db58fd20b592e028f5a
Instruction ID: e988ee73f87f89009bfd33ef9024aa0bd3803515de850ef9db475d2a59a63758
Opcode Fuzzy Hash: 84586a656a5da3a13f6fa95c85b0f10fe44cc521da222db58fd20b592e028f5a
Instruction Fuzzy Hash: FE018B31400644DFDB218F59D884B26FFA0EF08320F18C49ADE894B612C3B5E828CB72

Uniqueness

Uniqueness Score: -1.00%

Function 057330F8, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 690libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05733320

Strings

:@Dr, xrefs: 057333B1

Memory Dump Source

Source File: 00000003.00000002.465788556.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 2a4e994d28126e81ba189f4a320e451a11e0fb9267293e060de6e68250ca8a33
Instruction ID: cadde0fc26042e0fded154b27704699e2a003442862bbbd3d51b699b21207710
Opcode Fuzzy Hash: 2a4e994d28126e81ba189f4a320e451a11e0fb9267293e060de6e68250ca8a33
Instruction Fuzzy Hash: DB72B474A10628CFCB65DF68DC48A9ABBB2FB49311F4091E6E809E3355EB315E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0573314C, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 680libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05733320

Strings

:@Dr, xrefs: 057333B1

Memory Dump Source

Source File: 00000003.00000002.465788556.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 0b035c284a27f48be6bb155ad31335b7c54f5df294500fdb768d7823b6411383
Instruction ID: 544336111d0046fa9ab3da5686cc91ee4f86b02f2d834db1e89b0a4888d8bd54
Opcode Fuzzy Hash: 0b035c284a27f48be6bb155ad31335b7c54f5df294500fdb768d7823b6411383
Instruction Fuzzy Hash: 3D72B474A10628CFCB65DF68DC48A9ABBB2FB49311F4091E6E909E3355EB315E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 057331A0, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 668libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05733320

Strings

:@Dr, xrefs: 057333B1

Memory Dump Source

Source File: 00000003.00000002.465788556.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: ba9f5477fa3344ba6a40d2cca53ca0479a6d93098bfbea04eff7cced21a560aa
Instruction ID: ffd41d09191261c55d3899997deed6eab6a4290e17d0303305ceb95ad8d24a07
Opcode Fuzzy Hash: ba9f5477fa3344ba6a40d2cca53ca0479a6d93098bfbea04eff7cced21a560aa
Instruction Fuzzy Hash: 5D72B474A10628CFCB65DF68DC48A9ABBB2FB49311F4091E6E909E3355EB315E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 057331EB, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 660libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05733320

Strings

:@Dr, xrefs: 057333B1

Memory Dump Source

Source File: 00000003.00000002.465788556.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 29df1671aa866a5083e5b53655c70c0e7b992e3e390679416c80048bd0a18906
Instruction ID: 99e37b17589b817e9bd9c9770a3738d80d8891472f0399a502256cc8ce156de0
Opcode Fuzzy Hash: 29df1671aa866a5083e5b53655c70c0e7b992e3e390679416c80048bd0a18906
Instruction Fuzzy Hash: 1072B474A11628CFCB65DF68DC48A9ABBB2FB49311F4091E6E909E3355EB315E81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 05EC4EB0, Relevance: 1.7, APIs: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05EC4EF0

Memory Dump Source

Source File: 00000003.00000002.466403052.0000000005EC0000.00000040.00000001.sdmp, Offset: 05EC0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 906bc47bde0a8f58e5eb7e5e5ee556fbf55bafd5078d4e6c5ef95bd66636e98a
Instruction ID: e1ba7e50fdb1d80f85f001684d15a5bbdb5e8aa9da3b0838bd16a937c9088393
Opcode Fuzzy Hash: 906bc47bde0a8f58e5eb7e5e5ee556fbf55bafd5078d4e6c5ef95bd66636e98a
Instruction Fuzzy Hash: 5C712930A00305DBDB14DFB8D558AAEBFF2BF84315F14996AD446AB354EB74E842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06743C90, Relevance: 1.7, APIs: 1, Instructions: 173libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06743D4D

Memory Dump Source

Source File: 00000003.00000002.466848664.0000000006740000.00000040.00000001.sdmp, Offset: 06740000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 414171d8a844dd591d4a29372857526a33594e57c7a66004897f47a4aeabc68f
Instruction ID: 4ec34786abeb29d9becb23cbc14686ee30fd0ffb07a0a1bacb638b286ce57d78
Opcode Fuzzy Hash: 414171d8a844dd591d4a29372857526a33594e57c7a66004897f47a4aeabc68f
Instruction Fuzzy Hash: 29516270B002459FDB50ABB4D848AAEBBF6FF84314F208569E549DB285EF75DC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 06743CE8, Relevance: 1.7, APIs: 1, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06743D4D

Memory Dump Source

Source File: 00000003.00000002.466848664.0000000006740000.00000040.00000001.sdmp, Offset: 06740000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ddbdac8f3ea9ed2a2de24050541800af15fa0ad48a3c3d85422e5d0a004907be
Instruction ID: 16e3c275d0cb8be6ae61b6786f6eccaa2b63292c2edd3fb99e1ff57e186f2ee0
Opcode Fuzzy Hash: ddbdac8f3ea9ed2a2de24050541800af15fa0ad48a3c3d85422e5d0a004907be
Instruction Fuzzy Hash: B9514171B002059FDB54EBB4D848AAEBBB6FF88214F208569E50ADB244EF719C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0601219D, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 060122AD

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 3870eb0fb856c77c56bca5a5f07756391758dbcbc8b3ecf0c5f5843c309a95ff
Instruction ID: 1cee44402d87353bd4294a117b02eb037d0e1d15683808286c0ecb767abd282d
Opcode Fuzzy Hash: 3870eb0fb856c77c56bca5a5f07756391758dbcbc8b3ecf0c5f5843c309a95ff
Instruction Fuzzy Hash: BA41C571549380AFE7128B25DC45F66FFB8EF46210F1884DBEA849F193D265A908C772

Uniqueness

Uniqueness Score: -1.00%

Function 06011C2D, Relevance: 1.6, APIs: 1, Instructions: 111networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 06011CF6

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: b842eb74a63450d3c59360bacfcece8e380e2ada73d18ae9645a449131738c36
Instruction ID: 03279f26506661bc62da11c7adb0638038b1732d398c78fe6042d1a86a7e913c
Opcode Fuzzy Hash: b842eb74a63450d3c59360bacfcece8e380e2ada73d18ae9645a449131738c36
Instruction Fuzzy Hash: D1416B714097C0AFD7638B619C54B56BFB4AF07210F1989DBE9C58F1A3C265A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0601102E, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 060110D9

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1b24a5d8880773d95ebf96f916baac2033c8696e4ceb3efc6183e302b8a888f7
Instruction ID: ab48047f29fddebe4523f35905797c583adeee825f4a96d3556552c7606ebc99
Opcode Fuzzy Hash: 1b24a5d8880773d95ebf96f916baac2033c8696e4ceb3efc6183e302b8a888f7
Instruction Fuzzy Hash: 0E319E719493C06FE7138B259C51BA6BFB8DF47220F0980DBE984CF1A3D2686909C772

Uniqueness

Uniqueness Score: -1.00%

Function 06012A07, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 06012ADB

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: fe1b8effec2fed3183e6226af149fdb8303e1ce69a7b8814b9ae2c164583a813
Instruction ID: 25ec62264a0fc3d50d41f63c13dca8d3a7e08650eb3ee4b8fc512152e49c0e61
Opcode Fuzzy Hash: fe1b8effec2fed3183e6226af149fdb8303e1ce69a7b8814b9ae2c164583a813
Instruction Fuzzy Hash: 2F31A371404340AFE7228B61CC85FA6BFACEF46710F14899AFA849F182D375A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06012CB9, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012D6D

