Play interactive tour

Edit tour

Analysis Report BILL-OOO566876.exe

Overview

General Information

Sample Name:	BILL-OOO566876.exe
Analysis ID:	385473
MD5:	1c84862e5b015bcecf6a194d17172dcf
SHA1:	a3e0a0bda2cdef94089a6012bd025113f9fbead9
SHA256:	ea29689e038f2a801066054f8ae2e3e3884127e8ac897f5467055250ce2b42f9
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

BILL-OOO566876.exe (PID: 1308 cmdline: 'C:\Users\user\Desktop\BILL-OOO566876.exe' MD5: 1C84862E5B015BCECF6A194D17172DCF)

BILL-OOO566876.exe (PID: 1156 cmdline: {path} MD5: 1C84862E5B015BCECF6A194D17172DCF)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "rainie.wang@syntrnomh.comTdn$AuZro1smtp.syntrnomh.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BILL-OOO566876.exe PID: 1156	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BILL-OOO566876.exe PID: 1156	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BILL-OOO566876.exe PID: 1308	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BILL-OOO566876.exe PID: 1308	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.BILL-OOO566876.exe.40f75c0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.BILL-OOO566876.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BILL-OOO566876.exe.40f75c0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BILL-OOO566876.exe.3fb6720.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.BILL-OOO566876.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "rainie.wang@syntrnomh.comTdn$AuZro1smtp.syntrnomh.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: BILL-OOO566876.exe	Virustotal: Detection: 24%			Perma Link
Source: BILL-OOO566876.exe	ReversingLabs: Detection: 52%

Machine Learning detection for sample

Show sources

Source: BILL-OOO566876.exe

Joe Sandbox ML: detected

Source: 2.2.BILL-OOO566876.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: BILL-OOO566876.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: BILL-OOO566876.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: BILL-OOO566876.exe, 00000000.00000002.235301407.00000000093A0000.00000002.00000001.sdmp, BILL-OOO566876.exe, 00000002.00000002.473146526.0000000000FC0000.00000002.00000001.sdmp

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 208.91.199.225:587

Source: Joe Sandbox View

IP Address: 208.91.199.225 208.91.199.225

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 208.91.199.225:587

Source: unknown

DNS traffic detected: queries for: smtp.syntrnomh.com

Source: BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: BILL-OOO566876.exe, 00000002.00000002.476441058.0000000002EFC000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000002.00000002.476845028.0000000002F88000.00000004.00000001.sdmp	String found in binary or memory: http://YdPNTdHEQXue9T.org
Source: BILL-OOO566876.exe, 00000002.00000002.476441058.0000000002EFC000.00000004.00000001.sdmp	String found in binary or memory: http://YdPNTdHEQXue9T.orgl;
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: http://api.github.com/repos/
Source: BILL-OOO566876.exe, 00000000.00000003.203328834.00000000053D7000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: http://hBlbMr.com
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BILL-OOO566876.exe, 00000000.00000003.206256359.00000000053D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: BILL-OOO566876.exe, 00000000.00000003.206174068.00000000053D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com)
Source: BILL-OOO566876.exe, 00000000.00000003.206174068.00000000053D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comY
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: BILL-OOO566876.exe, 00000000.00000003.206256359.00000000053D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comu
Source: BILL-OOO566876.exe, 00000000.00000003.218522176.00000000053D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BILL-OOO566876.exe, 00000000.00000003.208525319.000000000540D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BILL-OOO566876.exe, 00000000.00000003.208525319.000000000540D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmld
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp, BILL-OOO566876.exe, 00000000.00000003.208195250.000000000540D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: BILL-OOO566876.exe, 00000000.00000003.218522176.00000000053D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: BILL-OOO566876.exe, 00000000.00000003.218522176.00000000053D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: BILL-OOO566876.exe, 00000000.00000003.202973628.00000000053EB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comno
Source: BILL-OOO566876.exe, 00000000.00000003.202973628.00000000053EB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comx
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BILL-OOO566876.exe, 00000000.00000003.211731693.000000000540D000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BILL-OOO566876.exe, 00000000.00000003.202808276.00000000053EB000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: BILL-OOO566876.exe, 00000000.00000003.203388064.00000000053EB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comc
Source: BILL-OOO566876.exe, 00000000.00000003.204324110.00000000053EB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comx
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://8chan.moe/
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://8kun.top/
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://a.4cdn.org/
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://api.420chan.org/
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/murrty/YChanEx/
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/murrty/ychanex
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/murrty/ychanex/releases/latest
Source: BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: BILL-OOO566876.exe, 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 2.2.BILL-OOO566876.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b386A76A6u002d42ADu002d45E1u002d9C77u002d7549EE260D53u007d/CA2BB758u002dC547u002d44ECu002dA120u002dBDF675DDAE8B.cs

Large array initialization: .cctor: array initializer size 11936

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: BILL-OOO566876.exe

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00DCB0BA NtQuerySystemInformation,		2_2_00DCB0BA
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00DCB089 NtQuerySystemInformation,		2_2_00DCB089

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05072950	0_2_05072950
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507E989	0_2_0507E989
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507ADE0	0_2_0507ADE0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05077C48	0_2_05077C48
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05078CB8	0_2_05078CB8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507F4B8	0_2_0507F4B8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05070B18	0_2_05070B18
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507B739	0_2_0507B739
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05071B70	0_2_05071B70
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050797C0	0_2_050797C0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05079200	0_2_05079200
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507C628	0_2_0507C628
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05071240	0_2_05071240
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507A6B0	0_2_0507A6B0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507715E	0_2_0507715E
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050771A8	0_2_050771A8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507E5D0	0_2_0507E5D0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507E5E0	0_2_0507E5E0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050791F1	0_2_050791F1
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507DDF0	0_2_0507DDF0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05077C38	0_2_05077C38
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05072878	0_2_05072878
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05070099	0_2_05070099
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050700A8	0_2_050700A8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05078CA8	0_2_05078CA8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507E0A8	0_2_0507E0A8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050748D1	0_2_050748D1
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050748E0	0_2_050748E0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05074700	0_2_05074700
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05074B00	0_2_05074B00
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507D330	0_2_0507D330
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507D340	0_2_0507D340
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05071B60	0_2_05071B60
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05078378	0_2_05078378
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05078388	0_2_05078388
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507E7B8	0_2_0507E7B8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05076BC2	0_2_05076BC2
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05079BC0	0_2_05079BC0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507E7C8	0_2_0507E7C8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507E3D0	0_2_0507E3D0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507E3E0	0_2_0507E3E0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05076BF0	0_2_05076BF0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507DE00	0_2_0507DE00
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05075E11	0_2_05075E11
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507C626	0_2_0507C626
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05075E20	0_2_05075E20
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05071230	0_2_05071230
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507B24E	0_2_0507B24E
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05076660	0_2_05076660
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05071668	0_2_05071668
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0507A671	0_2_0507A671
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05076670	0_2_05076670
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05071678	0_2_05071678
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05070A80	0_2_05070A80
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050736D9	0_2_050736D9
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050736E8	0_2_050736E8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050746F1	0_2_050746F1
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05074AF0	0_2_05074AF0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE02268	0_2_0EE02268
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE008E0	0_2_0EE008E0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE00FC8	0_2_0EE00FC8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE008D0	0_2_0EE008D0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE00FB9	0_2_0EE00FB9
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE02480	0_2_0EE02480
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE01F91	0_2_0EE01F91
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE00070	0_2_0EE00070
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE02470	0_2_0EE02470
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE00D40	0_2_0EE00D40
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE00D50	0_2_0EE00D50
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_0EE00007	0_2_0EE00007
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00F904C0	2_2_00F904C0
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00F95E98	2_2_00F95E98
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00F9AA18	2_2_00F9AA18
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00F966D1	2_2_00F966D1
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_0112D3F8	2_2_0112D3F8
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_01127280	2_2_01127280
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_0112A2C8	2_2_0112A2C8

Source: BILL-OOO566876.exe	Binary or memory string: OriginalFilename vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: get_SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: set_SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: chkSaveOriginalFileNames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000002.224944328.00000000051F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMetroFramework.dll> vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000000.201469299.00000000007E2000.00000002.00020000.sdmp	Binary or memory string: HttpWebRequestMethodIfModifiedSinceDownloadsget_SaveThumbnailsset_SaveThumbnailsget_SaveHTMLset_SaveHTMLget_SaveOriginalFilenamesset_SaveOriginalFilenamesget_PreventDuplicatesset_PreventDuplicatesget_DownloadPathset_DownloadPathget_ScannerDelayset_ScannerDelayget_AllowFileNamesGreaterThan255set_AllowFileNamesGreaterThan255get_fchanWarningset_fchanWarningget_UseThreadNameset_UseThreadName vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000000.201469299.00000000007E2000.00000002.00020000.sdmp	Binary or memory string: SaveThumbnailsSaveHTMLSaveOriginalFilenamesPreventDuplicatesDownloadPathScannerDelayAllowFileNamesGreaterThan255fchanWarningUseThreadNameErrorLogReportWebExceptionWebExceptionWebsiteAddressReportExceptionExceptionIsWriteToFileWriteToFileBuffer vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000000.201469299.00000000007E2000.00000002.00020000.sdmp	Binary or memory string: frmSettingstcMainTabControltabDownloadsTabPagenumTimerNumericUpDownlbTimerlbSavePathbtnBrowsechkMoveExistingDownloadsCheckBoxtabApplicationtabAdvancedtabResetbtnUserScriptbtnProtocolbtnSCanbtnSSavechkPreventDuplicateschkSaveOriginalFileNameschkDownloadThumbnailschkDownloadHTMLtxtSavePathchkUseFullBoardNameForTitlechkEnableUpdateschkShowExitWarningchkMinimizeToTraychkShowTrayIconttSettingsToolTipchkSaveDownloadQueueOnExitlbUserAgentchkSilenceErrorschkDisableScannerWhenOpeningSettingstxtUserAgentbtnOpenLocalFilestabRegexlbRegexInfotxtRegexlvRegexchkAllowFileNamesGreaterThan255chkMinimizeInsteadOfExitinglbRegexHintchkResetRegexSettingschkResetAdvancedSettingschkResetApplicationSettingschkResetDownloadSettingsbtnResetSettingschkEnableSettingsResetlbScanDelaySecondschkRetrieveThreadNamebtnSSave_ClickLoadSettingsSaveSettingsbtnBrowse_ClickbtnSCan_ClickbtnOpenLocalFiles_ClicklvRegex_SelectedIndexChangedtxtRegex_TextChangedchkEnableSettingsReset_CheckedChangedbtnResetSettings_Click vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000000.201469299.00000000007E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemWu~ vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRJrtDKvhAdvpEZGtLbeHPhuoFONJcv.exe4 vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000000.00000002.235301407.00000000093A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: OriginalFilename vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: get_SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: set_SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: chkSaveOriginalFileNames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.470196435.0000000000632000.00000002.00020000.sdmp	Binary or memory string: HttpWebRequestMethodIfModifiedSinceDownloadsget_SaveThumbnailsset_SaveThumbnailsget_SaveHTMLset_SaveHTMLget_SaveOriginalFilenamesset_SaveOriginalFilenamesget_PreventDuplicatesset_PreventDuplicatesget_DownloadPathset_DownloadPathget_ScannerDelayset_ScannerDelayget_AllowFileNamesGreaterThan255set_AllowFileNamesGreaterThan255get_fchanWarningset_fchanWarningget_UseThreadNameset_UseThreadName vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.470196435.0000000000632000.00000002.00020000.sdmp	Binary or memory string: SaveThumbnailsSaveHTMLSaveOriginalFilenamesPreventDuplicatesDownloadPathScannerDelayAllowFileNamesGreaterThan255fchanWarningUseThreadNameErrorLogReportWebExceptionWebExceptionWebsiteAddressReportExceptionExceptionIsWriteToFileWriteToFileBuffer vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.470196435.0000000000632000.00000002.00020000.sdmp	Binary or memory string: frmSettingstcMainTabControltabDownloadsTabPagenumTimerNumericUpDownlbTimerlbSavePathbtnBrowsechkMoveExistingDownloadsCheckBoxtabApplicationtabAdvancedtabResetbtnUserScriptbtnProtocolbtnSCanbtnSSavechkPreventDuplicateschkSaveOriginalFileNameschkDownloadThumbnailschkDownloadHTMLtxtSavePathchkUseFullBoardNameForTitlechkEnableUpdateschkShowExitWarningchkMinimizeToTraychkShowTrayIconttSettingsToolTipchkSaveDownloadQueueOnExitlbUserAgentchkSilenceErrorschkDisableScannerWhenOpeningSettingstxtUserAgentbtnOpenLocalFilestabRegexlbRegexInfotxtRegexlvRegexchkAllowFileNamesGreaterThan255chkMinimizeInsteadOfExitinglbRegexHintchkResetRegexSettingschkResetAdvancedSettingschkResetApplicationSettingschkResetDownloadSettingsbtnResetSettingschkEnableSettingsResetlbScanDelaySecondschkRetrieveThreadNamebtnSSave_ClickLoadSettingsSaveSettingsbtnBrowse_ClickbtnSCan_ClickbtnOpenLocalFiles_ClicklvRegex_SelectedIndexChangedtxtRegex_TextChangedchkEnableSettingsReset_CheckedChangedbtnResetSettings_Click vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.470196435.0000000000632000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemWu~ vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.472372681.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.473146526.0000000000FC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameRJrtDKvhAdvpEZGtLbeHPhuoFONJcv.exe4 vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe, 00000002.00000002.472477668.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: get_SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: set_SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: HttpWebRequestMethodIfModifiedSinceDownloadsget_SaveThumbnailsset_SaveThumbnailsget_SaveHTMLset_SaveHTMLget_SaveOriginalFilenamesset_SaveOriginalFilenamesget_PreventDuplicatesset_PreventDuplicatesget_DownloadPathset_DownloadPathget_ScannerDelayset_ScannerDelayget_AllowFileNamesGreaterThan255set_AllowFileNamesGreaterThan255get_fchanWarningset_fchanWarningget_UseThreadNameset_UseThreadName vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: SaveOriginalFilenames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: SaveThumbnailsSaveHTMLSaveOriginalFilenamesPreventDuplicatesDownloadPathScannerDelayAllowFileNamesGreaterThan255fchanWarningUseThreadNameErrorLogReportWebExceptionWebExceptionWebsiteAddressReportExceptionExceptionIsWriteToFileWriteToFileBuffer vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: chkSaveOriginalFileNames vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: frmSettingstcMainTabControltabDownloadsTabPagenumTimerNumericUpDownlbTimerlbSavePathbtnBrowsechkMoveExistingDownloadsCheckBoxtabApplicationtabAdvancedtabResetbtnUserScriptbtnProtocolbtnSCanbtnSSavechkPreventDuplicateschkSaveOriginalFileNameschkDownloadThumbnailschkDownloadHTMLtxtSavePathchkUseFullBoardNameForTitlechkEnableUpdateschkShowExitWarningchkMinimizeToTraychkShowTrayIconttSettingsToolTipchkSaveDownloadQueueOnExitlbUserAgentchkSilenceErrorschkDisableScannerWhenOpeningSettingstxtUserAgentbtnOpenLocalFilestabRegexlbRegexInfotxtRegexlvRegexchkAllowFileNamesGreaterThan255chkMinimizeInsteadOfExitinglbRegexHintchkResetRegexSettingschkResetAdvancedSettingschkResetApplicationSettingschkResetDownloadSettingsbtnResetSettingschkEnableSettingsResetlbScanDelaySecondschkRetrieveThreadNamebtnSSave_ClickLoadSettingsSaveSettingsbtnBrowse_ClickbtnSCan_ClickbtnOpenLocalFiles_ClicklvRegex_SelectedIndexChangedtxtRegex_TextChangedchkEnableSettingsReset_CheckedChangedbtnResetSettings_Click vs BILL-OOO566876.exe
Source: BILL-OOO566876.exe	Binary or memory string: OriginalFilenamemWu~ vs BILL-OOO566876.exe