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 1dfe50868026c2c6c554c08da76b14d266966878a8064e2e66be7cb7b57eaa38
Instruction ID: 95210284361a4e7981621f72d7dc53044827b5cadcba11bcc4e834485ff91e55
Opcode Fuzzy Hash: 1dfe50868026c2c6c554c08da76b14d266966878a8064e2e66be7cb7b57eaa38
Instruction Fuzzy Hash: 19319075404780AFEB228F21DC40FA6BFF8EF06310F08859BE9848B162D334A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06010DF4, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 06010E95

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3b8fc0f4e785055465054696d0257f7989ed78708abeb0fde14f392147683751
Instruction ID: 2e0bef41a6c7e66f117f5cfa8cc1bf38da47c77fbf549aac1bcdcc0efecf2931
Opcode Fuzzy Hash: 3b8fc0f4e785055465054696d0257f7989ed78708abeb0fde14f392147683751
Instruction Fuzzy Hash: F0317C71544340AFE722CF65CC44F66BFE8EF45610F0884AEE9858B252D375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174A8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 0174A989

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 88c5c94a383c4955ab5208a2bdad52ef8c00e2cdff04d8abd095f2a4f3bd418d
Instruction ID: 5150b08c99eae65e6fdfa8732a230f9cbda22a136c8bf6de55dba3bbbd5d828e
Opcode Fuzzy Hash: 88c5c94a383c4955ab5208a2bdad52ef8c00e2cdff04d8abd095f2a4f3bd418d
Instruction Fuzzy Hash: BC31B476404344AFE7228B24CC84F67FFBCEF06310F08859BE9859B152D364A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0601153B, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 060115F0

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 57046da879070f93a50befaf15a28b8fe1536860f84c325391eb664a66d057ae
Instruction ID: e86f1ef920e1803a391fcd9cb7f88a2ffc5074e831bcdb2fb962ab74cd113aea
Opcode Fuzzy Hash: 57046da879070f93a50befaf15a28b8fe1536860f84c325391eb664a66d057ae
Instruction Fuzzy Hash: 3431B371508384AFEB22CF64DC44F96BFF8AF06310F08849AE9859F153D364A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0601206C, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 06012103

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: c5484b63eed1b4ab7cdef5ff77bda53502acaa4db5a2ede060754d678136cd23
Instruction ID: d8717a7e79989f21996fb3352da0ab395f408ecf0b4125de535f516f1f4f28e3
Opcode Fuzzy Hash: c5484b63eed1b4ab7cdef5ff77bda53502acaa4db5a2ede060754d678136cd23
Instruction Fuzzy Hash: 6631BF72504344AFE722CB64DC45F67BFE8EF46320F0884AAE984DB252D264A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0174A9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0174AA8C

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: adf50c6180e0ec96d90bc3eb1ba12997b1cbe00224ea86cc80597912c03c17dc
Instruction ID: 22c12662139992c4540382bdbe862306224d0289d19da9ae00f9953492a07121
Opcode Fuzzy Hash: adf50c6180e0ec96d90bc3eb1ba12997b1cbe00224ea86cc80597912c03c17dc
Instruction Fuzzy Hash: DC318171505784AFE722CB25CC84F62FFB8EF06310F18849AE9858B253D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06012304, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 060123B6

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 101dc6e4a7f6aa4d3fa529f2bb58fd41ae5c2bf2bcff5ecc8b10b5fd62bf5f1d
Instruction ID: eaa3aa9133d3128e9fb4d43488c78eb5277a1c335975cfdd724a0bedd5e6bab3
Opcode Fuzzy Hash: 101dc6e4a7f6aa4d3fa529f2bb58fd41ae5c2bf2bcff5ecc8b10b5fd62bf5f1d
Instruction Fuzzy Hash: E931B4B2404780AFE722CB55DC45F96FFF8EF06320F04859AE9849B253D375A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06011F6E, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012018

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d3003d941ae3800dc3d0c3e751b3418a4717d51bb9488257baa04fea2f8e9f8f
Instruction ID: 2aeb0faecf1c51b5c42a36bfeb2b9f79eb162c97b6c45c7542fd3acd35b057b0
Opcode Fuzzy Hash: d3003d941ae3800dc3d0c3e751b3418a4717d51bb9488257baa04fea2f8e9f8f
Instruction Fuzzy Hash: 6C318072509380AFD7228B65DC40F92BFF8EF06310F0884DBEA859B163D265A949C771

Uniqueness

Uniqueness Score: -1.00%

Function 06012DB7, Relevance: 1.6, APIs: 1, Instructions: 87networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012E5E

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 22e8cdfe37c4e13acce0333b75de5b6e482551167ab4b0ca5381c9e66342365e
Instruction ID: be4a98e5a0f13a785ef08e895de55409fac4b1492092e99de9671cc460f0576d
Opcode Fuzzy Hash: 22e8cdfe37c4e13acce0333b75de5b6e482551167ab4b0ca5381c9e66342365e
Instruction Fuzzy Hash: CC31BF72409384AFE7128B25DC50F96BFB8EF07314F0884DBEA849F153D224A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174B21C, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0174B2B0

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 0616f0040e9e9074fb2aa5a65260d8d8d27535b883d82950a6ffb8540d45ffaf
Instruction ID: 69af51db8b898eead9c2c3de2c7d0de94b5ba48074ec75756974e97dacf0b4fe
Opcode Fuzzy Hash: 0616f0040e9e9074fb2aa5a65260d8d8d27535b883d82950a6ffb8540d45ffaf
Instruction Fuzzy Hash: F421B172509380AFE7128B25DC45F96BFB8EF47320F0884EBE984DF193D264A909C761

Uniqueness

Uniqueness Score: -1.00%

Function 060126B0, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012744

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 7648c40b0f6db45e4606a820511974c6e2a60536891f39692396262238184b2f
Instruction ID: 52ba17e32bcda507993ec395deb4680ec8bb1d239d4f0e071030e83edb00c738
Opcode Fuzzy Hash: 7648c40b0f6db45e4606a820511974c6e2a60536891f39692396262238184b2f
Instruction Fuzzy Hash: E12137B1404384AFE712CB54DC85F66BFA8EF42320F0984DBE9449F193D2745945C771

Uniqueness

Uniqueness Score: -1.00%

Function 060125B9, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 06012659

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7425090f6979a1f1434a31c6731dbf5bd2da7a0007f95929964995cff3b4ca02
Instruction ID: bf2416e519243d8c58ac4929dff75607a5283f2d00b6cb63b403f65f3db826c6
Opcode Fuzzy Hash: 7425090f6979a1f1434a31c6731dbf5bd2da7a0007f95929964995cff3b4ca02
Instruction Fuzzy Hash: C531B1B1509384AFE712CF25CC84F56FFE8EF06210F08849AE9849F292D364E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0174B309, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,00000E2C,?,?), ref: 0174B3B6

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 5017b0260f2a5355a92fcc7da8216ab36ca7c07e0ea26f3aa6cc134fd1cb94f1
Instruction ID: ab8d6b76da8dd81ac23eff2db4d6d1e2f95c52ee2a8b5c68dd8e8ea4a770768b
Opcode Fuzzy Hash: 5017b0260f2a5355a92fcc7da8216ab36ca7c07e0ea26f3aa6cc134fd1cb94f1
Instruction Fuzzy Hash: B031937154D3C05FD7138B618C55B66BFB4EF87610F1980CBD984CF2A3D6246919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06012A36, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 06012ADB

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: f776117c5e3918175c869390c8c36947c190f0ea0515709d5935db29bafd51e5
Instruction ID: 78b5e9097f4b1118e650fa3a8d02c76c8f0277f387c26c935da014a872db27ee
Opcode Fuzzy Hash: f776117c5e3918175c869390c8c36947c190f0ea0515709d5935db29bafd51e5
Instruction Fuzzy Hash: 7921E271500304BFFB21DF64DC85FAAFBACEF44710F10895AFE459A181D6B4A5498BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06011452, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 060114E6