Source: BILL-OOO566876.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: BILL-OOO566876.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 2.2.BILL-OOO566876.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.BILL-OOO566876.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00DCAF3E AdjustTokenPrivileges,		2_2_00DCAF3E
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00DCAF07 AdjustTokenPrivileges,		2_2_00DCAF07

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BILL-OOO566876.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: BILL-OOO566876.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: BILL-OOO566876.exe	Virustotal: Detection: 24%
Source: BILL-OOO566876.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\BILL-OOO566876.exe 'C:\Users\user\Desktop\BILL-OOO566876.exe'
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process created: C:\Users\user\Desktop\BILL-OOO566876.exe {path}
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process created: C:\Users\user\Desktop\BILL-OOO566876.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: BILL-OOO566876.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: BILL-OOO566876.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_007E2D3F push es; retf	0_2_007E2DD3
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_007E2900 push 00000001h; ret	0_2_007E2903
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_007E68FC push es; ret	0_2_007E6903
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_007E26F3 push esp; retf	0_2_007E26F6
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_007E24D9 push edx; retf	0_2_007E24DA
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_050727D2 push es; ret	0_2_050727D9
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 0_2_05076289 push FFFFFFB2h; retf	0_2_0507628B
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00632D3F push es; retf	2_2_00632DD3
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_00632900 push 00000001h; ret	2_2_00632903
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_006326F3 push esp; retf	2_2_006326F6
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_006368FC push es; ret	2_2_00636903
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Code function: 2_2_006324D9 push edx; retf	2_2_006324DA

Source: initial sample

Static PE information: section name: .text entropy: 7.62974179137

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match

File source: Process Memory Space: BILL-OOO566876.exe PID: 1308, type: MEMORY

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,processQueried,processQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Window / User API: threadDelayed 665

Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 6024	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 6040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 4800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 4800	Thread sleep count: 665 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 4800	Thread sleep time: -19950000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 4800	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe TID: 4800	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Thread delayed: delay time: 31500	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: BILL-OOO566876.exe, 00000002.00000002.471992237.0000000000CDD000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllessor Free20191113112613.000000-420\Device\HarddiskVolume2\Device\HarddiskVolume420200930080229.493177-42064-bit
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: BILL-OOO566876.exe, 00000002.00000002.471992237.0000000000CDD000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: BILL-OOO566876.exe, 00000000.00000002.221270169.0000000002F9C000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: BILL-OOO566876.exe, 00000002.00000002.477494800.0000000005160000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Code function: 2_2_00F9C948 LdrInitializeThunk,

2_2_00F9C948

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Memory written: C:\Users\user\Desktop\BILL-OOO566876.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Process created: C:\Users\user\Desktop\BILL-OOO566876.exe {path}

Jump to behavior

Source: BILL-OOO566876.exe, 00000002.00000002.473566293.0000000001540000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: BILL-OOO566876.exe, 00000002.00000002.473566293.0000000001540000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: BILL-OOO566876.exe, 00000002.00000002.473566293.0000000001540000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: BILL-OOO566876.exe, 00000002.00000002.473566293.0000000001540000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BILL-OOO566876.exe PID: 1156, type: MEMORY
Source: Yara match	File source: Process Memory Space: BILL-OOO566876.exe PID: 1308, type: MEMORY
Source: Yara match	File source: 0.2.BILL-OOO566876.exe.40f75c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.BILL-OOO566876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BILL-OOO566876.exe.40f75c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BILL-OOO566876.exe.3fb6720.3.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\BILL-OOO566876.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\BILL-OOO566876.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\BILL-OOO566876.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BILL-OOO566876.exe PID: 1156, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BILL-OOO566876.exe PID: 1156, type: MEMORY
Source: Yara match	File source: Process Memory Space: BILL-OOO566876.exe PID: 1308, type: MEMORY
Source: Yara match	File source: 0.2.BILL-OOO566876.exe.40f75c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.BILL-OOO566876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BILL-OOO566876.exe.40f75c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BILL-OOO566876.exe.3fb6720.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools11	Credentials in Registry1	Security Software Discovery211	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Virtualization/Sandbox Evasion131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BILL-OOO566876.exe	25%	Virustotal		Browse
BILL-OOO566876.exe	16%	Metadefender		Browse
BILL-OOO566876.exe	52%	ReversingLabs	Win32.Trojan.AgentTesla
BILL-OOO566876.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.BILL-OOO566876.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.fonts.comno	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://hBlbMr.com	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://8chan.moe/	0%	Avira URL Cloud	safe
http://YdPNTdHEQXue9T.orgl;	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com)	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fonts.comx	0%	URL Reputation	safe
http://www.fonts.comx	0%	URL Reputation	safe
http://www.fonts.comx	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.fontbureau.com=	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.tiro.comx	0%	Avira URL Cloud	safe
https://8kun.top/	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.carterandcone.comY	0%	Avira URL Cloud	safe
http://www.carterandcone.comu	0%	Avira URL Cloud	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
https://raw.githubusercontent.com/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://YdPNTdHEQXue9T.org	0%	Avira URL Cloud	safe
http://www.tiro.comc	0%	URL Reputation	safe
http://www.tiro.comc	0%	URL Reputation	safe
http://www.tiro.comc	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.225	true	false		high
smtp.syntrnomh.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false		high
http://www.fonts.comno	BILL-OOO566876.exe, 00000000.00000003.202973628.00000000053EB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/murrty/ychanex/releases/latest	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.420chan.org/	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false		high
http://hBlbMr.com	BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://8chan.moe/	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false		high
http://YdPNTdHEQXue9T.orgl;	BILL-OOO566876.exe, 00000002.00000002.476441058.0000000002EFC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.goodfont.co.kr	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	BILL-OOO566876.exe, 00000000.00000003.206256359.00000000053D9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com)	BILL-OOO566876.exe, 00000000.00000003.206174068.00000000053D7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.sajatypeworks.com	BILL-OOO566876.exe, 00000000.00000003.202808276.00000000053EB000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	BILL-OOO566876.exe, 00000000.00000003.211731693.000000000540D000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/murrty/ychanex	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false		high
https://github.com/	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comx	BILL-OOO566876.exe, 00000000.00000003.202973628.00000000053EB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	BILL-OOO566876.exe, 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com=	BILL-OOO566876.exe, 00000000.00000003.218522176.00000000053D0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	BILL-OOO566876.exe, 00000000.00000003.218522176.00000000053D0000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comx	BILL-OOO566876.exe, 00000000.00000003.204324110.00000000053EB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://8kun.top/	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	BILL-OOO566876.exe, 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comY	BILL-OOO566876.exe, 00000000.00000003.206174068.00000000053D7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comu	BILL-OOO566876.exe, 00000000.00000003.206256359.00000000053D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.coma	BILL-OOO566876.exe, 00000000.00000003.218522176.00000000053D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmld	BILL-OOO566876.exe, 00000000.00000003.208525319.000000000540D000.00000004.00000001.sdmp	false		high
http://en.w	BILL-OOO566876.exe, 00000000.00000003.203328834.00000000053D7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://raw.githubusercontent.com/	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp, BILL-OOO566876.exe, 00000000.00000003.208195250.000000000540D000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	BILL-OOO566876.exe, 00000000.00000003.208525319.000000000540D000.00000004.00000001.sdmp	false		high
https://a.4cdn.org/	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	BILL-OOO566876.exe, 00000000.00000002.225516202.00000000054C0000.00000002.00000001.sdmp	false		high
https://github.com/murrty/YChanEx/	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false		high
http://YdPNTdHEQXue9T.org	BILL-OOO566876.exe, 00000002.00000002.476441058.0000000002EFC000.00000004.00000001.sdmp, BILL-OOO566876.exe, 00000002.00000002.476845028.0000000002F88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://api.github.com/repos/	BILL-OOO566876.exe, 00000000.00000002.221101600.0000000002F11000.00000004.00000001.sdmp	false		high
http://www.tiro.comc	BILL-OOO566876.exe, 00000000.00000003.203388064.00000000053EB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.225	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385473
Start date:	12.04.2021
Start time:	15:16:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BILL-OOO566876.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.9% (good quality ratio 6.6%) Quality average: 32.2% Quality standard deviation: 36.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 261 Number of non-executed functions: 45
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 204.79.197.200, 13.107.21.200, 52.147.198.201, 20.50.102.62, 184.30.24.56, 92.122.213.194, 92.122.213.247, 13.88.21.125, 205.185.216.42, 205.185.216.10, 20.54.26.129, 13.64.90.137 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:17:11	API Interceptor	969x Sleep call for process: BILL-OOO566876.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.199.225	ORDER 9387383900.xlsx	Get hash	malicious	Browse
	usd 420232.exe	Get hash	malicious	Browse
	P037725600.exe	Get hash	malicious	Browse
	VAT INVOICE.exe	Get hash	malicious	Browse
	New Order PO#121012020_____PDF_______.exe	Get hash	malicious	Browse
	swift Copy.xls.exe	Get hash	malicious	Browse
	AD1-2001028L.exe	Get hash	malicious	Browse
	AD1-2001028L (2).exe	Get hash	malicious	Browse
	#U7f8e#U91d1#U532f#U738728.84 (USD 40,257+5% #U7a05.exe	Get hash	malicious	Browse
	balance payment.exe	Get hash	malicious	Browse
	Image0001.exe	Get hash	malicious	Browse
	money.exe	Get hash	malicious	Browse
	new order.doc	Get hash	malicious	Browse
	New Enquiry.MORROCCO.exe	Get hash	malicious	Browse
	Purchase Order #07916813.exe	Get hash	malicious	Browse
	QUOTATION 03-28-2021.exe	Get hash	malicious	Browse
	PURCHASE ORDER COPY.exe	Get hash	malicious	Browse
	credit notification.exe	Get hash	malicious	Browse
	PURCHASE ORDER COPY.exe	Get hash	malicious	Browse
	Ref_0866_0817.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	SecuriteInfo.com.Scr.Malcodegdn30.29716.exe	Get hash	malicious	Browse	208.91.198.143
	ORDER 9387383900.xlsx	Get hash	malicious	Browse	208.91.199.225
	Payment Advice Note from 02.04.2021 to 608761.exe	Get hash	malicious	Browse	208.91.199.223
	e0xd7qhFaMk3Dpx.exe	Get hash	malicious	Browse	208.91.198.143
	PAGO FACTURA V-8680.exe	Get hash	malicious	Browse	208.91.198.143
	usd 420232.exe	Get hash	malicious	Browse	208.91.199.225
	P037725600.exe	Get hash	malicious	Browse	208.91.199.225
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.225
	NEW ORDER.exe	Get hash	malicious	Browse	208.91.198.143
	TRANSFERENCIA AL EXTERIOR U810295.exe	Get hash	malicious	Browse	208.91.198.143
	PAYMENT SWIFT COPY MT103.exe	Get hash	malicious	Browse	208.91.198.143
	UPDATED SOA.exe	Get hash	malicious	Browse	208.91.199.224
	BANK PAYMENT.exe	Get hash	malicious	Browse	208.91.199.224
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	IMG_00000000001.PDF.exe	Get hash	malicious	Browse	208.91.198.143
	New Order PO#121012020_____PDF_______.exe	Get hash	malicious	Browse	208.91.198.143
	swift Copy.xls.exe	Get hash	malicious	Browse	208.91.199.225
	FN vw Safety 1 & 2.exe	Get hash	malicious	Browse	208.91.199.223
	MV TBN.uslfze.exe	Get hash	malicious	Browse	208.91.199.224

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	SecuriteInfo.com.Scr.Malcodegdn30.29716.exe	Get hash	malicious	Browse	208.91.198.143
	commercial invoice & packing list doc.exe	Get hash	malicious	Browse	43.225.55.205
	ORDER 9387383900.xlsx	Get hash	malicious	Browse	208.91.199.225
	Payment Advice Note from 02.04.2021 to 608761.exe	Get hash	malicious	Browse	208.91.199.223
	Dubai REGA 2021UAE.exe	Get hash	malicious	Browse	208.91.199.135
	e0xd7qhFaMk3Dpx.exe	Get hash	malicious	Browse	208.91.198.143
	Dridex.xls	Get hash	malicious	Browse	208.91.199.159
	documents-351331057.xlsm	Get hash	malicious	Browse	162.251.80.27
	documents-351331057.xlsm	Get hash	malicious	Browse	162.251.80.27
	DUBAI UAEGH092021.exe	Get hash	malicious	Browse	208.91.199.135
	PAGO FACTURA V-8680.exe	Get hash	malicious	Browse	208.91.198.143
	documents-1819557117.xlsm	Get hash	malicious	Browse	162.251.80.27
	documents-1819557117.xlsm	Get hash	malicious	Browse	162.251.80.27
	usd 420232.exe	Get hash	malicious	Browse	208.91.199.225
	P037725600.exe	Get hash	malicious	Browse	208.91.199.225
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	NEW ORDER.exe	Get hash	malicious	Browse	208.91.198.143
	TRANSFERENCIA AL EXTERIOR U810295.exe	Get hash	malicious	Browse	208.91.198.143
	PAYMENT SWIFT COPY MT103.exe	Get hash	malicious	Browse	208.91.198.143