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a53158f21927b56d6858719759ced2998c00eef8517050ea52dece635c74ae42
Instruction ID: 2688fe71769ee1b75b961c23252c23e8fa33ca5513bc62294f0f848409aa22a8
Opcode Fuzzy Hash: a53158f21927b56d6858719759ced2998c00eef8517050ea52dece635c74ae42
Instruction Fuzzy Hash: 4021A0B2404340AFEB218F65DC44F6AFFA8EF45710F08849AEE449B252D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0174B711, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0174B7A2

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 566fac9b057221c7e413861989f7a1d2041d04007c05173d0fd95fcc8a1d5900
Instruction ID: 9f4ec628402b9f6a945606e5458e258fbdb094ae8587e4d829b5d968804e9a9d
Opcode Fuzzy Hash: 566fac9b057221c7e413861989f7a1d2041d04007c05173d0fd95fcc8a1d5900
Instruction Fuzzy Hash: 4B219F71505384AFE722CB65CC45F66FFA8EF46320F0884ABEA45DB252D364E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174B808, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0174B8AE

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 0d62587c025b54aebbe3e725a236a3a07924d1b8de444b2614ef88f908bb526e
Instruction ID: dddc881faa404547077daa22e95613537331ac22256fd2657674a96954e03553
Opcode Fuzzy Hash: 0d62587c025b54aebbe3e725a236a3a07924d1b8de444b2614ef88f908bb526e
Instruction Fuzzy Hash: EF21A0714093C0AFD3128B65CC55F66BFB4EF87610F1984DBE9848B1A3D624A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 06012794, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0601281D

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 77af8eff42e9849ee9e097d5b724b4c6aa38bc0401b27b4e4e8224ee769bb83b
Instruction ID: 8065c5d9afcd7655ff0330613b35a479e86ad8d0bc5072a9286238b39cc47171
Opcode Fuzzy Hash: 77af8eff42e9849ee9e097d5b724b4c6aa38bc0401b27b4e4e8224ee769bb83b
Instruction Fuzzy Hash: 8321C471505340AFEB228F25DC44FA7FFB8EF46310F08849BEA459F152C275A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06011380, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E2C,?,?), ref: 06011426

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: f0a93991b05cfb7c5af37ce5df4a483e19f0daaa39a20e1f52c17da991eb1561
Instruction ID: 9b5f8ee8d90499e0c540124283d8c3f19aa731b40b8808dafffdc2298c9cf8c7
Opcode Fuzzy Hash: f0a93991b05cfb7c5af37ce5df4a483e19f0daaa39a20e1f52c17da991eb1561
Instruction Fuzzy Hash: 7221917540E3C06FC3138B358C55A21BFB4EF87A10F1D80CFD8848B6A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06013CF7, Relevance: 1.6, APIs: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06013D7E

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: ec1689f4189f09652a60d1dc41c25fe82d97ee9562a27407d767ee270750fb06
Instruction ID: 42476c6b68c3204d380f0dbdb5563235a32f72b58a234c3361de361b1bf425c6
Opcode Fuzzy Hash: ec1689f4189f09652a60d1dc41c25fe82d97ee9562a27407d767ee270750fb06
Instruction Fuzzy Hash: 1221B271508380AFE7118F25DC44F66FFB8EF46310F08849BED849F152C264A844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06010E16, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 06010E95

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2e642e6f9154412033bbfbf09e12e4a2a95ccad06638acc4a30f8aa75ad02a3d
Instruction ID: 9ab5e9ab48f8da85a07f779789da00ef1f6a5390e37c979e97288204a73c0853
Opcode Fuzzy Hash: 2e642e6f9154412033bbfbf09e12e4a2a95ccad06638acc4a30f8aa75ad02a3d
Instruction Fuzzy Hash: EF21AC71900200AFE761DF66CC84F6AFFE8EF08310F14846AEA858B252E771E944CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06012092, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 06012103

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: b0233124962baaf26678ea10ff89d3000388176c50ee99552377dfb08d2a059a
Instruction ID: 277dab2448281612a8513072ac46ea06fd66a6420a83488f7bd674c2c2945c28
Opcode Fuzzy Hash: b0233124962baaf26678ea10ff89d3000388176c50ee99552377dfb08d2a059a
Instruction Fuzzy Hash: 4E21BE72540304AFEB60DB29DC85F6ABBACEF54720F14846AEE44DB242D660A5498BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0601069C, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E2C), ref: 06010737

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4aeb326a266e721d21415cc02f25e08fec21d6ae41a9edb2ea6e4385124ba255
Instruction ID: 2387bc300bca772260b9632614ec6022a0bd09147f251fcbaf60bd0d7a00251c
Opcode Fuzzy Hash: 4aeb326a266e721d21415cc02f25e08fec21d6ae41a9edb2ea6e4385124ba255
Instruction Fuzzy Hash: CA21C871445380AFE7228B24CC45FA6FFB8DF46720F1484DAED855F192C2656949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174B570, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 0174B60A

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1ea8ccd786dcb6df8ccab3eafd2a33a7b62f6653b0473336bbff7d0369f0e3b1
Instruction ID: ea4956bc4b1bca451f8dc9c2f14be778fda471d22dae673e1c1514590604c392
Opcode Fuzzy Hash: 1ea8ccd786dcb6df8ccab3eafd2a33a7b62f6653b0473336bbff7d0369f0e3b1
Instruction Fuzzy Hash: 6D21D6754093C06FD3138B258C51B62BFB4EF87A10F0981CBE9848B653D2256919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 06012BE6, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012C6F

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 4e08553144f0b3bbc38dcc7f73d42372e5f7ffaefc23b148b8c0d8fff26ab8b8
Instruction ID: 7cc82b693d9850a241faf244928f224fae71ea5c9e38cf6443d8a3501198db40
Opcode Fuzzy Hash: 4e08553144f0b3bbc38dcc7f73d42372e5f7ffaefc23b148b8c0d8fff26ab8b8
Instruction Fuzzy Hash: 9D21B371409384AFE7128B64DC84F96BFB8EF46310F1884DBEA849F153D264A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 06011D4F, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 06011DCC

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: f0d43447ec63eb2ffc094f65b458b70325949fded918019001929fee90a2a2e0
Instruction ID: 19ce9e878e370d9d60e6c6e1c090f158a829ca7bd6708f3eb78b66c0abc3ab15
Opcode Fuzzy Hash: f0d43447ec63eb2ffc094f65b458b70325949fded918019001929fee90a2a2e0
Instruction Fuzzy Hash: 48219C315493C09FDB128F64D884A56BFB0EF07320F1D84DADA848F163C225A959DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0174A90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 0174A989

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: eb6c52850aab75dec16e1bf8a910adad577fc3399bc192c63f52fc8f677f9907
Instruction ID: a924df992af13a50c12e37c9c9cced2ec34f34e1d686046d8828ba4e9ed2a5f6
Opcode Fuzzy Hash: eb6c52850aab75dec16e1bf8a910adad577fc3399bc192c63f52fc8f677f9907
Instruction Fuzzy Hash: 1C21AE76500604AFE7219B59CC84FABFBECEF14710F14895BEE459B242D760E4098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06011472, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 060114E6

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8944615883e92bff909d427e6c75c451ba8bdab679d12cad5e4384446dc02c1f
Instruction ID: f27e7a7827ab5a3479db15c3aae8d629780567440fb05290f3d56b995f5a7864
Opcode Fuzzy Hash: 8944615883e92bff909d427e6c75c451ba8bdab679d12cad5e4384446dc02c1f
Instruction Fuzzy Hash: 64219D72940204EFFB209F65DC45F6AFFA8EF44720F1488AAEE459B241D674A4088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 06012EA8, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012F3D