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BILL-OOO566876.exe.log Download File
Process:	C:\Users\user\Desktop\BILL-OOO566876.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6241220288435505
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	BILL-OOO566876.exe
File size:	893952
MD5:	1c84862e5b015bcecf6a194d17172dcf
SHA1:	a3e0a0bda2cdef94089a6012bd025113f9fbead9
SHA256:	ea29689e038f2a801066054f8ae2e3e3884127e8ac897f5467055250ce2b42f9
SHA512:	786b1e6f5c283b33bb55e252355346af43715b81f926cb035c9935ba031958e21413e2bd54fa7c8fc198b7250431361a3abf39adc418d03a72a9d3afd9d42bdc
SSDEEP:	12288:g/m/1Vjriddyflf5T716samRCChXNNAdUbuTSYScJ/cfCTpc7kg5M7Cdb/G/uxFB:AaSyB5T716rmRCQB6T5/hT5kb/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4db91e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60731BE9 [Sun Apr 11 15:55:21 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdb8c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xdc000	0x5c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd9924	0xd9a00	False	0.765819078475	data	7.62974179137	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xdc000	0x5c0	0x600	False	0.428385416667	data	4.12173224524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xdc0a0	0x330	data
RT_MANIFEST	0xdc3d0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Microsoft 2018
Assembly Version	1.0.0.0
InternalName	mWu.exe
FileVersion	1.0.0.0
CompanyName	Microsoft
LegalTrademarks
Comments
ProductName	ASCIIArt
ProductVersion	1.0.0.0
FileDescription	ASCIIArt
OriginalFilename	mWu.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 15:18:42.176328897 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:42.352276087 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:42.352453947 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:42.875756979 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:42.876359940 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:43.050717115 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:43.050755024 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:43.052225113 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:43.228472948 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:43.229031086 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:43.407139063 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:43.407423019 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:43.585530043 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:43.585781097 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:43.771244049 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:43.771477938 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:43.946533918 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:43.960316896 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:43.960429907 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:43.960508108 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:43.960582018 CEST	49739	587	192.168.2.3	208.91.199.225
Apr 12, 2021 15:18:44.134759903 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:44.134810925 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:44.231465101 CEST	587	49739	208.91.199.225	192.168.2.3
Apr 12, 2021 15:18:44.280231953 CEST	49739	587	192.168.2.3	208.91.199.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 15:16:57.626996040 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:16:57.676660061 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 12, 2021 15:16:57.950560093 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:16:58.002713919 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 12, 2021 15:16:59.123594046 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:16:59.172378063 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:00.325143099 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:00.382375002 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:10.669775009 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:10.718667030 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:11.884468079 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:11.935942888 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:12.807837009 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:12.859298944 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:16.975037098 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:17.026108980 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:22.659409046 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:22.708585978 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:28.712503910 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:28.770036936 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:29.946908951 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:29.998414993 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:33.402914047 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:33.451730013 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:34.819503069 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:34.881642103 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:45.875643015 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:45.934130907 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:50.349664927 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:50.401159048 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:51.484985113 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:51.536576033 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:53.174205065 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:53.205549002 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:53.222877026 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:53.264185905 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:54.363640070 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:54.420811892 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:55.627034903 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:55.675615072 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:56.907742977 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:56.956568956 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 12, 2021 15:17:58.024431944 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:17:58.073045015 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 12, 2021 15:18:03.563596010 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:18:03.631918907 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 12, 2021 15:18:09.803677082 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:18:09.855288029 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 12, 2021 15:18:13.240446091 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:18:13.297455072 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 12, 2021 15:18:29.325659990 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:18:29.374316931 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 12, 2021 15:18:41.811301947 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:18:42.129463911 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 12, 2021 15:18:44.853279114 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:18:44.901916027 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 12, 2021 15:18:47.035443068 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 12, 2021 15:18:47.092525959 CEST	53	56579	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 15:18:41.811301947 CEST	192.168.2.3	8.8.8.8	0x51eb	Standard query (0)	smtp.syntrnomh.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 15:18:42.129463911 CEST	8.8.8.8	192.168.2.3	0x51eb	No error (0)	smtp.syntrnomh.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 15:18:42.129463911 CEST	8.8.8.8	192.168.2.3	0x51eb	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Apr 12, 2021 15:18:42.129463911 CEST	8.8.8.8	192.168.2.3	0x51eb	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Apr 12, 2021 15:18:42.129463911 CEST	8.8.8.8	192.168.2.3	0x51eb	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Apr 12, 2021 15:18:42.129463911 CEST	8.8.8.8	192.168.2.3	0x51eb	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 12, 2021 15:18:42.875756979 CEST	587	49739	208.91.199.225	192.168.2.3	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 12, 2021 15:18:42.876359940 CEST	49739	587	192.168.2.3	208.91.199.225	EHLO 134349
Apr 12, 2021 15:18:43.050755024 CEST	587	49739	208.91.199.225	192.168.2.3	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Apr 12, 2021 15:18:43.052225113 CEST	49739	587	192.168.2.3	208.91.199.225	AUTH login cmFpbmllLndhbmdAc3ludHJub21oLmNvbQ==
Apr 12, 2021 15:18:43.228472948 CEST	587	49739	208.91.199.225	192.168.2.3	334 UGFzc3dvcmQ6
Apr 12, 2021 15:18:43.407139063 CEST	587	49739	208.91.199.225	192.168.2.3	235 2.7.0 Authentication successful
Apr 12, 2021 15:18:43.407423019 CEST	49739	587	192.168.2.3	208.91.199.225	MAIL FROM:<rainie.wang@syntrnomh.com>
Apr 12, 2021 15:18:43.585530043 CEST	587	49739	208.91.199.225	192.168.2.3	250 2.1.0 Ok
Apr 12, 2021 15:18:43.585781097 CEST	49739	587	192.168.2.3	208.91.199.225	RCPT TO:<rainie.wang@syntrnomh.com>
Apr 12, 2021 15:18:43.771244049 CEST	587	49739	208.91.199.225	192.168.2.3	250 2.1.5 Ok
Apr 12, 2021 15:18:43.771477938 CEST	49739	587	192.168.2.3	208.91.199.225	DATA
Apr 12, 2021 15:18:43.946533918 CEST	587	49739	208.91.199.225	192.168.2.3	354 End data with <CR><LF>.<CR><LF>
Apr 12, 2021 15:18:43.960582018 CEST	49739	587	192.168.2.3	208.91.199.225	.
Apr 12, 2021 15:18:44.231465101 CEST	587	49739	208.91.199.225	192.168.2.3	250 2.0.0 Ok: queued as A9165781F07

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: BILL-OOO566876.exe PID: 1308 Parent PID: 5652

General

Start time:	15:17:04
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\BILL-OOO566876.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\BILL-OOO566876.exe'
Imagebase:	0x7e0000
File size:	893952 bytes
MD5 hash:	1C84862E5B015BCECF6A194D17172DCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.222165033.0000000003F36000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: BILL-OOO566876.exe PID: 1156 Parent PID: 1308

General

Start time:	15:17:12
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\BILL-OOO566876.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x630000
File size:	893952 bytes
MD5 hash:	1C84862E5B015BCECF6A194D17172DCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.476024928.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.469525382.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: BILL-OOO566876.exe PID: 1308 Parent PID: 5652 BILL-OOO566876.exeCOMMON

Executed Functions

Function 05078CA8, Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

,:ar, xrefs: 05078D63
,:ar, xrefs: 05078DE2

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: ,:ar$,:ar
API String ID: 0-3361632965
Opcode ID: 229d4f7cfb92694a4a659d0da04ced4e90bf65fbc8a683c2ea01141e248d09ff
Instruction ID: 6cf0324340a892b88092a0ab8a5fccf7e9f604a77dfb9ce7d568fae6112cfbea
Opcode Fuzzy Hash: 229d4f7cfb92694a4a659d0da04ced4e90bf65fbc8a683c2ea01141e248d09ff
Instruction Fuzzy Hash: 12514574E0520EDFCB44CFA9D9896AEBBB2FF88310F20992AD411B7250D7745A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05078CB8, Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

,:ar, xrefs: 05078D63
,:ar, xrefs: 05078DE2

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: ,:ar$,:ar
API String ID: 0-3361632965
Opcode ID: c4ab59c37d3a35cb961e2d6e18819827c7c7b1368af1083926a915e8c2bf31bd
Instruction ID: 8f7ad7f69915cacd0395d1ad79566c6ddb6a7af7450a90829614ebc0abf72d9d
Opcode Fuzzy Hash: c4ab59c37d3a35cb961e2d6e18819827c7c7b1368af1083926a915e8c2bf31bd
Instruction Fuzzy Hash: CE510374E0520EDFCB44CFA9D9896AEBBB2FF88300F20982AD515B7254D7749A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 0507C628, Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

~;, xrefs: 0507C8D8

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: ~;
API String ID: 0-413628840
Opcode ID: ae19d46089ffb327c0f389f3fd2aae7ad133d9bbbe67f53052e6b465a32829fd
Instruction ID: 18baa0896b3600f13f1c7d09dbd4b477b331fdd6a2e40a4764b4a8e5adc98e8c
Opcode Fuzzy Hash: ae19d46089ffb327c0f389f3fd2aae7ad133d9bbbe67f53052e6b465a32829fd
Instruction Fuzzy Hash: 99C10474D0524ADFDB44CFA4D5808AEFBB2FF49350B24A55AC402BB254D731AE81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0507C626, Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

~;, xrefs: 0507C8D8

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: ~;
API String ID: 0-413628840
Opcode ID: 786292a90c8621ff827398fd9197dad5030c289f055f6039756159d4bfee7d98
Instruction ID: 16d33e00d31c1a6392da5514494edd9d73a04e977812e8df88032dd521058753
Opcode Fuzzy Hash: 786292a90c8621ff827398fd9197dad5030c289f055f6039756159d4bfee7d98
Instruction Fuzzy Hash: C0C11774D0524ADFDB44CFA4D1808AEBBB2FF49350B24A55AC402BB255D731AE81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0507ADE0, Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

d|T, xrefs: 0507AE4C

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: d|T
API String ID: 0-1754122897
Opcode ID: bf0fb0ff927f78af1bf0fe1e165f8c446f5a22b13315492b914671fdcdeeda60
Instruction ID: 45477f7331dc424960c646eab5f1bea4e0c8a04e3c2bf730b927cba9c0c11890
Opcode Fuzzy Hash: bf0fb0ff927f78af1bf0fe1e165f8c446f5a22b13315492b914671fdcdeeda60
Instruction Fuzzy Hash: 92515971E0524ACFDB08CFA6D5816AEFBF2FB89311F14D42AD015AB210D7349A41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 050791F1, Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

X1ar, xrefs: 05079321

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: X1ar
API String ID: 0-3367582976
Opcode ID: 18a76bd023f2bf4db869a24d5e3fb6ee018d1b6ddd5f6f9abee175195e0baa3f
Instruction ID: 7a57b15b52baf928f2f924aa3f3855b8cebebcea59f097bcc4682b743cf98491
Opcode Fuzzy Hash: 18a76bd023f2bf4db869a24d5e3fb6ee018d1b6ddd5f6f9abee175195e0baa3f
Instruction Fuzzy Hash: 58519474E002089FDB48DFEAD951A9EFBF2BF88300F14852AE905AB364EB355941DF54

Uniqueness

Uniqueness Score: -1.00%

Function 05079200, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

X1ar, xrefs: 05079321

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: X1ar
API String ID: 0-3367582976
Opcode ID: ee4efe84a762d3ffcba83018f81be332e1d686e70f641f0b58fda8631f1d5b7b
Instruction ID: 20cb916f04328a75742f0c3cb59f679fab7d33038c10583400730eefa86054f3
Opcode Fuzzy Hash: ee4efe84a762d3ffcba83018f81be332e1d686e70f641f0b58fda8631f1d5b7b
Instruction Fuzzy Hash: E8518374E002089FDB48DFEAD951AAEFBF2BF88300F14852AE905AB364DB355941DF54

Uniqueness

Uniqueness Score: -1.00%

Function 05072878, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dddfb76180440ae0270a7c686e6b5795564e27af04db0126f672cd31750b68
Instruction ID: 2dfeb35b12398e933e2458ab87d397c4e7ade8c6c3dc2642a613c50b59e99916
Opcode Fuzzy Hash: 25dddfb76180440ae0270a7c686e6b5795564e27af04db0126f672cd31750b68
Instruction Fuzzy Hash: 2CD17BB9D0520EEFCB04CFA4E5819AEBBB2FF49351B589559C001AB211C734EB81CF99

Uniqueness

Uniqueness Score: -1.00%

Function 05072950, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba8fdaeffe390988037abcffd5af41e4357b6a31fec28135577e734ae18b54b
Instruction ID: 55b2dbc4612f2d8321111748d1f92eabb5088ed46ebad231cf66d29b838c29c9
Opcode Fuzzy Hash: 5ba8fdaeffe390988037abcffd5af41e4357b6a31fec28135577e734ae18b54b
Instruction Fuzzy Hash: E8C109B4D0520EEFCB04CFA5E5808AEFBB2FF49351F549559C506AB215C730AA81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 05077C38, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37de42a2a9b80a28cee690b4011ffe1085e631bf2c468711a8dcfe52335e5781
Instruction ID: 8dcc7b7c5090e7e22dfc6e40133133f464f039a291595cb976ef09514765d979
Opcode Fuzzy Hash: 37de42a2a9b80a28cee690b4011ffe1085e631bf2c468711a8dcfe52335e5781
Instruction Fuzzy Hash: 9EA1F6B4E05209DFDB44CFA5E985A9DBBF2FF88301F2094AAD909AB314DB345A41DF14

Uniqueness

Uniqueness Score: -1.00%

Function 05077C48, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b400222caece52c007a71fbe59ae9c996dfa157e990c0d0dece5acd5095a6fa8
Instruction ID: 19149a5f3eaee49e603c78301cc699a8dd26ace00e813950314020d318fb173b
Opcode Fuzzy Hash: b400222caece52c007a71fbe59ae9c996dfa157e990c0d0dece5acd5095a6fa8
Instruction Fuzzy Hash: 59A1F5B4E05209DFDB44DFA5E985A9DBBF2FF88301F2094AAD909AB314DB305A41DF14

Uniqueness

Uniqueness Score: -1.00%

Function 05070A80, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304bda24dad1901f489500eb567d02e225fe30d230326a4010dc808149ee22fe
Instruction ID: 80a88610927ac990cd3402437d09891167b8b1881a9ccaeec6541bfa21fbac9b
Opcode Fuzzy Hash: 304bda24dad1901f489500eb567d02e225fe30d230326a4010dc808149ee22fe
Instruction Fuzzy Hash: 8F9125B5E052599FDB04CFA9E8956EEBBB2FF89300F14826AD401BB250D7389A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0507F4B8, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3d2774c7cacd91ef72f52a272ddb87f48fcf3620fe015bc9f9b5ddbd8ee01c
Instruction ID: e9fb590e943ec3a3d96b7eef9521dbbd3325847a8e3c88e2441f5327faa45d4b
Opcode Fuzzy Hash: 8f3d2774c7cacd91ef72f52a272ddb87f48fcf3620fe015bc9f9b5ddbd8ee01c
Instruction Fuzzy Hash: 92917674E0928ADFCB44DFA4E5849ACBBF6FB48315F20A06AD805EB364E7309941CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0507A671, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f783fe3708789ce78c33353cdb0c0186a3ac9b019590e62dfab1146249f45d
Instruction ID: 083c36ea660640fc33067d579ed7687d62d299c2ace9f4d8e68a13a8d8615d79
Opcode Fuzzy Hash: 22f783fe3708789ce78c33353cdb0c0186a3ac9b019590e62dfab1146249f45d
Instruction Fuzzy Hash: C1812374E04249DFCB08CFA5D980AEEBBB2FF89300F20816AD416BB254D7395A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0507A6B0, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad13f412408a06b0b8436f9ee948d3aabe15e06194a9709ea3ab773d91f0a262
Instruction ID: 0eb6d3274b8c5151daacd859b941adb2520a7ca58b103005b298083262b6e40f
Opcode Fuzzy Hash: ad13f412408a06b0b8436f9ee948d3aabe15e06194a9709ea3ab773d91f0a262
Instruction Fuzzy Hash: D171E374E01209DFCB48CFE9D940AAEBBB2FF88300F20806AD415BB254DB395A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0507B24E, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ca4c66b60ce969347b9a935308231c9193088764804c5f37fb5f6d2df38b1a
Instruction ID: 5a6ec6d690902be1f9677fd4503a013bbe7fbe1ec16cb6e911c26fb525f4ca27
Opcode Fuzzy Hash: 34ca4c66b60ce969347b9a935308231c9193088764804c5f37fb5f6d2df38b1a
Instruction Fuzzy Hash: 7E712674D0520EDFCB44CFA8D5819AEBBF2FF49340F20955AD415AB214E734AA42CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 05070B18, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a614b1482726237958a190757e656e3bf57a97d6735bc8413d50cd715f0a86
Instruction ID: a79ffb6cd760d8f951155ed02333782b98dce678787f0d2cebcb338d48911950
Opcode Fuzzy Hash: 19a614b1482726237958a190757e656e3bf57a97d6735bc8413d50cd715f0a86
Instruction Fuzzy Hash: 6A71D2B4E01219DFDB48DFE9D954AAEBBB2FF88300F10812AD505BB254DB349A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0EE02268, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdebd8d6120dc486610fdcffaef2c03bce1496410da6d96038694dd5ae3a178
Instruction ID: 5b17c95d6eec9cd514971541d3b90daab42dc9e79cc43d989befbfd627ef6af1
Opcode Fuzzy Hash: 1fdebd8d6120dc486610fdcffaef2c03bce1496410da6d96038694dd5ae3a178
Instruction Fuzzy Hash: 315125B0C0620DDFCB04CFA6E5886EDFBF1FB49310F60A02AD205A62A5D7785985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 050797C0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc489713434d286d247e389f4eaff4970bce3ea7915708d34d7097bb209a102
Instruction ID: 1aea23fe6e10003cf0eb93593119395bd62dc17f5aa79d930532e8c3a84defe4
Opcode Fuzzy Hash: 5dc489713434d286d247e389f4eaff4970bce3ea7915708d34d7097bb209a102
Instruction Fuzzy Hash: B751D2B4E042189FDB44DFA9D480AADFBF2BF88300F18D565D818A7215D7349981CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05071230, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd03327aabf0e01f284f0d0753ccef45f1f24ad32e3f603b0dfaa911760b116
Instruction ID: 25ec646d5e09689c321be48d87ac1c8aee4149df757c5abac3afed290dd8545c
Opcode Fuzzy Hash: 7dd03327aabf0e01f284f0d0753ccef45f1f24ad32e3f603b0dfaa911760b116
Instruction Fuzzy Hash: 605135B1E042098FDB08CFAAD4406AEFBF2FF89311F14D06AD415B7290D7749A42CB69

Uniqueness

Uniqueness Score: -1.00%

Function 05071240, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f541177f333277100b395d1592260e6dee2f7ebae4e5d6453936c8b063f2e6
Instruction ID: 6175a6e7b48ead8314ee71d7e896f4af8112540f23330c1d29d27e8e1c31c0b4
Opcode Fuzzy Hash: b5f541177f333277100b395d1592260e6dee2f7ebae4e5d6453936c8b063f2e6
Instruction Fuzzy Hash: F84114B0E0420D8FDB08CFAAD4406AEFBF2FF89311F14906AD415B7290D7749A52CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0507B739, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73421fb4f854eed9f340f5e104b1a2efb87017e441c2fc6253f8926bfb7a3eb
Instruction ID: 91c9a83834ad157f13fff214a14a3b29f23a706d9cae20eab9cb5eb3bffe8f7b
Opcode Fuzzy Hash: e73421fb4f854eed9f340f5e104b1a2efb87017e441c2fc6253f8926bfb7a3eb
Instruction Fuzzy Hash: 2131E7B1E046589BDB18CFA6D8443DEFBF2BFC8310F14C06AD409AA254DB750946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05071B70, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616c45b4c5bf61f279c262cac9fc3e0e27758266d33981c804d1b9020fec692f
Instruction ID: 1cb789a7977beb6161daa5b56b9c348f06a19f7dcf71be512a832314d885add0
Opcode Fuzzy Hash: 616c45b4c5bf61f279c262cac9fc3e0e27758266d33981c804d1b9020fec692f
Instruction Fuzzy Hash: 5B211671E016188BDB58CFAAD8406DEFBF7EFC9300F14C06AD509AA264DB355A45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0507E989, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df92ce4e2c321d4e41ce8df8e630332b16741aae5ee038e0c0cd3e9d9602d7b
Instruction ID: 6def6eae6370400b393d74a9337aa9e50bd29191428e185a0cd51d23d1818abb
Opcode Fuzzy Hash: 2df92ce4e2c321d4e41ce8df8e630332b16741aae5ee038e0c0cd3e9d9602d7b
Instruction Fuzzy Hash: DE21FA71E016199FEB18DF6BD84469EBBF7BFC9300F14C0B6D908AA224DB7415458F51

Uniqueness

Uniqueness Score: -1.00%

Function 05071B60, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa76150c3e763546d968c7cfae2f70bfa58e4441ea4f455378a38e469fe0b07
Instruction ID: 27b6309cbc41eab3bbcc8dbeaa0faa62610c34695047abeed5651752a04fa05f
Opcode Fuzzy Hash: 0aa76150c3e763546d968c7cfae2f70bfa58e4441ea4f455378a38e469fe0b07
Instruction Fuzzy Hash: 3D21F9B1E016588BDB19CFAAD9446DEBFF3AFC9300F14C06AD409AA258DB745A45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05079468, Relevance: 6.5, Strings: 5, Instructions: 219COMMON

Download Yara Rule

Strings

</ar, xrefs: 050794D1
,:ar, xrefs: 050796B3
,:ar, xrefs: 050795ED
,:ar, xrefs: 05079753
,:ar, xrefs: 05079650

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: ,:ar$,:ar$,:ar$,:ar$</ar
API String ID: 0-558880252
Opcode ID: abcb2de0e640a53cda51009f02d65e3e9204eb3d584666019065d03cfe93422a
Instruction ID: b5c8c986e39613170bfa98c007aecdc5ee8687b2b389dac87f44df81372f492b
Opcode Fuzzy Hash: abcb2de0e640a53cda51009f02d65e3e9204eb3d584666019065d03cfe93422a
Instruction Fuzzy Hash: EDA1C674D00228CFDB64CFA9D980BDDBBB2BF49310F1081EAE509A7261DB719A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05079458, Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

</ar, xrefs: 050794D1
,:ar, xrefs: 05079753

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: ,:ar$</ar
API String ID: 0-2192196801
Opcode ID: 272549c52b6a02a18620bebc2a2b1870c09a9c53aa34eb70b7ac3f2562187cf4
Instruction ID: d6574a08512984c31faea75b807bb3dd3331c2da03b4a61a89c3069515c38833
Opcode Fuzzy Hash: 272549c52b6a02a18620bebc2a2b1870c09a9c53aa34eb70b7ac3f2562187cf4
Instruction Fuzzy Hash: C4411971D00218CFDB54CFAAD941BEDBBF2AF84310F1080AAD509A7391EB345A86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0EE02EFF, Relevance: 2.5, Strings: 2, Instructions: 33COMMON

Download Yara Rule

Strings

sd5v, xrefs: 0EE02F72
sd5v, xrefs: 0EE02F7C

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID: sd5v$sd5v
API String ID: 0-1172623907
Opcode ID: 6182846d3a5b99947b116007a00ac05e7267401e68bc33fbf79ec8754f05d305
Instruction ID: ea7458bf404a796433e554d77b5a9c9d8fee86751f2f9848eb225f17ec47a787
Opcode Fuzzy Hash: 6182846d3a5b99947b116007a00ac05e7267401e68bc33fbf79ec8754f05d305
Instruction Fuzzy Hash: 400144B0D4022ACFCB24CF65CD84BEDB7F0BB09344F6140EA8569A7266C3300A80CF44

Uniqueness

Uniqueness Score: -1.00%

Function 051E0A50, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051E0AD0

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e974a4a31bca316691c4d5d934a04d6544d337ffb813fea5afe1b3d417fb2991
Instruction ID: 727e7d38142da8a19786f8dcec74b100a6b4f907a7931847352d43e75b7bf337
Opcode Fuzzy Hash: e974a4a31bca316691c4d5d934a04d6544d337ffb813fea5afe1b3d417fb2991
Instruction Fuzzy Hash: 6F21CF760097C09FD7228B25DC85A92FFF4EF06310F0984DEE9858B163D265A848DB61

Uniqueness

Uniqueness Score: -1.00%

Function 051E0BB1, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 051E0C25

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 00685c66250b4749b45338c22ae0aa35631eb7069bc3d2e76d00c7cf6bfd2760
Instruction ID: 70847b6fc0defebc474b8dab4da0f5c185b5bcb64fbb3d16895699fbbfdcab61
Opcode Fuzzy Hash: 00685c66250b4749b45338c22ae0aa35631eb7069bc3d2e76d00c7cf6bfd2760
Instruction Fuzzy Hash: E6218C724097C0AFDB238B25CC44A52BFB4EF17210F0984DAED848F163D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 051E09AF, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051E0A14

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5caa8940625bb0bca0fe78afde6422e30dabc891c6544e12602468badea9c5aa
Instruction ID: 491f5b332fc60cf266df0fba414c520591aef9d3dfd777ac3a33840b8de0fa14
Opcode Fuzzy Hash: 5caa8940625bb0bca0fe78afde6422e30dabc891c6544e12602468badea9c5aa
Instruction Fuzzy Hash: F311E276409784AFDB228F21DC44E52FFB4EF0A220F0880DEED858B163C275A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 051E0F43, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 051E0FAD

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 58b8ff039d3b7fe2cfb2a977c1b2f0e26174b353f16826fbf6477bb0de472890
Instruction ID: b6a7a725073956d999e8f7aa50e03942048f57dc28334e479da9b3eec60e57d5
Opcode Fuzzy Hash: 58b8ff039d3b7fe2cfb2a977c1b2f0e26174b353f16826fbf6477bb0de472890
Instruction Fuzzy Hash: 3D11D072409784AFDB228F25DC45F52FFB4EF06320F08849EED854B163C275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 051E0908, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 051E0967

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b596b1a52ca61375933be786ef62af52fa0c146033daeb49a0706f2091c1ae13
Instruction ID: e1a729f7abba75886df37940e063f305f1f775d0236e3a3054a2b37f3f76774c
Opcode Fuzzy Hash: b596b1a52ca61375933be786ef62af52fa0c146033daeb49a0706f2091c1ae13
Instruction Fuzzy Hash: 7911C4715043849FD711CF15DC44F66FFE8EF06220F0880AAED498B262D375E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051E0A8A, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051E0AD0

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5bc8e704a3db80cda23c353be5733d559a7727dcc8caa725084e294246b9dd45
Instruction ID: ebe80099cfc178add9571b6b510caef3721e2cb2634d1f22e2a1b4af597ca9e9
Opcode Fuzzy Hash: 5bc8e704a3db80cda23c353be5733d559a7727dcc8caa725084e294246b9dd45
Instruction Fuzzy Hash: 6101A175500A04DFDB20CF55D889B66FBE4EF08310F08846ADD458B651D3B1E848DB61

Uniqueness

Uniqueness Score: -1.00%

Function 051E092A, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 051E0967

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 782f066282ce20b1919bcf38414d89ed3722a3731dcd129f7786cc8e6203e210
Instruction ID: bc0f730e3e12b1881c1421d007bfd4e9f1c4381c53fb6c936f3b624842314cbd
Opcode Fuzzy Hash: 782f066282ce20b1919bcf38414d89ed3722a3731dcd129f7786cc8e6203e210
Instruction Fuzzy Hash: EB018475504605DFEB20CF1AD888B66FBD4EF08320F08C4ABDD498B256D7B5E448CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 051E09D6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051E0A14