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 66374d1511b47b5ade123386b492f31ad37e423270f0fe0b32e1095cbff3b2f8
Instruction ID: 94f57076868b867a741bc9162ddb38ccbc41272849258602cb85cb965b29e6b9
Opcode Fuzzy Hash: 66374d1511b47b5ade123386b492f31ad37e423270f0fe0b32e1095cbff3b2f8
Instruction Fuzzy Hash: 4721C871409384AFD7228F15DC45F66FFB8EF06314F09849FEA849B153C265A519CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174B636, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0174B6B2

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: bf95d9b039b98b26ca9f11d99852c5ab802648c260793009c0916070e4936710
Instruction ID: b16ad2bc8a87c89aa388960c8597f64cca49c7918ea828a7ec8500c12c9bea58
Opcode Fuzzy Hash: bf95d9b039b98b26ca9f11d99852c5ab802648c260793009c0916070e4936710
Instruction Fuzzy Hash: 64219272505380AFE7228F65DC45F67FFB8EF46320F1884ABEA45DB152C264A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06013DDE, Relevance: 1.6, APIs: 1, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06013E66

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 087fb3a72946c47c97b4e6802aab7f7c7fdefd15d2425ba16c8ca911b62c9f05
Instruction ID: 9f44f106a4868f258e8fec4d260844d01d53ddfa50a1efbc45cecad26a2264f2
Opcode Fuzzy Hash: 087fb3a72946c47c97b4e6802aab7f7c7fdefd15d2425ba16c8ca911b62c9f05
Instruction Fuzzy Hash: E9218071408384AFE7228F65DC44F66FFB8EF46310F1885ABEE849F152D265A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 060125E6, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 06012659

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 3a7f5e9d232cd3449c855b422d9e45f8a6fdb6734671ce6beb57a667303a9c94
Instruction ID: cc54c280855ce2519ce7bbe8bab5cb2617792523978fc8f2452a140ac3d67885
Opcode Fuzzy Hash: 3a7f5e9d232cd3449c855b422d9e45f8a6fdb6734671ce6beb57a667303a9c94
Instruction Fuzzy Hash: 7C21A971900244AFF760DB25C884B6AFFE8EF04620F14846AEE889B282D670E945CA75

Uniqueness

Uniqueness Score: -1.00%

Function 06012CF2, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012D6D

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 9c86e41f155a28e6556e07f81af5209710831b44e56e5ed65fd40145146c75e2
Instruction ID: ce1fcedde4e280f98cda79b1d311b861e1e5b065500619f86315cd8c79bfc4a4
Opcode Fuzzy Hash: 9c86e41f155a28e6556e07f81af5209710831b44e56e5ed65fd40145146c75e2
Instruction Fuzzy Hash: DB217975500604AFEB618F55DC80FA6FFE8EF09710F14896AEE458B261D270E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174ACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0174AD6A

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3aea02583102509aa0089b4a7b4c39e0e8bbf5947d9f2c15ed1cb83916a1e153
Instruction ID: 12210158558b92ff378b5f7906b03e3b399c296fd372e0b63c4dd3cb06f7238e
Opcode Fuzzy Hash: 3aea02583102509aa0089b4a7b4c39e0e8bbf5947d9f2c15ed1cb83916a1e153
Instruction Fuzzy Hash: BE21B0B25493805FE7128B25DC85B92BFF8EF46210F0984EAD985CF263D234D848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 060111F6, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06011275

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2950e7dcd7073972b223b8e5108f074e85fa48266390fa574b20bbac110dd2f6
Instruction ID: f7a260838f73f21c3c2248e0afae54f2351bd11bd874227ab93af1f4395147fd
Opcode Fuzzy Hash: 2950e7dcd7073972b223b8e5108f074e85fa48266390fa574b20bbac110dd2f6
Instruction Fuzzy Hash: 97219272409340AFDB228F55DC44F57FFB8EF46310F18859BEA449B152C264A418CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06012F7A, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 06012FFE

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: a3b8c79d0af17b4317ba9c933b41058c76470a4ebd42b97d99c40afd68f148b1
Instruction ID: 5591bcfc3f6ab6d89cad3348e3c710efab633a39bb44d0d0454a725654f44965
Opcode Fuzzy Hash: a3b8c79d0af17b4317ba9c933b41058c76470a4ebd42b97d99c40afd68f148b1
Instruction Fuzzy Hash: 5B21AC724093C0AFDB228F60C884A92FFF4EF06210F0984DEE9858F123D271A819DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0601157E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 060115F0

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 340b1a9524aaec925072fcc18f781282e05d599b06740e113b3c0b97010382cc
Instruction ID: f303f87c99f47537cabef53e6b3ca28ac9619e9fad41e6075d29e12a6ec66f24
Opcode Fuzzy Hash: 340b1a9524aaec925072fcc18f781282e05d599b06740e113b3c0b97010382cc
Instruction Fuzzy Hash: 93216DB1900204AEEB60CF65DC80F67BBE8EF05710F1884AAEE459B251D671E504CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0174AA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0174AA8C

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7fcf733f97acfa82329f1d9f401585ad3b6565d04faea69fb34a5bb885c16f63
Instruction ID: 352449451c1765bc4d6d8b9af208395460ba1d687f56934d081faee433fc8464
Opcode Fuzzy Hash: 7fcf733f97acfa82329f1d9f401585ad3b6565d04faea69fb34a5bb885c16f63
Instruction Fuzzy Hash: 95215E71640604AFE721CF19CD84F67FBECEF05710F18846AEA469B252D764EA09CA71

Uniqueness

Uniqueness Score: -1.00%

Function 06012242, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 060122AD

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: ae564b5304384f799613ee077767a2199645fb93f48551a3184295ce9a5dad24
Instruction ID: b55635b7c0faa5d61539711a06fd5407e48c2d64ff939c218e019751e0bd06a9
Opcode Fuzzy Hash: ae564b5304384f799613ee077767a2199645fb93f48551a3184295ce9a5dad24
Instruction Fuzzy Hash: 7921AC71900200AFE720DF65CD85B6AFFE8EF44320F14846AEE858F242D671E944CA76

Uniqueness

Uniqueness Score: -1.00%

Function 06011A87, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06011B08

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 6a08cbd182e132239ade838d91e7111f9a2e522486c44d94cef976f319958925
Instruction ID: 6e619e5ee8b2864a32514b9888c5a9fc3abda6de100a5a1715a27d7cb00ffece
Opcode Fuzzy Hash: 6a08cbd182e132239ade838d91e7111f9a2e522486c44d94cef976f319958925
Instruction Fuzzy Hash: 5521A571408384AFE7128B15DC84F56FFB8EF46310F1884DBEE849F253D265A555CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0174AFD4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0174B040

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 383a7702cb4e9bc9ead1f9a7802a111525188f3dd5252b8c4014541d2ac5698a
Instruction ID: 5cd567b518add9d152aba2932abceb9e741782633fe36a92802aa748d56e468e
Opcode Fuzzy Hash: 383a7702cb4e9bc9ead1f9a7802a111525188f3dd5252b8c4014541d2ac5698a
Instruction Fuzzy Hash: E321C3725093C09FDB138F25DC94A92BFB4AF47324F0984DAED858F263D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0174AC3B, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0174ACA8

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3f21a19fa083e22df32809491b8e8508adeb0e3c2b362ce1840fb7728f4802fc
Instruction ID: f2dfceaea8cf6c0a886818ec14df64db5ab9cb244fde22661bd721f6125342c8
Opcode Fuzzy Hash: 3f21a19fa083e22df32809491b8e8508adeb0e3c2b362ce1840fb7728f4802fc
Instruction Fuzzy Hash: B921C07140E3C0AFDB138B25DC91692BFB4EF07220F0984DBED858F163C2659948DB62

Uniqueness

Uniqueness Score: -1.00%

Function 06012342, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 060123B6

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: c8afac83f54c20a52d481b64854208e1c3112ba44970411805b59d7ce537c6cd
Instruction ID: 7d33aa5c9843ba92b787c264d8512344e3b9de92c52c9b97b325026f64e586d7
Opcode Fuzzy Hash: c8afac83f54c20a52d481b64854208e1c3112ba44970411805b59d7ce537c6cd
Instruction Fuzzy Hash: AA21AE71500200EFE721CF55DD85FAAFFE8EF08320F14845AEA849B241D771A549CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 06011C8A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 06011CF6

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: c1cfdf27ba9987e26edf3cc37278bdd125d6e09f838320bb043855fe15a2b139
Instruction ID: d0944622100efdb18526837b2fc02c7f0a94fd866cb2882b7e5ea1e5d1ede8cc
Opcode Fuzzy Hash: c1cfdf27ba9987e26edf3cc37278bdd125d6e09f838320bb043855fe15a2b139
Instruction Fuzzy Hash: C021CF71400200AFE721DF65DC44B66FFE9EF04310F1488AAEE858A652C371A405CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0174AAFB, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0174AB7E

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 3e2a01fc75ff18f5da37f3d52167242c0d4911631c0efecdbfc0403f0424db13
Instruction ID: 9d15d8bae997c17aa25944deb41a569f25e1d4b3c6b10018279d79c93e346b09
Opcode Fuzzy Hash: 3e2a01fc75ff18f5da37f3d52167242c0d4911631c0efecdbfc0403f0424db13
Instruction Fuzzy Hash: 2921A5715093806FD3128B25CC41F72BFB8EF87620F1981DAED848B653D225A915CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0174B73E, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0174B7A2

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: c4d47a04071e9e5801dd49ddeec2bdbd11ee0edc4d33f5897848f26f2ab1a35d
Instruction ID: 8f563e4c8176a2988293edf226ec37436dc6850814b0e0b6e819d814e47e3362
Opcode Fuzzy Hash: c4d47a04071e9e5801dd49ddeec2bdbd11ee0edc4d33f5897848f26f2ab1a35d
Instruction Fuzzy Hash: 6F116D71500204AFEB21CF69DC85F6AFBA8EF45310F1888ABEE45DB251D774E9048B71

Uniqueness

Uniqueness Score: -1.00%

Function 06011FA6, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012018

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 45c4bd43d632463c12e156bd1c0f7e9d37eb8c7e8532007ca49f96069444c26c
Instruction ID: 23f7fed6c324e886e0e5f904ddda808fb9734fe9b92d46ad5e4a374aa310b4a9
Opcode Fuzzy Hash: 45c4bd43d632463c12e156bd1c0f7e9d37eb8c7e8532007ca49f96069444c26c
Instruction Fuzzy Hash: A111AC72540604AEEB61CF15CC80F67FFE8EF04710F18856AEA459B262D7A4E548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 060127BE, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0601281D

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 4522dbea7705254848365b0e8452f69191e02dc11b4dd03f779d6b86f158e370
Instruction ID: 7060ab23a02c31b0a6b5c622e55545d3595a6826dd46e21b760c773ef8935599
Opcode Fuzzy Hash: 4522dbea7705254848365b0e8452f69191e02dc11b4dd03f779d6b86f158e370
Instruction Fuzzy Hash: 2411BE71500200AFEB218F65DC80BAABFA8EF05720F14846AEA458A251C6B0A5558BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06013D22, Relevance: 1.6, APIs: 1, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06013D7E

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: ef1bde3460fa4d973008b0772d213e7b7a3a28593e0a1dd8a79ccd3ea92d6d09
Instruction ID: 0bfe5ec90b09101941987215cb4649202ec1daead665f9775257baf50067a161
Opcode Fuzzy Hash: ef1bde3460fa4d973008b0772d213e7b7a3a28593e0a1dd8a79ccd3ea92d6d09
Instruction Fuzzy Hash: 3111C471500600AFEB608F25DC85F6BFFA8EF45320F14846BEE459F241D674A404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06012DFA, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012E5E

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 1b10be85486715a269d5e5abed994b67363f0bc153dd40aa96644f936174d5ac
Instruction ID: 111dd2183e47100e02855b06385d31018d08ad2c61e0c8e81d3a874be9fb3661
Opcode Fuzzy Hash: 1b10be85486715a269d5e5abed994b67363f0bc153dd40aa96644f936174d5ac
Instruction Fuzzy Hash: 60119072400204AEEB21CF65DC84FABFFECEF45320F14886BEE459B241D674A6458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0174B656, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0174B6B2

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 018b75c7300eb840670b89606a8eaadd32f675162a0496a0bb170dda4f3f59f9
Instruction ID: 7ed13048c95bc12beec2a2428a0afbb972751751cf73d6583a3a2eb1a8960692
Opcode Fuzzy Hash: 018b75c7300eb840670b89606a8eaadd32f675162a0496a0bb170dda4f3f59f9
Instruction Fuzzy Hash: 28119071500204AFEB218F69DC85B6AFBA8EF45320F14846BEE459B251D674E8048B72

Uniqueness

Uniqueness Score: -1.00%

Function 0174A836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0174A8A8

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 38f7b18a425d7bd8dca34c063962c61ffcb8c43a40c1b41b2010ab420db7a6d3
Instruction ID: f3d2b2c4360fdf8a6ef82d960426cea3679383046fe629ccc2bffb58d0c82ca8
Opcode Fuzzy Hash: 38f7b18a425d7bd8dca34c063962c61ffcb8c43a40c1b41b2010ab420db7a6d3
Instruction Fuzzy Hash: 85218C7140D3C4AFE7138B258C94662BFB4DF07220F0984DBDD858F1A3D2695909DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0174B25A, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 0174B2B0

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: c4e67648325bb6b9a52c35c6f685d261d441aec49b57af427af9679334481f6b
Instruction ID: 811a5a10e88c00e231aca3ddac3b8f0db4734cbb1ee72161ce948a59ba18949e
Opcode Fuzzy Hash: c4e67648325bb6b9a52c35c6f685d261d441aec49b57af427af9679334481f6b
Instruction Fuzzy Hash: CB11A371504204AFEB118F29DC85B6BFBA8EF45320F1484ABEE05DB241D674E8058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0174A78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174A7F6

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a4062dfd3b24496e8657a33fb757492d7cbbe9237d0380b8efc4a6ddb441688
Instruction ID: 5e999ed534e3814d3112666ca0ca945e5253a621d0bd40a755a82f2d576e2191
Opcode Fuzzy Hash: 3a4062dfd3b24496e8657a33fb757492d7cbbe9237d0380b8efc4a6ddb441688
Instruction Fuzzy Hash: 0711A272449380AFDB238F54DC44A62FFF8EF4A210F08849AEE858B163D275A419DB61

Uniqueness

Uniqueness Score: -1.00%

Function 06011216, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06011275

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 236f5cb1dcf76839dc57d7ab70d9caa73a2cfc0d6994fc63fb71d694616fcc72
Instruction ID: 0250a993d1bf43888aafb1ebc810b40114f8e9a5467639f8793ac3d426a61ce2
Opcode Fuzzy Hash: 236f5cb1dcf76839dc57d7ab70d9caa73a2cfc0d6994fc63fb71d694616fcc72
Instruction Fuzzy Hash: 1111BF71404604EFEB618F55DC80F6AFFA8EF45320F1485ABEE499B251C274A819CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0174BAEE, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0174BB66