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c12082c6370e0a4e95046907b237f6983e34672536fc7c399760dbce107ea02f
Instruction ID: 7fae4eddc816ba5283998c3b47d40565c7f5e10df2fc0a01bcac6dc2eb308762
Opcode Fuzzy Hash: c12082c6370e0a4e95046907b237f6983e34672536fc7c399760dbce107ea02f
Instruction Fuzzy Hash: F4019E36500A04DFDB208F55D849B66FFA1EF48320F08C4AAEE494A612D3B1E458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 051E0F72, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 051E0FAD

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ceb0af70f7309af8d1f9424702d8cfc32b33ead9c812cdc566c27b8473fc6b2d
Instruction ID: 22f16a607781bb6b72f53b37ec26a1d018c37a26ee17293bd525b6ccc62f1f05
Opcode Fuzzy Hash: ceb0af70f7309af8d1f9424702d8cfc32b33ead9c812cdc566c27b8473fc6b2d
Instruction Fuzzy Hash: 2E015E75500B04DFDB208F55D888B66FFA4EF08320F18849AED4A4A652D3B5A558DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 051E0BEA, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 051E0C25

Memory Dump Source

Source File: 00000000.00000002.224936560.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 21efd92628fcfb75b7225714ffdf639216c0aab5e3a8479c8da187689da9ae89
Instruction ID: fa477eeb8034c9ba109e1baa9b87602bec0b3e8d33051f84fcab7f9fdb2d4e7b
Opcode Fuzzy Hash: 21efd92628fcfb75b7225714ffdf639216c0aab5e3a8479c8da187689da9ae89
Instruction Fuzzy Hash: AE014F75400A44DFDB20CF55D848B66FFE1FF08320F18C49ADE495B616D3B6A458DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0EE00625, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

5m[, xrefs: 0EE006CA

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID: 5m[
API String ID: 0-3974686265
Opcode ID: 53a1c5751a53a00350937ce2136d44b3b84f5c4c5770b0271803e775883293b3
Instruction ID: bfe0e318c9d09aa99df3916ab5e71c91476e3ddc28f81f95033514bdad39c759
Opcode Fuzzy Hash: 53a1c5751a53a00350937ce2136d44b3b84f5c4c5770b0271803e775883293b3
Instruction Fuzzy Hash: E031CC7881924DDFCB01CFA5E8416EDBBB2EB8A300B209997C401A7295D3354A82DB92

Uniqueness

Uniqueness Score: -1.00%

Function 05071521, Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

7YB, xrefs: 05071561

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: 7YB
API String ID: 0-2030384022
Opcode ID: 0a36c04b6d34db92998d1aefbaf4fe2cf3130ff0bfee7ad85d5f6da952251401
Instruction ID: 5d09271ae25c01283bd7a261d959c87dfbf30595504b3fd219d4704e01e588f8
Opcode Fuzzy Hash: 0a36c04b6d34db92998d1aefbaf4fe2cf3130ff0bfee7ad85d5f6da952251401
Instruction Fuzzy Hash: 352139B0E04209DFCB08CFA9D9819AEBBF2FF89300F5085A9D415A7354E7349A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05074DF8, Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

>_?r, xrefs: 05074E2F

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: >_?r
API String ID: 0-2961507119
Opcode ID: a4fc906aad440575bf46da79f62a2296517bf93b9f9d9356f5bb35dc83ed0f56
Instruction ID: fa771048d62bfdba9c1468eec6e13f8ce96710f57751ad0700e0b822e5f6e34c
Opcode Fuzzy Hash: a4fc906aad440575bf46da79f62a2296517bf93b9f9d9356f5bb35dc83ed0f56
Instruction Fuzzy Hash: DC2179B1D0820CEFDF04CFA8D941AADFBB1EF8A311F5080A9D516BB260D7349A00DB15

Uniqueness

Uniqueness Score: -1.00%

Function 05071530, Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

7YB, xrefs: 05071561

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: 7YB
API String ID: 0-2030384022
Opcode ID: c7ceab8d31877b685f8d5f41da42a6eb3ba4f86b2a43365369fc63533bda832c
Instruction ID: 8834419881008a01b7b92a95e47fe8a642e2f6216885e48b3268572858e27f36
Opcode Fuzzy Hash: c7ceab8d31877b685f8d5f41da42a6eb3ba4f86b2a43365369fc63533bda832c
Instruction Fuzzy Hash: E521F5B0E04209EFCB48CF99D9819AEBBF2FB89300F5185A9D405A7354D734DA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05074E08, Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

>_?r, xrefs: 05074E2F

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: >_?r
API String ID: 0-2961507119
Opcode ID: 4c08d8c7c015607c7ab2c5cc103d7f9a32940951e4b756983463d06de906724a
Instruction ID: a7d7283aa5438c32f440bc583d726c972483d833c9af51850d58ef0574519c7e
Opcode Fuzzy Hash: 4c08d8c7c015607c7ab2c5cc103d7f9a32940951e4b756983463d06de906724a
Instruction Fuzzy Hash: 35214770D0520CEFDF44DFA8D540AAEFBB1EF8A311F2094A9D516BB260D7309A00DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0EE00678, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

5m[, xrefs: 0EE006CA

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID: 5m[
API String ID: 0-3974686265
Opcode ID: c0d17faa824ae5fe2755763a4aaa0973697b1b8264c2c837846405fa805d4db7
Instruction ID: 4ee5adb36021a84b9c07c80a9d15f3bcc98f24ccdc0232464a34eef51ada137f
Opcode Fuzzy Hash: c0d17faa824ae5fe2755763a4aaa0973697b1b8264c2c837846405fa805d4db7
Instruction Fuzzy Hash: 8721F0B4D0520EDFCB44CFE9E5806AEBBF1EB88300F2098AAD815A7254D7399A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 050759EE, Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

X,", xrefs: 050759FF

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: X,"
API String ID: 0-723936338
Opcode ID: ec314cda659cc9631e118a52e57209e46e6b7aad3f91d1d15c29fcb5a4e71f42
Instruction ID: 8dc74a1841b7ec1d430bf989a6c5648fc52eb24de40431ff087bde63915ab14d
Opcode Fuzzy Hash: ec314cda659cc9631e118a52e57209e46e6b7aad3f91d1d15c29fcb5a4e71f42
Instruction Fuzzy Hash: EFE09234D043089FCB40DFA8E88489CBBB5FB8D311B208569D91AEB325C7309856DF14

Uniqueness

Uniqueness Score: -1.00%

Function 05079942, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491abc646bda7a7d355eac802bd6ef879a3c10278e7125dbf9223eb22c15ce7d
Instruction ID: f877d62392379af0eaa9eea7c3caa9911358681c2c2228a934187369b688e118
Opcode Fuzzy Hash: 491abc646bda7a7d355eac802bd6ef879a3c10278e7125dbf9223eb22c15ce7d
Instruction Fuzzy Hash: 1D515974E012189FDB54DFA9D891AAEBBF2BFC9300F24842AE505BB394DB315C02CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05073E08, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531b6f87b7770550ad3ce9ea5247e24ee655d0efaff3e020e029c52b5b60ccdc
Instruction ID: a5f26a20c6df8d67e3261d970dcbd0205f3017f3abe829134bb0d1109ff8b232
Opcode Fuzzy Hash: 531b6f87b7770550ad3ce9ea5247e24ee655d0efaff3e020e029c52b5b60ccdc
Instruction Fuzzy Hash: 4251E3B4D0520DEFDB04CFA8E985AEDBBB2BF58300F20896AD401A7351D3309A51DF99

Uniqueness

Uniqueness Score: -1.00%

Function 05073E18, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210a8c3edc15e01a3ceffd809b8bbd68faa8da788d9daab60196793f1a2a73f0
Instruction ID: 61b986fe3e46c4a086eda366353f7190c6120d47636939e53c2d49f02f856be7
Opcode Fuzzy Hash: 210a8c3edc15e01a3ceffd809b8bbd68faa8da788d9daab60196793f1a2a73f0
Instruction Fuzzy Hash: 4641C4B4D0521DEFDB04CFA8E9859EDBBB2FF58304F208969D411AB350D3309A50DB99

Uniqueness

Uniqueness Score: -1.00%

Function 05079A20, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aaffe0b5602673cbf38274ab129a6c304202a374ccb97d463cdb787e54482a3
Instruction ID: a65f42bd442ca1af12f54be6b7010db0aa56951e428f78d61c651255100b4173
Opcode Fuzzy Hash: 9aaffe0b5602673cbf38274ab129a6c304202a374ccb97d463cdb787e54482a3
Instruction Fuzzy Hash: 3641C274E01208DBDB58DFAAD891A9EBBF2BF89300F248029E905B7390DB305841DF54

Uniqueness

Uniqueness Score: -1.00%

Function 050781FA, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983c57838da2d08cec41fefb4beb8d96dff5605ddb1006f968ffc5bf31072ac7
Instruction ID: b2c9e625212103b67f3304ec4b8a9140c4b8dd5f51bfa943ec20e879c199e546
Opcode Fuzzy Hash: 983c57838da2d08cec41fefb4beb8d96dff5605ddb1006f968ffc5bf31072ac7
Instruction Fuzzy Hash: 4A3122B1C0570DDFCB44DFA5E4996AEBBF1FF48342F1084AAC406A7254D7388A428F95

Uniqueness

Uniqueness Score: -1.00%

Function 05078208, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb49a7811e29bcf4e9ad194f2b2be657cb039501327afe38f3b05369b70b6315
Instruction ID: afaf8765304b0b902d68d9e066915560d643700b8281ca3d539e8c523f0035af
Opcode Fuzzy Hash: eb49a7811e29bcf4e9ad194f2b2be657cb039501327afe38f3b05369b70b6315
Instruction Fuzzy Hash: 843122B4C0960DDFCB44DFA5E8596AEBBF2FF48341F10C4AAC406A7254D73896428F95

Uniqueness

Uniqueness Score: -1.00%

Function 050797AF, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac50f6e1cc10dd8708cfb61128be0ea86f3590748adf3357f559a18d959523e3
Instruction ID: 0e80c341d527a707f9f82a923930585746bcee6b2b7e553a28b2abd5fbe230ad
Opcode Fuzzy Hash: ac50f6e1cc10dd8708cfb61128be0ea86f3590748adf3357f559a18d959523e3
Instruction Fuzzy Hash: D631C5B4E052089FDB44DFAAD484AAEFBF2BF88310F14D56AD818A7355E7349981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0507CE88, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8934f332125c67393522af7e9a944d89ddbd2d1c71d276ae5038af1a537ae77e
Instruction ID: dfdcf3e4b54c882d06d355c8a072a0d71d379140a6134513a862d79370866c96
Opcode Fuzzy Hash: 8934f332125c67393522af7e9a944d89ddbd2d1c71d276ae5038af1a537ae77e
Instruction Fuzzy Hash: 593149B0E04209DFDB08CFA9D485AAEFBB2FF85300F10C55AD52AA7214D7749A41CF89

Uniqueness

Uniqueness Score: -1.00%

Function 050713F9, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1448771a2cad784b6eed6dab272590d33e52175d366dc9a1e8b6654d589da59
Instruction ID: 6ec6dd93e9ddd8b475b99f227ac55f6012048199cc41a824466765a743abea98
Opcode Fuzzy Hash: f1448771a2cad784b6eed6dab272590d33e52175d366dc9a1e8b6654d589da59
Instruction Fuzzy Hash: CB3108B4E05249DFCB48CFA9D5809AEBBF2FF48300F10856AD815AB754D738AA41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05071408, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e0092c64af4192250175fc1b05a13f33ca8674a503be4ef0730f160e07a1ea
Instruction ID: 7b89cdba1977e20486ce24214764c2312bb7dbc5189c4d97f35cfa8c56c371a3
Opcode Fuzzy Hash: 03e0092c64af4192250175fc1b05a13f33ca8674a503be4ef0730f160e07a1ea
Instruction Fuzzy Hash: 663118B4E04249DFCB48CF99D5809AEBBF6FF48300F10855AD815AB754D738AA41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05078A98, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42ba8d72fd59cbcf1d8a705dc22847a637eaa2114e63340614d225e06519bf0
Instruction ID: 9b33f0b2428f6e054bfbe7bfd79654f13bfdc082e1fc7b77a19c0aa37787da9c
Opcode Fuzzy Hash: e42ba8d72fd59cbcf1d8a705dc22847a637eaa2114e63340614d225e06519bf0
Instruction Fuzzy Hash: 28218BB1C0524DEFDB44CFA5D5494AEBFB2FF8A210F20C4AAC402AB250D7308A41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0507AFF8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbe8679dc4ff28714044436c9859168a1caafdbd447576a9774e5ee373db0be
Instruction ID: 034f91dca8bd2c9ef6f138ea6d9ac6bc11c6d2671242eef7a1cada39d2f90a3b
Opcode Fuzzy Hash: 3dbe8679dc4ff28714044436c9859168a1caafdbd447576a9774e5ee373db0be
Instruction Fuzzy Hash: B531F5B4E14209DFDB44CFA9C481AAEBBF1FF49300F10856AD825A7714D739AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0507B0F8, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5b16ed684b1e5a566ef886609bbfc1720b8d79198f10479ca21a68eb9856bf
Instruction ID: 456d7f61311e591b98ae42fc0322a59083c39dca760849ca157fb03d7c104e28
Opcode Fuzzy Hash: be5b16ed684b1e5a566ef886609bbfc1720b8d79198f10479ca21a68eb9856bf
Instruction Fuzzy Hash: 3B211B70E04219DFCB04CFA9D885AAEFBF2FF99300F55C5A9D415A7210E7349A058F55