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 6111b12edd228e13e71bce2e89edcdbcc59fbe870805b63550b8b7daf554901a
Instruction ID: cdd7475af8213e2c9eafc5d7210353a83e3efa2d5c95714ba74b7f937c9bb5ed
Opcode Fuzzy Hash: 6111b12edd228e13e71bce2e89edcdbcc59fbe870805b63550b8b7daf554901a
Instruction Fuzzy Hash: 6E11C4715093806FD311CB65CC45F66FFB8EF86620F19819BED488B693D324B915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06013E0A, Relevance: 1.6, APIs: 1, Instructions: 59encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06013E66

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 021d9e5c90e88e7b61f441cad81e0d4b7b544ba22aee8c4f263692abd474155c
Instruction ID: 7fe11adc90571030bb308df66349298e5d751b0fd15f40c5305e912b82e20d18
Opcode Fuzzy Hash: 021d9e5c90e88e7b61f441cad81e0d4b7b544ba22aee8c4f263692abd474155c
Instruction Fuzzy Hash: AA11BF71800204AEEB218F15DC80F6AFFE8EF45320F14846BEE449B241D274A9088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06011839, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 06011898

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6d9de0fdf23c90c5769e1c14e9ca901c155365507ccf6e0e7cee9c33f7aea71d
Instruction ID: d9caa2753959e8ce35072c65fc629a35aedf78a8dae7e79e2c723cf40d5c6075
Opcode Fuzzy Hash: 6d9de0fdf23c90c5769e1c14e9ca901c155365507ccf6e0e7cee9c33f7aea71d
Instruction Fuzzy Hash: E4117C714093C4AFDB168B65D844A96BFF4EF47220F0884EADD858F163C275A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06012C16, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012C6F

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: bc96168d1d926b97701e23746b2d1034034d85d0deb664207055f84db871abe2
Instruction ID: 44e5df9191952bb12b9170498751cf8f8c75dc7d1e4436ddb41faf7a58dc1ecd
Opcode Fuzzy Hash: bc96168d1d926b97701e23746b2d1034034d85d0deb664207055f84db871abe2
Instruction Fuzzy Hash: FE11E371400204AFEB20CF14DC80FAAFFA8EF45320F14C86BEE059F241D674A5458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05EC4EA0, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05EC4EF0

Memory Dump Source

Source File: 00000003.00000002.466403052.0000000005EC0000.00000040.00000001.sdmp, Offset: 05EC0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5480f61b77933b71c2303aa5d8e8090ccfd319a343bfb3fd55b4c7b666bd6a3d
Instruction ID: 3aa582533351722eb04e614428808275bdcd653ba609505d0bd8be87de35abc4
Opcode Fuzzy Hash: 5480f61b77933b71c2303aa5d8e8090ccfd319a343bfb3fd55b4c7b666bd6a3d
Instruction Fuzzy Hash: 80212730A00319DFDB14DFA8D458AAEBBB2FF49315F10956AE401A7250EB35A882CB90

Uniqueness

Uniqueness Score: -1.00%

Function 060126EE, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012744

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: a8145b4abab7984af1b17994b205f7dcf4827c98173ac6913c1123fc61380251
Instruction ID: b5a91feb99a0948e47989c0b855118af0fa6ad963dd9d778bb68f05aa9650b3a
Opcode Fuzzy Hash: a8145b4abab7984af1b17994b205f7dcf4827c98173ac6913c1123fc61380251
Instruction Fuzzy Hash: DB11C271400204AFEB61CF15DC84B6BFFA8EF45320F1484ABEE449F241D674A5458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 060106CE, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E2C), ref: 06010737

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 88f8824ad6c603e4f9a80e09a1da00abbda176303ce065db24d52611fc999b0e
Instruction ID: 9242dcac742d86804e46bdc6997a8e28c5b798d3dddc93f809bf3657a2d188e9
Opcode Fuzzy Hash: 88f8824ad6c603e4f9a80e09a1da00abbda176303ce065db24d52611fc999b0e
Instruction Fuzzy Hash: A7110231900600EEF7209B14DC81F6AFFA8DF05720F24845BEE455E281C6B5A588CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 06012EDE, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06012F3D

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 150fe541dbc9881bc8194f07fd035318412327422a19e2c45f73846aadfbad10
Instruction ID: 1f1fd4af93c22e3a820d6b8abf961117a44ffbd595c8082a095679ca63ad0cca
Opcode Fuzzy Hash: 150fe541dbc9881bc8194f07fd035318412327422a19e2c45f73846aadfbad10
Instruction Fuzzy Hash: A711EC31440600EEEB208F15DC80F6BFFE8EF05720F1484ABEE459A251C2B0A549CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0174A078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0174A0D5

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 51b07b988d215f23d7f25bb647e68d12eefa42a524967e131f823de928e67a7e
Instruction ID: ff8d5e54459fced0ed17cec905a740405154443d835a073bebb04d8139267cdb
Opcode Fuzzy Hash: 51b07b988d215f23d7f25bb647e68d12eefa42a524967e131f823de928e67a7e
Instruction Fuzzy Hash: 6D118F71409380AFDB22CF15DC44B56FFB4EF46224F18C4AAEE858B553C275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06011AB2, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 06011B08

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 6c48325b66d2575268e5049d2baed83d452f275e7e28dd8b4b6c1e50ec04cdbd
Instruction ID: e37c5e4fa1d7a11d05703d31fde65dd0f77325cb3e976fcf4ab5919cc8f6f17c
Opcode Fuzzy Hash: 6c48325b66d2575268e5049d2baed83d452f275e7e28dd8b4b6c1e50ec04cdbd
Instruction Fuzzy Hash: D801AD71500604AEEB609F15DC85F6BFFA8EF05720F1484ABEE449B342D6A4A4498AB2

Uniqueness

Uniqueness Score: -1.00%

Function 0174AD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0174AD6A

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 373d9aa730d020b745b7016bf49c984fc7d34ab47bde773d9553ebe1cd4281d7
Instruction ID: e50408042b76e795ef2580380165bec468362dca1e679d87741ad4e6ca5db6d3
Opcode Fuzzy Hash: 373d9aa730d020b745b7016bf49c984fc7d34ab47bde773d9553ebe1cd4281d7
Instruction Fuzzy Hash: 2F118EB1A402009FEB60CF29D884766FFE8EF44221F08C4AADD8ACB246D774E444CE71

Uniqueness

Uniqueness Score: -1.00%

Function 06011086, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E2C,CDB6BE16,00000000,00000000,00000000,00000000), ref: 060110D9

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0cbeaff2115ba4a82868677eb2b18594790ad84c5c73c275d2d977af7c2dfdba
Instruction ID: 3ac269ee6a3c38722449b24b62c3deca18887869018c8996baa5fa9c22d13be3
Opcode Fuzzy Hash: 0cbeaff2115ba4a82868677eb2b18594790ad84c5c73c275d2d977af7c2dfdba
Instruction Fuzzy Hash: A501C071900604AEE760CB15DC85F6BFFA8DF05720F14C49BEE049F241D6A4A5498AB2

Uniqueness

Uniqueness Score: -1.00%

Function 06010FA0, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 06010FF4

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 43aed95b8f30d0198e325b1a1d8a6fda4ea224ba676df3eaa26358e32bbe383c
Instruction ID: 745faa863c5350795b2658dc473c9d2cae03b967a7978a52901b1f6c0a6fe1df
Opcode Fuzzy Hash: 43aed95b8f30d0198e325b1a1d8a6fda4ea224ba676df3eaa26358e32bbe383c
Instruction Fuzzy Hash: 0511C2719093C09FD7128F25DC84B52FFB4DF06220F0880DAED858F253D275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06012FB2, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 06012FFE

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: e6e31808d06fc67ff3ee718e9aa7f8812da860d90e046a2fb20d8f2bb1118abb
Instruction ID: c621f1215c4aef0f398a603c59d26a7b5a88b47b83ca2f8593c34b17fa6324b0
Opcode Fuzzy Hash: e6e31808d06fc67ff3ee718e9aa7f8812da860d90e046a2fb20d8f2bb1118abb
Instruction Fuzzy Hash: 00115A328406449FEB61CF55D884B66FFE4EF08310F0885AADE498F622D271E558DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0174B366, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,00000E2C,?,?), ref: 0174B3B6

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: d5da9e97b1e41f0f6bb1040df851349cd02acbcf6872a340bab1ecbcce6dfceb
Instruction ID: f85467c43e31a0ecfa25b679e71759034d3dcbf95b324d8c9573db5d9ab12c1d
Opcode Fuzzy Hash: d5da9e97b1e41f0f6bb1040df851349cd02acbcf6872a340bab1ecbcce6dfceb
Instruction Fuzzy Hash: 91017172900600ABD710DF16DC85F36FBA8EB88B20F14C56AED089B741E731B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0174B85E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0174B8AE

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 49d529d6f0bb750db7078c86cdf79239f02835189c0f1fb079a5191956553fd4
Instruction ID: 9643f70a73f3a22222a57fa7b0174ecef186e8d238137af115a129caff2055ac
Opcode Fuzzy Hash: 49d529d6f0bb750db7078c86cdf79239f02835189c0f1fb079a5191956553fd4
Instruction Fuzzy Hash: 12017172900600ABD710DF16DC85F36FBA8EB88B20F14C56AED089B741E731B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0174A7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174A7F6

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b5d52591142b08c4c3cb509c3b601008480a4c60f2891794078e5bbbc9b8074f
Instruction ID: 656ac4f30d2ecce86a82f070cc9d2b8f622527dda99363efb0b62e45c705018e
Opcode Fuzzy Hash: b5d52591142b08c4c3cb509c3b601008480a4c60f2891794078e5bbbc9b8074f
Instruction Fuzzy Hash: A3018432440600DFEB22CF55D844B66FFE4EF48310F18C99ADE4A4B612D375A415DF61

Uniqueness

Uniqueness Score: -1.00%

Function 06011866, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 06011898

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: dd19f06c04268e78a1c9c2c0fcd1577e31f6661804457a9c6548c984bef1e78e
Instruction ID: 49987c838410cd614f1ddf194820b07a1950a1b45f63dc1af63c59291669ee79
Opcode Fuzzy Hash: dd19f06c04268e78a1c9c2c0fcd1577e31f6661804457a9c6548c984bef1e78e
Instruction Fuzzy Hash: F201D4719002449FEB548F19D88476AFFD4DF40220F18C4ABDE098F242D2B49444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06011D8E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 06011DCC

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 09801caaaf9ef3711631429063a8170991440819ad33c0b026bd4344548dc1e7
Instruction ID: 633edc29699b798c02fdde422466b9d9402b49710d14922c766bee27d0104499
Opcode Fuzzy Hash: 09801caaaf9ef3711631429063a8170991440819ad33c0b026bd4344548dc1e7
Instruction Fuzzy Hash: 26019E31800640DFDB60CF55D884B66FFE0EF08320F18C8AADE498F616D275A458CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 060113D6, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E2C,?,?), ref: 06011426

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: a290221b907c5bedccebd98601ba218c26f607bc21ef88528a2b29c698ba6e98
Instruction ID: a5e0bd66cbbd1fbcc050afba1b6862b9aba4cea08296c05ee4fe9f35f8264036
Opcode Fuzzy Hash: a290221b907c5bedccebd98601ba218c26f607bc21ef88528a2b29c698ba6e98
Instruction Fuzzy Hash: 40018F72500600ABD210DF16DC86F36FBA8EB88B20F14811AED084B741E331B526CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0174AC76, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0174ACA8

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: cf3ea33614af0666de250cf7a1d01a392dbdaf40470bd8bb718b1ed610431388
Instruction ID: 444c5e2a2525bd6f6573dc5ebd107a7cbbca5daad6c88e4b30fc0c6a37e21cc5
Opcode Fuzzy Hash: cf3ea33614af0666de250cf7a1d01a392dbdaf40470bd8bb718b1ed610431388
Instruction Fuzzy Hash: 3C018B719002409FDB508F29D884766FFA4EF44220F18C4ABDE0A8F256D7B9A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0174B5BA, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 0174B60A

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2f8b026dd08dd6c9cf2edcb737c29e3f621766159d0bf740da9ee0e6e821ee21
Instruction ID: 3456c41a2347b29031367809d7b13c508f7662fd9118c926a0e551499247edbe
Opcode Fuzzy Hash: 2f8b026dd08dd6c9cf2edcb737c29e3f621766159d0bf740da9ee0e6e821ee21
Instruction Fuzzy Hash: 7D018F72500600ABD210DF16DC86F36FBA8EB88B20F14811AED084B741E371B526CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0174AB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0174AB7E

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: b2941484d10b7a9fdaf999f483c06e8da0ae45fc49b25d244010c1d21f19584f
Instruction ID: 24bbb823376187f4b1dce634ec6473ea5d24a85a00fda7e84d84cdea19e5d83e
Opcode Fuzzy Hash: b2941484d10b7a9fdaf999f483c06e8da0ae45fc49b25d244010c1d21f19584f
Instruction Fuzzy Hash: 6C018F72500600ABD210DF16DC86F36FBA8FB88B20F14811AED084B741E331B526CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0174B00E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0174B040

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 51086dd86cd523722cb39ab5d3a1797a135c2d04f03ba994b9b4addd95ae0ab0
Instruction ID: 88b16256303a48a5aeb6ff8cdf960037febdf999167a93d3608827225aee876e
Opcode Fuzzy Hash: 51086dd86cd523722cb39ab5d3a1797a135c2d04f03ba994b9b4addd95ae0ab0
Instruction Fuzzy Hash: 9601DF71500600DFDB10CF29D884766FFE4EF40221F18C0ABDD498B622C675E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06010FC2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 06010FF4

Memory Dump Source

Source File: 00000003.00000002.466498378.0000000006010000.00000040.00000001.sdmp, Offset: 06010000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 8d4189b390127f7928813981e629a1592c231ca1a0b6ab779a947b16d9b807ff
Instruction ID: d0eeba68fed2ed64f95557819d669cd0f152bc7140dc94c5faad240b7496af9b
Opcode Fuzzy Hash: 8d4189b390127f7928813981e629a1592c231ca1a0b6ab779a947b16d9b807ff
Instruction Fuzzy Hash: 15012130900640DFDB548F19D88476AFFE0EF04320F08C0AADE098F212C6B5E458CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174A47A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0174A4AC

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 030d658c7777d4e658b973c32a075e189b82f46e3e7cf006e5656f759615b97d
Instruction ID: 40900f648d9a2a29069344b5e40d28c880e30c7fe89243b74c85bfe42359446e
Opcode Fuzzy Hash: 030d658c7777d4e658b973c32a075e189b82f46e3e7cf006e5656f759615b97d
Instruction Fuzzy Hash: 05014B758442449FDB21CF1DD88876AFFA4EF44220F18C4AADE498B216D3B9A408CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0174A876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,CDB6BE16,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 0174A8A8

Memory Dump Source

Source File: 00000003.00000002.461681606.000000000174A000.00000040.00000001.sdmp, Offset: 0174A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8f23971ec1450ef7ccb904f9ef8c89dd5b9f6cb2a4a468bd03388139f6632a60
Instruction ID: f4d731f622a129d8f56ea7b95280f5cfa49c9e81269981bf8b5010c149b535b7
Opcode Fuzzy Hash: 8f23971ec1450ef7ccb904f9ef8c89dd5b9f6cb2a4a468bd03388139f6632a60
Instruction Fuzzy Hash: 04F0AF34940744DFEB218F19D884766FFA8EF04320F18C49ADE4A4F212D3B5A419CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0171025D, Relevance: .7, Instructions: 697COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.461645207.0000000001710000.00000040.00000040.sdmp, Offset: 01710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec67b14e7bc2f3583fa829c8c25782aa812013b3a44d639c099cb2926215e87c
Instruction ID: 610fab97429075bba6d466e30dc6abdc7f5ee0d38d6173a325274d28d319ef42
Opcode Fuzzy Hash: ec67b14e7bc2f3583fa829c8c25782aa812013b3a44d639c099cb2926215e87c
Instruction Fuzzy Hash: D741CF6140E3C05FD7038B759C646A1BFB49E43220B1E85EBD8C5CF5A3D22A584AC773