Uniqueness

Uniqueness Score: -1.00%

Function 0507B008, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9102230076cfbf3eff80cbfa22113ee845a32b86ffbb0b55449dc4163adca48
Instruction ID: 7d9d35a63d5fe1654bd0629894374647813113db044302df79251fd378b5f810
Opcode Fuzzy Hash: b9102230076cfbf3eff80cbfa22113ee845a32b86ffbb0b55449dc4163adca48
Instruction Fuzzy Hash: 2421D374E04209DFCB44CFA9D581AAEBBF5FF49300F10955AD829A7354D738AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0507CBB1, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6982a6f06d0757a6d497321b4f63ea0680fff7afb80eb55aa2ca411db31fd6
Instruction ID: 1293d0fc770699e6bf429b4dad625165880431114709dfb51c8e31b827aac61e
Opcode Fuzzy Hash: 6a6982a6f06d0757a6d497321b4f63ea0680fff7afb80eb55aa2ca411db31fd6
Instruction Fuzzy Hash: 0F2148B0E0920DEFEB04DFA5D5819AEFBB2FF88300F14D4AAD406AB214D7349A41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 05078AA8, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b445bc6f6c7747232594ec02d8267cc7fccd087737b99e3ebe98a0116e0ac71
Instruction ID: b019827d18674b9b521086cb0a37e9481783c826a9e0bdf3d282a657bd04a196
Opcode Fuzzy Hash: 4b445bc6f6c7747232594ec02d8267cc7fccd087737b99e3ebe98a0116e0ac71
Instruction Fuzzy Hash: 8B2157B1D0520EEFDB44CFA5D5895AEFBB2FF89201F60C46AC511A7250E7309A42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05072EE8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68420ae4e7711d0a924fd3b96ae2a64b76d9889e4f30fb9666b107e3b0d645f
Instruction ID: b34113ce896253d489a5798786e683372b05f2ee662b111970f41385470befac
Opcode Fuzzy Hash: c68420ae4e7711d0a924fd3b96ae2a64b76d9889e4f30fb9666b107e3b0d645f
Instruction Fuzzy Hash: 0A217574D0920EEBCB04CFA5D8829AEBFB1BB89300F1485AAD415A7221D7309A41DF44

Uniqueness

Uniqueness Score: -1.00%

Function 01200726, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219912071.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e2b2df3030d9a7bbf4fb9cb1c44766d6735ab0d25df6bf16e036db2fb62bed
Instruction ID: d662958072f79fd8637f2335eee471f3c3a93780155d012e6958ee238bcf4ccd
Opcode Fuzzy Hash: f2e2b2df3030d9a7bbf4fb9cb1c44766d6735ab0d25df6bf16e036db2fb62bed
Instruction Fuzzy Hash: 3D218E3510D3C19FD7079B64C850B15BFB1AF47718F1986EBD5848B6A3D33A9806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05072EF8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d63f13fe2bcbde293a7766ccb4025d24a6e65994c7bbce19fa6ab94ede36b0
Instruction ID: 06e923316bed97bfba9847b1560431e1b0e82b0a3124a1cd4ed6fc64dd69bd25
Opcode Fuzzy Hash: 59d63f13fe2bcbde293a7766ccb4025d24a6e65994c7bbce19fa6ab94ede36b0
Instruction Fuzzy Hash: 672177B4D0520EEBCB04CFA5D9429AEFBB2FB89300F10C5A9D425AB220D7349B51DF84

Uniqueness

Uniqueness Score: -1.00%

Function 0120075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219912071.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1580501dace64d55f3190e046ab410fc85895fb6d43a4e3ffa004dcab87caa
Instruction ID: 17836db2975bf3d83e45b85c900b676c1379bb9f9d7361e3338b23823475c8c3
Opcode Fuzzy Hash: 0b1580501dace64d55f3190e046ab410fc85895fb6d43a4e3ffa004dcab87caa
Instruction Fuzzy Hash: 4511E734214284DFE30ACB14C980F26BB95AB48708F24C69DFA491B693C77BD803CE55

Uniqueness

Uniqueness Score: -1.00%

Function 05078128, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197b1d1f9fe2c5257c6d624c552ba4649ec0ee407a6f4abf8fdb5781daea3b37
Instruction ID: 965f7a735b2e65be7f53cfc8fb2e81c2afad10eb4b842f94e19135a1482cdfdb
Opcode Fuzzy Hash: 197b1d1f9fe2c5257c6d624c552ba4649ec0ee407a6f4abf8fdb5781daea3b37
Instruction Fuzzy Hash: 8F1146B5D08309EFDB04EFA4E94A6AEBBB1FF49301F1494AAD815A7354D7304A01DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05070006, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6f537e4b8727ce4eaeca357e3e66a45793c0a11276ce6b64e5c6108a84ffc0
Instruction ID: 5d81b5b1274b61a37afeae15ada055eb3e3f5d10536e7f6c6a794a63a9e1288d
Opcode Fuzzy Hash: 4b6f537e4b8727ce4eaeca357e3e66a45793c0a11276ce6b64e5c6108a84ffc0
Instruction Fuzzy Hash: 180128A684E3D48FD3038B70AC667967F70AF13215F0E02D7D485CB1A3E2684958DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05072FE1, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf947c6c6e8ee66cbad95c9c89f86704519bd51040c6ccdeb2c4f433bb580759
Instruction ID: 769af4d9f5585badaa976d9ba6bf5a8a95c2727e4cdb62b7a8a9435922eca0e8
Opcode Fuzzy Hash: bf947c6c6e8ee66cbad95c9c89f86704519bd51040c6ccdeb2c4f433bb580759
Instruction Fuzzy Hash: 33111974E05248EFDB04CFA8C594A9DFFF2EF89200F15C4A9E505AB362DA359A11DB40

Uniqueness

Uniqueness Score: -1.00%

Function 05072FF0, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6126e1ed3cbb55d4a7475624dc3d2e0331d51432b05fd5bef322d625060864
Instruction ID: 01296adc682e68a313c54b1c421632e847916af3ab72a7716176293add2125bc
Opcode Fuzzy Hash: cf6126e1ed3cbb55d4a7475624dc3d2e0331d51432b05fd5bef322d625060864
Instruction Fuzzy Hash: 35113A74E01108EFDB04CFA8C554A9DFBF2EF88200F15C4A9A508AB321DA34DA00DB80

Uniqueness

Uniqueness Score: -1.00%

Function 05074CC0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d0eb995bec7588e1aa098f159f89ed770e52ba8bc403c4ccc1c05514683b3a
Instruction ID: 5087844ac541c5892d38f96c5e2b58c6ad0a0020f6ee85ea8674d1ea2b8c95a0
Opcode Fuzzy Hash: 97d0eb995bec7588e1aa098f159f89ed770e52ba8bc403c4ccc1c05514683b3a
Instruction Fuzzy Hash: 1D118E71C1530CEFCB48DFA8E58A5ADBFB0EB4A312F1055AED506A7150DB388A45DF05

Uniqueness

Uniqueness Score: -1.00%

Function 05078138, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41960995965b0357b351a436460258a42d8ffa9497da451312b1a5390d307edd
Instruction ID: 88a804e678a4e056ce5b350397bc24512a49ef692639326708f452e9a5da53b9
Opcode Fuzzy Hash: 41960995965b0357b351a436460258a42d8ffa9497da451312b1a5390d307edd
Instruction Fuzzy Hash: 801113B0D0830DEFDB04EFA4E9495AEBBB5EF49301F1494AAD905A7314D7305A009B95

Uniqueness

Uniqueness Score: -1.00%

Function 05074CD0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d72bd12e508a2b8b25497c926c0e3a820430586aa4a58f3999beb72f01e9fa9
Instruction ID: 3a7b01bd83aabce54ce2565a0b52dfe9ce9b84e6c42aec334ac5c6ebae17a5b7
Opcode Fuzzy Hash: 7d72bd12e508a2b8b25497c926c0e3a820430586aa4a58f3999beb72f01e9fa9
Instruction Fuzzy Hash: 9F019E30C1530CEFCF48EFA8E58656DBBB0EB4A302F1094A9D506A7250CB389B04EF49

Uniqueness

Uniqueness Score: -1.00%

Function 012005D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219912071.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111ebe577e36003de90446b39dd009f632a2cdb6f734a2f8e83f85db9299b975
Instruction ID: 52cba9f2fbc8cc6e90ee6eae6ead06a77c707a72008d3468dc6022c0ac236278
Opcode Fuzzy Hash: 111ebe577e36003de90446b39dd009f632a2cdb6f734a2f8e83f85db9299b975
Instruction Fuzzy Hash: 5D01A9B65097805FD7128F16EC44863FFE8EA86620759C49FED498B712D125A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05078B98, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3af1531d53d09f74c4b2c62f1727832c52b18bdd929d9acb41268de4bc83a84
Instruction ID: 482da8ccf15130989532a4334b53da45f4c7e72b8e2728ead85be67d806d1a0e
Opcode Fuzzy Hash: f3af1531d53d09f74c4b2c62f1727832c52b18bdd929d9acb41268de4bc83a84
Instruction Fuzzy Hash: 6D0144B1D1624CAFCB95DFB8D80A79DBFB09F05201F1481FEC80593251E2754A55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05074FC8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083d05915ec60c399b9148ee4d907331c05808bdfbec6b0f022d355c1a15def4
Instruction ID: d35c89b820e6c772d3c3bf03ec54ddc6f568932f27f85504c122b2895358cb37
Opcode Fuzzy Hash: 083d05915ec60c399b9148ee4d907331c05808bdfbec6b0f022d355c1a15def4
Instruction Fuzzy Hash: 6101E574E0030C9FEB44CFA6D8496ADBBB2FB8A302F10806AD619AB254DB345955DB91

Uniqueness

Uniqueness Score: -1.00%

Function 050776F7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5b5510e593becea907e974680893b1adccfc6b860f31d6387dcd0e031b30fd
Instruction ID: 6cdec23b134695f9fa43d7cec4f4e7638fe80b2960bbee8b06a5fd43fd389aaf
Opcode Fuzzy Hash: bd5b5510e593becea907e974680893b1adccfc6b860f31d6387dcd0e031b30fd
Instruction Fuzzy Hash: 3A01B5B3D0928C5FCB228B34EC917AD7F70EF12298B4880DAC854D7757D2658141CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0507CCBC, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160e6133a99541e5cc162ca21607588a0b60ade4363876b6b66543589abaa91f
Instruction ID: 17eb2093ea6dcb44e11145a4e0b1b4e1b49f1e09b23ffe0b131477becde909e8
Opcode Fuzzy Hash: 160e6133a99541e5cc162ca21607588a0b60ade4363876b6b66543589abaa91f
Instruction Fuzzy Hash: 5A01AF78A00208AFDB45DFA9C988A9DBFF2EF88200F1581A4E909AB361D635D941DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0507CCC0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfe2b395c793fb8859709a984a93eb5a6e47d7d7a2b5042850eafd748715472
Instruction ID: 1e4483c5d1afe94f42f6468bddb6a0e0db238c0184c9fe2996f01bf514fb8225
Opcode Fuzzy Hash: 2cfe2b395c793fb8859709a984a93eb5a6e47d7d7a2b5042850eafd748715472
Instruction Fuzzy Hash: 4BF06278A00208AFDB44DFA9D989A5DBBF5EF88200F15C1A4E909AB361DB35E941DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0EE02C63, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83dd2105e048dabbc5ff733d850a273c219824794ee9cc58eb811ec88bd86e42
Instruction ID: 48da57cd636093cff26666b0b623529ce60e0afb170871e0533e64de7d7d17bf
Opcode Fuzzy Hash: 83dd2105e048dabbc5ff733d850a273c219824794ee9cc58eb811ec88bd86e42
Instruction Fuzzy Hash: C6019EB4D012298FCF24CF64C888BDDBBB1BF48300F2091AAD929B7291D7345A80DF41

Uniqueness

Uniqueness Score: -1.00%

Function 050756A7, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9343f1c00bcf7b720b759749e1064f707ccdcb2a8093f39d07d6347a14618785
Instruction ID: 80c49aacb7c37748b30c4dda4213abae35fb4845ab93b462c328c5d057535b4f
Opcode Fuzzy Hash: 9343f1c00bcf7b720b759749e1064f707ccdcb2a8093f39d07d6347a14618785
Instruction Fuzzy Hash: B001C934D4021ECBCB64CF54E984BADBBB2FB48202F1084E5C41AA7654EB309E86EF54

Uniqueness

Uniqueness Score: -1.00%

Function 050752CC, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506f8a275dbfd621bbb2ca7830f83783dfb4c9e23311a72af9dfb18e5fb09a3f
Instruction ID: 59cf9bb36f3bbad77c44a42d4aa3c12bd8e19015822964d5897fac4bb50ab5cf
Opcode Fuzzy Hash: 506f8a275dbfd621bbb2ca7830f83783dfb4c9e23311a72af9dfb18e5fb09a3f
Instruction Fuzzy Hash: 4F01D6389002189FDB00DFA4E984B9CBBB1FF48301F0140A6D909EB264D7309985DF11

Uniqueness

Uniqueness Score: -1.00%

Function 01200818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219912071.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 5deb97a86eef543d9cb4d475a401a692e8d823626ace2f4015ea7d334b20ff99
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 93F0FB35108645DFC306CB44D940B15FBA2EB89718F24C6A9E9490B663C337A813DE85

Uniqueness

Uniqueness Score: -1.00%

Function 050765B9, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131373af07a6a57234c1235435cfa67596b9bde09fd322e01c5e57675a1f1e8a
Instruction ID: cf9811b87036db26396471bc8ef1cd9e68312a6965bc32418c879da24080ab4d
Opcode Fuzzy Hash: 131373af07a6a57234c1235435cfa67596b9bde09fd322e01c5e57675a1f1e8a
Instruction Fuzzy Hash: D7F06DB1D04248AFCF41DFA4D941AEDBFB0EF49300F14819AE82196260D2754620EF50

Uniqueness

Uniqueness Score: -1.00%

Function 0507243E, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e10f60304acc98035d552f3ace5e15294f9858408db4ac123a2eaac48d18b6
Instruction ID: dbfc080c788ceb4eb296ce0061e69cb33d376beed23634f7bcb58d240e9f8e37
Opcode Fuzzy Hash: 41e10f60304acc98035d552f3ace5e15294f9858408db4ac123a2eaac48d18b6
Instruction Fuzzy Hash: 23016CB4901268CFDBA0CF68C980B9DB7B1BF48305F2085DAD50AB7354D730AA81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 012005F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219912071.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab63cb61e5fa037f52e32c547f52ef264c8ef84d45da62419f90385f9713392
Instruction ID: 9a8beb0b5245dd1e21c91d7136b44eab7bc7189417738cd02eb271789ee4423a
Opcode Fuzzy Hash: 3ab63cb61e5fa037f52e32c547f52ef264c8ef84d45da62419f90385f9713392
Instruction Fuzzy Hash: 5FE092B6A406008BD650CF0BEC41452F7D8EB88630B18C47FDC0D8B701E136B504CEE5

Uniqueness

Uniqueness Score: -1.00%

Function 05078C18, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351ab515277a5a5ee59ccfcdd97967ea8818818cf625ca3450224a824c49033c
Instruction ID: c742590a5f3a4a3d92d8919274b2c952b4d401ed2f4f13dfd9c0ced4d095aea7
Opcode Fuzzy Hash: 351ab515277a5a5ee59ccfcdd97967ea8818818cf625ca3450224a824c49033c
Instruction Fuzzy Hash: 06F0E574D0A3485FCB94DBB8D41928CBFF09F09100F1081EEC404D6252D23449458F41

Uniqueness

Uniqueness Score: -1.00%

Function 0507CCB0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4a9d4e85f7074a62f255175db5981ac493588f16afbbbbe33a3d63c69a7f4d
Instruction ID: 804c3da2a3766edbf181e2f2dcecbc478371743ca59aca3c6289888cf82d02fb
Opcode Fuzzy Hash: 5a4a9d4e85f7074a62f255175db5981ac493588f16afbbbbe33a3d63c69a7f4d
Instruction Fuzzy Hash: 38F0D479A001089FDB01CB99C885E5DFBF2EF89300F0AC095A9089B361D635D940CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0EE02CF8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f78a54eb83ff7a8a2d15fd3b35a70739af9561305732e187804ab38a68bded
Instruction ID: c9b272c4bb89fb407440a71b9aab93eb13fbdddf1bdf323c5f7891f01fafc5ab
Opcode Fuzzy Hash: a4f78a54eb83ff7a8a2d15fd3b35a70739af9561305732e187804ab38a68bded
Instruction Fuzzy Hash: D4019D70802229DFDB20CF65C9487DDBBB1AB09705F1084D9924AA7296DB345FC1DF41

Uniqueness

Uniqueness Score: -1.00%

Function 050791A1, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e44e7a1d6d85cd82ea9d351a9914ba033f2ad0e4696ebcbfe0884881709d48e
Instruction ID: 60d90a95cc412eb5205bce0b59a953caa1d6a057bde45f8d6137704ef18b65b4
Opcode Fuzzy Hash: 3e44e7a1d6d85cd82ea9d351a9914ba033f2ad0e4696ebcbfe0884881709d48e
Instruction Fuzzy Hash: 92F052B0D04208AFCB45EFA8C842AAEBFB0AB49301F0486AAC814A2351D3759661DF81

Uniqueness

Uniqueness Score: -1.00%

Function 050755BD, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07eb68985be67b364c39456a84c686395af0acc11b28734d2c8da8e4b1cde662
Instruction ID: dfdd3458ed75140532cfb9cf0a8fccbd22b8de72d819d9723eb27507047af58c
Opcode Fuzzy Hash: 07eb68985be67b364c39456a84c686395af0acc11b28734d2c8da8e4b1cde662
Instruction Fuzzy Hash: 8FF01734D002189FCB40CFE0D899A9EBBB2FB48302F0084A5D51AEB274DB70A989DF40

Uniqueness

Uniqueness Score: -1.00%

Function 05078A4A, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0f63fc7358718305065f8c34da175dd6fce427598cde1e1b78bbf2d9510c0c
Instruction ID: c7b5785d2522aa6376dda89dc977b06791e911a5bad5c5bec4cea183c36efc9b
Opcode Fuzzy Hash: 6a0f63fc7358718305065f8c34da175dd6fce427598cde1e1b78bbf2d9510c0c
Instruction Fuzzy Hash: E0F058B1C04208AFDF85EFA8D845AADBFF0FF15300F0081AAD85093320E2718A54DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0EE01F41, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39d6e1888927e19268e6c2cc539703d88e6661b86b2f43eb271d36f69abfa17
Instruction ID: 6e28c20f0ff8ffa38117170481bad869ef65a1cf9bf277139c25b9c0532084c0
Opcode Fuzzy Hash: a39d6e1888927e19268e6c2cc539703d88e6661b86b2f43eb271d36f69abfa17
Instruction Fuzzy Hash: FCF0EC308483898FC305DFB0E854A69BFB0EF03305F1026CAC8849B6E2C3762801DB52

Uniqueness

Uniqueness Score: -1.00%

Function 050765C8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bc1ceeb356a5f7b407e8e938c331a76b05f95c247176554ca8f3f30ca2d4ac
Instruction ID: f921b7c920b8df1091455f05569d30a9c1927353bfb1a88b52b7986fd9696531
Opcode Fuzzy Hash: 86bc1ceeb356a5f7b407e8e938c331a76b05f95c247176554ca8f3f30ca2d4ac
Instruction Fuzzy Hash: B2F01CB4D0020CEFDB45EFA8D901ABEBBB5FF48300F10855AE914A6350D6319A20EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05078C58, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18573a3f3dc0025ed0e18847d1b7e6d24aa54cce164a619f3e550af50b538e72
Instruction ID: 677611fd6a294d920463088ce997a77478247a62f30476874a9ae8715843ba12
Opcode Fuzzy Hash: 18573a3f3dc0025ed0e18847d1b7e6d24aa54cce164a619f3e550af50b538e72
Instruction Fuzzy Hash: 36F052B0D46308DFCB85EFA8A8846ADBBB1FF06300F00C5AAD554A2211E3365A51EF50

Uniqueness

Uniqueness Score: -1.00%

Function 0EE02E0A, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b17ff7cfa2db1f50c9cd0caee982905bc265c0b218f9eaca09b103c48193ec
Instruction ID: 0dd40a6eb96b070a64d44fb2c02714ea31655a19a878cf390fe316fc38ce69f0
Opcode Fuzzy Hash: 02b17ff7cfa2db1f50c9cd0caee982905bc265c0b218f9eaca09b103c48193ec
Instruction Fuzzy Hash: C3F0ED3090226ACFDB24CF61CE48BCCBBB1AB88301F0080E9D54DAB254D6309E80DF20

Uniqueness

Uniqueness Score: -1.00%

Function 05075DC9, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465a732d72dcb4c6efdf29a667db2108cf51676578745ad54bd0ff95054785c2
Instruction ID: 5cfb5bb588e5e94566b21d1189aec6425b802368b21218fe29ed9645002260a0
Opcode Fuzzy Hash: 465a732d72dcb4c6efdf29a667db2108cf51676578745ad54bd0ff95054785c2
Instruction Fuzzy Hash: 87E0923181534C9FC755EFB4DC05B897BA8EB05301F5040B9C500572A0E2329654DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05079008, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f2ebe82eb4e9a3daae35b8d9809e4aeb78ffc2cf26e3fc738412add3a3fa01
Instruction ID: dadcae655f4a5a59c05a86fc732b8d2d1e1d06e70ea27853de2ab04b33f44c38
Opcode Fuzzy Hash: c6f2ebe82eb4e9a3daae35b8d9809e4aeb78ffc2cf26e3fc738412add3a3fa01
Instruction Fuzzy Hash: A2F015B5E14208AFCB45EFA8C8457ADBFF0EB19300F1086AED82593351E2798641CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05077B2F, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b146fbaf53e9e70b35ea019104e959f4885884c76c6a62b1fc72cbc94950f48
Instruction ID: f2072a230ce6d5119240f86a2d1b1305f61308630a98e14fb69b3eeb9e087d59
Opcode Fuzzy Hash: 4b146fbaf53e9e70b35ea019104e959f4885884c76c6a62b1fc72cbc94950f48
Instruction Fuzzy Hash: D4E0DF70D493889FDF45EBB498517DDBFF0AB06301F1481FAC814A2291D1790A05EE41

Uniqueness

Uniqueness Score: -1.00%

Function 0EE02F97, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43dfd3df70f7beb317245f99344629093af96c6c8de278deb6ecf4fb5726b06
Instruction ID: ae7ae610067991a2a60983aa0bc4b937e416c5d3c32b0f76365354924526fd3b
Opcode Fuzzy Hash: d43dfd3df70f7beb317245f99344629093af96c6c8de278deb6ecf4fb5726b06
Instruction Fuzzy Hash: 62F03971A843699EDB60CE60CD86FDDB7B4AB48700F1010A5A209BE2D0DAB46AC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0EE0306E, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c8925906f1e7412c11f4f6de3bc5afcd3f5530503b2b3505a85a8252e9f50e
Instruction ID: 0cd436c2718430ee0996d039ca8cf3325b5e718890f7b00cd7858d5e763eb39c
Opcode Fuzzy Hash: 82c8925906f1e7412c11f4f6de3bc5afcd3f5530503b2b3505a85a8252e9f50e
Instruction Fuzzy Hash: 20F0AFB5D412698FCB28DF64CE85BDCBBB5EB48301F0050E9A60AA6291D6345E84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05075D40, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4ef7b3824f6b14d05d0a6adb688d72fff6d09b003a543a80b4d8718ef82325
Instruction ID: 86eeae768c3f171503b4a0683a293d1a675fd27017a0c5e4f1bdfba5da2287fe
Opcode Fuzzy Hash: 9b4ef7b3824f6b14d05d0a6adb688d72fff6d09b003a543a80b4d8718ef82325
Instruction Fuzzy Hash: 82E09230D1938CAFCF51EBB8D85529C7FB0AB06220F1501EAC945D7251D5744A55CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05077960, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b17d60886d9b43316710284eb76f524860ce4c628bdb6780e3117eb3555f42
Instruction ID: 9ed2b0c225891f6bbf7dc05210e887e166c21c3eb0801d0367914894d0520628
Opcode Fuzzy Hash: 89b17d60886d9b43316710284eb76f524860ce4c628bdb6780e3117eb3555f42
Instruction Fuzzy Hash: 0AE0E530D5A348AFDB94EFA8E48979DBFB0FB4A311F2082BEC80A93210E6754555CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0507B1F2, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d5297c8e399d751324d65f237de5c4b410f9d23e9f2346bde48c973f5e6905
Instruction ID: 2839637232062b52ab52b45ae145e6a98efb30ec8d4a2659aa4c349a2a8bd998
Opcode Fuzzy Hash: a1d5297c8e399d751324d65f237de5c4b410f9d23e9f2346bde48c973f5e6905
Instruction Fuzzy Hash: 33F0A0B4805399CFCB16CF78C944AADBBB1FB06311F2406D9D8A01B2A1D3765502DF80

Uniqueness

Uniqueness Score: -1.00%

Function 050758D2, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd7456577f6a2a9fb1706eb2013f1a0297a8ed5d93f18effedf6787b950333b
Instruction ID: 151ee99f8934add350e38c937d22569e8186bbd9a64efd11342840201d34b5ca
Opcode Fuzzy Hash: dcd7456577f6a2a9fb1706eb2013f1a0297a8ed5d93f18effedf6787b950333b
Instruction Fuzzy Hash: CEF0D474E40319DFDB24CB61ED84BACBBB5FB98701F0080A5AA59AB254D7705A80DF54

Uniqueness

Uniqueness Score: -1.00%

Function 05077BB0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea34d0148ba6b25b5641f86519c18895a61585bac6195e1ea9cba7517d70c853
Instruction ID: e9015ae22a8fb87212ebeed8cdd6bf60e3ad8447aec356355acf40bd4d69b2f4
Opcode Fuzzy Hash: ea34d0148ba6b25b5641f86519c18895a61585bac6195e1ea9cba7517d70c853
Instruction Fuzzy Hash: 82E06D30D09388DFCB50DB749855A9DBFF0AB4A301F1081EEC845A7351C2341A04CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0507B200, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ade6f944634f4b09866088557e97a82faf337fde2c4b1a5ff4b7f36e0b7e3f
Instruction ID: d6d8a01b10435b315ac1a971560b17724c80734282d98521b71ef7fda9475432
Opcode Fuzzy Hash: e0ade6f944634f4b09866088557e97a82faf337fde2c4b1a5ff4b7f36e0b7e3f
Instruction Fuzzy Hash: 4EE032B4D0030CEFCB04EFA8D800AADBBB0FB08301F1085AAD814A3310D7319A02DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0EE01F50, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2465f33feef95b341268d9444df2afaef59c9c2ac1be3a3e65e1d23ff6c735ab
Instruction ID: 2427722d6fa929682d69e610b719f69a482a04298daefa54eeb42e27064f2125
Opcode Fuzzy Hash: 2465f33feef95b341268d9444df2afaef59c9c2ac1be3a3e65e1d23ff6c735ab
Instruction Fuzzy Hash: 11E04674E0030CEFC744EFB4E849AADBBB4EB46305F1051A9C809A3280EB756A40DF92

Uniqueness

Uniqueness Score: -1.00%

Function 0507599C, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91b9978e9be32d363a95e5732f3d4dd3609988e4caa7b870767f42e868d2091
Instruction ID: 8958a2fcd2ad85d200faedc49d8648c80e4de8128c709aaf96c06983bc866eda
Opcode Fuzzy Hash: f91b9978e9be32d363a95e5732f3d4dd3609988e4caa7b870767f42e868d2091
Instruction Fuzzy Hash: 0EF0C974D00209EFEB01CFA5DA41AADBBB1FF49300F5180A5E545EB265D7309A05DF61

Uniqueness

Uniqueness Score: -1.00%

Function 050790D2, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71daf719ed021e14bba0024ee62cd2fe76602f0c515869be02d3e776df759352
Instruction ID: 172bb9f9b5ebf753d108d6f951990dce110b184fafb6a110d912fd6a86ef9aca
Opcode Fuzzy Hash: 71daf719ed021e14bba0024ee62cd2fe76602f0c515869be02d3e776df759352
Instruction Fuzzy Hash: DFF0A574E043099FDB84EFA8D8457ADBBF0FB49301F1486EAE918A3361D3755A41DB82

Uniqueness

Uniqueness Score: -1.00%

Function 05077BF8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10646bf17f96096ff60b6556c568913ed1e7cd9245709646313fb83dee30240
Instruction ID: 01e6dc9ff1beb52a9f508b514bf03b8c4d3962f4480f89d3ee4910f81ebc53ff
Opcode Fuzzy Hash: d10646bf17f96096ff60b6556c568913ed1e7cd9245709646313fb83dee30240
Instruction Fuzzy Hash: F1E08671D093489FCB45AFB8AC4929C7FB0EB16311F1443B9D415E2191D13945549F56

Uniqueness

Uniqueness Score: -1.00%

Function 050722FA, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b916c15874167eda8168b7010bdb5d6768932e550deda9699153757973b1cad8
Instruction ID: 832e0129253a9a069d927ef2e184fe4a467fea333012294c6169512cee26017d
Opcode Fuzzy Hash: b916c15874167eda8168b7010bdb5d6768932e550deda9699153757973b1cad8
Instruction Fuzzy Hash: DBF05A74912329CFDB65CF68DD80ADEBBB1FB09301F0041D9E909A3210DB31AA81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0EE03BA1, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217a93e5a910db3b66d7aa3752fbd18aaaadfba4e9247a890dddd0a725cb6509
Instruction ID: dae93f9de36c97118a2ea579ae6271366b201c0bbe574de6520cb156a2281507
Opcode Fuzzy Hash: 217a93e5a910db3b66d7aa3752fbd18aaaadfba4e9247a890dddd0a725cb6509
Instruction Fuzzy Hash: 98E07D3082A3988FCB00DBB8C95575D7FF09F07201F2005EEC944932A0D1714D01CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0507911A, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ab1f23cddb5efc6f68e90d7950cb0ca2c48f50407dcaeed87097b711499e89
Instruction ID: 8276b93e1f4e6661495fe5ff35c99c5541f36437ba0f07e5f8942e4e32a47f6e
Opcode Fuzzy Hash: d7ab1f23cddb5efc6f68e90d7950cb0ca2c48f50407dcaeed87097b711499e89
Instruction Fuzzy Hash: 89E0E574D05248AFCB41EFB8D45A7ACBFF0AB09301F1542EED84592261E2755565CF42

Uniqueness

Uniqueness Score: -1.00%

Function 050791B0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b87ea11af2250543c88f7bfc761741b01a878c15fc533c188659e2c65ef82ca
Instruction ID: ebc9b6382efd6b6e96299063175625438381f9e80f84d11ec519c5337910fa15
Opcode Fuzzy Hash: 4b87ea11af2250543c88f7bfc761741b01a878c15fc533c188659e2c65ef82ca
Instruction Fuzzy Hash: 18E01AB0D0030CEFCB44EFA8D9456AEBBB0FB44300F1089AAD814A3310D7719A51DF95

Uniqueness

Uniqueness Score: -1.00%

Function 05078C68, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3711c9c41d8c87cf3c6c0473e2b9af8ee11ac704863712f42c0c4743894583
Instruction ID: fd13a51c7172fb78dd3d87b9553a01e2d539c3c6377036a2899fc3537b9fd4ad
Opcode Fuzzy Hash: 7b3711c9c41d8c87cf3c6c0473e2b9af8ee11ac704863712f42c0c4743894583
Instruction Fuzzy Hash: 09E01A70D0130CEFDB44EFA8D9856ADBBB1FB44300F1085AAD814A3300D7759A51DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0507B8F7, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3154ad5a11a315c1101bf1c5bda98d2d0a97cb3d9824194e2914ea229f67fe8b
Instruction ID: 7b383d2697214d09790b596caf37f8836c4e5ab3e9598854e446012fb6dc5ea7
Opcode Fuzzy Hash: 3154ad5a11a315c1101bf1c5bda98d2d0a97cb3d9824194e2914ea229f67fe8b
Instruction Fuzzy Hash: 24F06C74A022A8DFDB60CF65D985B9CBBB5AB48305F1054DAE809AB350D6359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05078A58, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f72f5c7119cd12fc2295eb5c872c05ecee7bf48b25c4d09724ff7d760ba63b
Instruction ID: 97f3b3cc0dbcacd70cdaf2f772b293f7b69b2fc88889ed5fc6798ca01ae9ed74
Opcode Fuzzy Hash: 71f72f5c7119cd12fc2295eb5c872c05ecee7bf48b25c4d09724ff7d760ba63b
Instruction Fuzzy Hash: 82E0E574D0030CAFCB44EFA8D845AADBBF0FB08300F1085AAD814A3310D7719A54DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0EE0341D, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4473d1f7b2195bedc5ca7faa0e1bf7306aa2c13178995e32098e9f6274f239b
Instruction ID: a489c40cca7c077eacf482852350503306b6aada287c4083a436309f4d6f0b4b
Opcode Fuzzy Hash: f4473d1f7b2195bedc5ca7faa0e1bf7306aa2c13178995e32098e9f6274f239b
Instruction Fuzzy Hash: 74F0AAB889232D9EDB24CF21C9997DDBBB0BB29300F5056EA8149662A6C7340BC1CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05074DB9, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e43741f82052091384f149d50ed76fa2bced3675a57e60ae9e4f7ad6a521d5
Instruction ID: e57e4b01a672bdb353fafb475a3e14c393687eccf9fd4b48cce00974ae4954e6
Opcode Fuzzy Hash: d2e43741f82052091384f149d50ed76fa2bced3675a57e60ae9e4f7ad6a521d5
Instruction Fuzzy Hash: 56E0C2B6C592988FCB56E778A81639CBFF08B02206F2402FEC88496251F17E4A14AA51

Uniqueness

Uniqueness Score: -1.00%

Function 05075DD8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05b6746523e53324573e81a9d3397cbdc0489f3a0d803db073b077a73746603
Instruction ID: 6ce39cb34db5450588878a9ee13de226cea0dd58bfa1821289b4ae2d8730fe13
Opcode Fuzzy Hash: b05b6746523e53324573e81a9d3397cbdc0489f3a0d803db073b077a73746603
Instruction Fuzzy Hash: 04E08C3085130CEFC744EFB4D808A89BBB4FB05201F5080A9CA0447260E7329AA4EF91

Uniqueness

Uniqueness Score: -1.00%

Function 05079018, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd998632294154ac2b34b3e1cc5dc21d38af57ac6ee7b1035f01007aa4db9861
Instruction ID: c472d330afd2db378d90d94b15c4470022d120899de0d6c5aedad495bf9a6969
Opcode Fuzzy Hash: dd998632294154ac2b34b3e1cc5dc21d38af57ac6ee7b1035f01007aa4db9861
Instruction Fuzzy Hash: 8AE01274D0030C9FCB84EFA8D8456ADBBF0FB08300F1085AAD818A3310D770AA40CF81

Uniqueness

Uniqueness Score: -1.00%

Function 050790E0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2fa9474f44c6b46e1414df76b31d7980376890d2f2ce2cccd2bdbe7067837c4
Instruction ID: 5f11eb726a774bb43fe3ffb9796d51fc446cfd3a1ab6317f15c56bbb566eb783
Opcode Fuzzy Hash: e2fa9474f44c6b46e1414df76b31d7980376890d2f2ce2cccd2bdbe7067837c4
Instruction Fuzzy Hash: DFE0EE74E003089FCB84EFA8D845AADBBF0FB08300F1085AA9818A3310D7706A40CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05079B87, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb257dae953dcb536041f4fb15f6bd14a755068a275fd63c840ce76d85dbc67e
Instruction ID: 808db8a01966d99c2a9dfc84c96b706400d82d1bbda27744f18ef36c1580d4bc
Opcode Fuzzy Hash: fb257dae953dcb536041f4fb15f6bd14a755068a275fd63c840ce76d85dbc67e
Instruction Fuzzy Hash: 8EE0C27281A388DFC791AF74A90E2AC7FB8EB52301F1445A78847C6062C7360450DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0EE028F9, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a508be74a46845c664fe4169f25bf1de090fbf6293bfc4d63bd33126c3346e8
Instruction ID: ce373587c8b9a8bbfa58ef0afd660e19efdd6bced36d852fddb62b90f19a01a4
Opcode Fuzzy Hash: 5a508be74a46845c664fe4169f25bf1de090fbf6293bfc4d63bd33126c3346e8
Instruction Fuzzy Hash: F0F06278C46269CFDB248F11C954BD9B6B0BB08381F4099D9D10976291C3759AC69F40

Uniqueness

Uniqueness Score: -1.00%

Function 05077970, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0182186f81db3fbb1ca55ac65118e9c3061cc44005e0bf0f5fc8d8fbc34e8f77
Instruction ID: b991e5ba9055dbab41e34c222858a6ae622aa4017e3fabdff1cda8c24b31ba8e
Opcode Fuzzy Hash: 0182186f81db3fbb1ca55ac65118e9c3061cc44005e0bf0f5fc8d8fbc34e8f77
Instruction Fuzzy Hash: E7E0B674D053089FC784EFA8D4497ADBBF4FB49301F1081A9980893350D6355A54DF86

Uniqueness

Uniqueness Score: -1.00%

Function 05077748, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb195e8728b2d9d2216fb573c16ffe5ece33004f54c4d3de148712e056ebd30
Instruction ID: 007ded813f2f7076090dbe403241c8b760a951ca540565defedce6fe5b1a9bcf
Opcode Fuzzy Hash: 5fb195e8728b2d9d2216fb573c16ffe5ece33004f54c4d3de148712e056ebd30
Instruction Fuzzy Hash: A8E0E270D0530CABCB58EFB8A9056ADBBB4EB45305F1085A9C808A7350D6399A51DF95

Uniqueness

Uniqueness Score: -1.00%

Function 05077BC0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792eb746dc5343a7c32929b865dd5aa4d614af6a36c3a1be1d44892ac905fca0
Instruction ID: d8f18a0f43f7e9b81d1ce522fe57e2a9d72253ff361caad4742090ea1354b229
Opcode Fuzzy Hash: 792eb746dc5343a7c32929b865dd5aa4d614af6a36c3a1be1d44892ac905fca0
Instruction Fuzzy Hash: 2BE0B674E04308DFC754EFA8E54969DB7F4EB49301F1081A99818A7354D6356A14DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0EE02D88, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57370cb0eac2122499b499196bedb437c9bec6e154fbf8df4248d269a5bb1e4
Instruction ID: 847f01800f48afef47580eb8996d2bc2c2c8c8e6d8985acf34750613b1307c02
Opcode Fuzzy Hash: c57370cb0eac2122499b499196bedb437c9bec6e154fbf8df4248d269a5bb1e4
Instruction Fuzzy Hash: B7F0A5B5C0632DCFDB249F20CD897DEBAB0BB08350F0026D9822A662A5D3310EC0CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05079128, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adfc3211374afb2c54dbdeaf3a96e2a61af4e5ea012fd597581097c38a6ea0f
Instruction ID: 5e895aa2fdd5f80e0611995ddce4cd2c2ab06a786935a81da3a9321c520c6a24
Opcode Fuzzy Hash: 9adfc3211374afb2c54dbdeaf3a96e2a61af4e5ea012fd597581097c38a6ea0f
Instruction Fuzzy Hash: FFE0BD74E00308AFCB84EFA8D44969CBBF4AB08201F1041E9980893360E635AA54CF82

Uniqueness

Uniqueness Score: -1.00%

Function 05075D50, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cc7a56687b8405915ff5f8220069c33b12e6a51d656f6d7fa20df9cdf4c46f
Instruction ID: c3265fb0232dd253d6c3a1a76aa63351b3dc4d8a82e302cf7cfd1515ffae1de9
Opcode Fuzzy Hash: 79cc7a56687b8405915ff5f8220069c33b12e6a51d656f6d7fa20df9cdf4c46f
Instruction Fuzzy Hash: EDD01234D1034CABC754FBB8D84539C7BB4AB44201F1405E8890597250EA305B91DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05074D81, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ac1ce7b4d1036340094d616226df0f148ea03e1dc0b655b1c7db5d25794444
Instruction ID: 2cd2130dfdb3dad0c28136f5cac6c9e22ae397514d53f19231e0ae90e6dbbf7d
Opcode Fuzzy Hash: 32ac1ce7b4d1036340094d616226df0f148ea03e1dc0b655b1c7db5d25794444
Instruction Fuzzy Hash: BCD0977184A3884FC301C770A803BBE3BE08B01309F1001ACC484C32A2D1BA08228946

Uniqueness

Uniqueness Score: -1.00%

Function 05078C28, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9456ff57658c3f698c5fb57e8c728ff2a6718d9d9fa1908fef0ff0f2fd43cabe
Instruction ID: 1dd64e0327eb29fdb0cd14e3d6f7bf353927d50fa9bc6e49fa635e57c13627be
Opcode Fuzzy Hash: 9456ff57658c3f698c5fb57e8c728ff2a6718d9d9fa1908fef0ff0f2fd43cabe
Instruction Fuzzy Hash: 5FE01270D0230C9FCB94EFB8D40535DBBF4EB44201F5085BA880897340E63596508F81

Uniqueness

Uniqueness Score: -1.00%

Function 05077B40, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb1af739fd98a7d14003ca631d4556392c548b9dab1a97bec05443db5ca2bf6
Instruction ID: a34bcbea42f9d4dc523d3b7962d87956b30300d37a34ff06ed28a865d82ebc33
Opcode Fuzzy Hash: acb1af739fd98a7d14003ca631d4556392c548b9dab1a97bec05443db5ca2bf6
Instruction Fuzzy Hash: E5D01770D0935CABCB84EBB8A9053ADBBF4AB45201F1081EA8818A3341E6341B10EE95

Uniqueness

Uniqueness Score: -1.00%

Function 05078BA8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bc6f21057d4b5f71356a764e168e4bb17b85f1839ad13bc57b426707b417b4
Instruction ID: 718f72ee359f3326553626a0d09eb663618f6b3fe971d47b295d24bbbe0fc006
Opcode Fuzzy Hash: e0bc6f21057d4b5f71356a764e168e4bb17b85f1839ad13bc57b426707b417b4
Instruction Fuzzy Hash: 28E0E270D0130CEFCB94EFB8D40529DBBB4AB44201F1081AA8808A2340EA75AA91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05077C08, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9a59ede3d585df47805dfd46cb0a49fe0080a380fe84fddd4f343fb9599e09
Instruction ID: 120f53af359a4cd722ef3925458258b0ff554caac4b807671b264d966cce51ee
Opcode Fuzzy Hash: dc9a59ede3d585df47805dfd46cb0a49fe0080a380fe84fddd4f343fb9599e09
Instruction Fuzzy Hash: 32D05E70C0430C9BC784AFB8A80A25DBBF4E705202F0081A98508A3200D63445509F96

Uniqueness

Uniqueness Score: -1.00%

Function 050753A1, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc17d63e995ee2d279d81f29b6091530eb1ea39071bcd97dd2104d45142fffd
Instruction ID: 9dca289a7d21b448f4e752b40b959eeb1fb3c2f1d1f8bf705424aa65925da54e
Opcode Fuzzy Hash: fdc17d63e995ee2d279d81f29b6091530eb1ea39071bcd97dd2104d45142fffd
Instruction Fuzzy Hash: D9E07574D142189FC750DF64E945B9CBBB6EB49301F0050AA991AE7255D7305941DF44

Uniqueness

Uniqueness Score: -1.00%

Function 05075644, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fb47943785c4b56aa90adbdc7cd9cbfb00612f5224a185764757b53982ac33
Instruction ID: f0784