Uniqueness

Uniqueness Score: -1.00%

Function 0602300E, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.466515339.0000000006020000.00000040.00000001.sdmp, Offset: 06020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab64229863371787cabf25ffe5c6037fbfe20cd90108514a8846cb9febe19ea
Instruction ID: 2199d4d94e86256565df42eb14952b0157dad28c589a10977a78d54d02bcc325
Opcode Fuzzy Hash: cab64229863371787cabf25ffe5c6037fbfe20cd90108514a8846cb9febe19ea
Instruction Fuzzy Hash: 1021C5B5608341AFD340CF19D880A5BFBE4FF89660F14896EF988D7311D275E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 06023A80, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.466515339.0000000006020000.00000040.00000001.sdmp, Offset: 06020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8903c72379a6d0147e466723af015638feb6f6fc5c8ed35a07a683dc6cbf75d
Instruction ID: 328baefc9b5f4f1a1765bb414a9724e68836b1ee662a2c56aa49a5f65984cc63
Opcode Fuzzy Hash: c8903c72379a6d0147e466723af015638feb6f6fc5c8ed35a07a683dc6cbf75d
Instruction Fuzzy Hash: A211CCB5908301AFD350CF19D880A5BFBE4FB88664F14896EF998D7311D371EA148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0171075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.461645207.0000000001710000.00000040.00000040.sdmp, Offset: 01710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71519f028c49039220bfaa579944855c33719adb01876473a8195ddab59a0cec
Instruction ID: a5aa6a7c5e18188b12c8a1ce576afcbb4d35a60700a8547f0b1643488e99ed53
Opcode Fuzzy Hash: 71519f028c49039220bfaa579944855c33719adb01876473a8195ddab59a0cec
Instruction Fuzzy Hash: 1111E434204244EFD705DB28C984B26FBD1AB88708F24C59CF9491B647C777D843CE51

Uniqueness

Uniqueness Score: -1.00%

Function 06023924, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.466515339.0000000006020000.00000040.00000001.sdmp, Offset: 06020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c366bfa2c1d0f958b3d575125c4f10493da03beca0de38ecca182deacc08c745
Instruction ID: 75a11943afcd4ea667cb0052c448e06fba0425f8324caedff68bbf9543e762a7
Opcode Fuzzy Hash: c366bfa2c1d0f958b3d575125c4f10493da03beca0de38ecca182deacc08c745
Instruction Fuzzy Hash: 0211ECB5508305AFD350CF09DC80E5BFBE8EB88660F14891EFD5997311D271E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 01710818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.461645207.0000000001710000.00000040.00000040.sdmp, Offset: 01710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 8cacecf5bdaa75b46f576d38328f6568d33523538440de714ae78233ecfb0acb
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 0CF04B35108644DFC702CF04C940B15FBA2FB89718F24C6A9E9480B656C3379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 017105F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.461645207.0000000001710000.00000040.00000040.sdmp, Offset: 01710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1e06d8c6949dcd3cda72a98c72cb3b81742df5c0dbedc6834e513d0ecbce56
Instruction ID: 14fd1696e37d8777b7c83e26ca5e0a4ea1cfb14efab543a4a06d26f6777fded8
Opcode Fuzzy Hash: 5f1e06d8c6949dcd3cda72a98c72cb3b81742df5c0dbedc6834e513d0ecbce56
Instruction Fuzzy Hash: 65E09276A006008BD650CF0BEC81466F7E8EB88630B18C47FDD0D8B701E135B515CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 06023973, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.466515339.0000000006020000.00000040.00000001.sdmp, Offset: 06020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c27b5d8441501fae8441cc1466a0d288cbcd90e21c204949124c75fa13c4656
Instruction ID: 40413a161e2dca7939ecf05855b24a76e52343b46f1dc46b74532af41e8a25d9
Opcode Fuzzy Hash: 7c27b5d8441501fae8441cc1466a0d288cbcd90e21c204949124c75fa13c4656
Instruction Fuzzy Hash: 59E0D8729003046BD2509F069C85B63FB98DB40A30F14C55BEE0D5F302D172B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 06023083, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.466515339.0000000006020000.00000040.00000001.sdmp, Offset: 06020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7910418163c1e9432cdbe378710d4ad96d04f410a3490f25f8b80cf3255a09f
Instruction ID: dd66ac5dfa63bf743021cd5dcd03f8c22e3fab0e5b129cae9e37182ca1622362
Opcode Fuzzy Hash: a7910418163c1e9432cdbe378710d4ad96d04f410a3490f25f8b80cf3255a09f
Instruction Fuzzy Hash: 29E0D8729003046BD2108F069C85B63FB58DB40A70F14C45BEE085F702D171B5248AF5

Uniqueness

Uniqueness Score: -1.00%

Function 06023397, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.466515339.0000000006020000.00000040.00000001.sdmp, Offset: 06020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438b9e09f0cb9839ba37118587f8698bef105a457eca2936e874d3a892f5a2d3
Instruction ID: fdb70ca9a4e53a8e00c867ee46244d5e9cfa4e783abc8302c8a3996e0c64aa02
Opcode Fuzzy Hash: 438b9e09f0cb9839ba37118587f8698bef105a457eca2936e874d3a892f5a2d3
Instruction Fuzzy Hash: 05E0D8B29002046BD2109F06AC86B63FB98DB40A70F14C45BEE085B302D172B524CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 06023AEB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.466515339.0000000006020000.00000040.00000001.sdmp, Offset: 06020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837f80bfb3f00ffba58c8f34797bf0e727c0158238d134f0580337c9a4e1e736
Instruction ID: c463284f3571a5544b6d743ae6af43561e5558b44247f72b81ce917a632d33c4
Opcode Fuzzy Hash: 837f80bfb3f00ffba58c8f34797bf0e727c0158238d134f0580337c9a4e1e736
Instruction Fuzzy Hash: 3FE0D8B29403046BD2108F069C85B63FB9CDB44A30F14C46BEE085B302D171B5248AF5

Uniqueness

Uniqueness Score: -1.00%

Function 017423F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.461672816.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8957c6b3913106d377e095c7eb2c44493ff1d59c97a9b9ed3cccaee79736eb0a
Instruction ID: 9f4868c6c052cae1893579cf59fa4fdc0a63ae217ec760b3ad4568335b4ab8d2
Opcode Fuzzy Hash: 8957c6b3913106d377e095c7eb2c44493ff1d59c97a9b9ed3cccaee79736eb0a
Instruction Fuzzy Hash: 0ED05E79315A818FE3268A1CD1A8BA57FA4EB51B04F5644FDF8008B6A3C768D991D200

Uniqueness

Uniqueness Score: -1.00%

Function 017423BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.461672816.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af61fc81d630531c6578989c63a84f93022083ad422275023944f6a7f619dfe
Instruction ID: 07755e0e21280f0803893f327c0ae319ec52a4b6a9af9124fba32c3b858db0ef
Opcode Fuzzy Hash: 8af61fc81d630531c6578989c63a84f93022083ad422275023944f6a7f619dfe
Instruction Fuzzy Hash: E1D05E342002818BD715DB0CD594F597BE4AB41B00F0644E8BD008B662C3A4D891C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report malware.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre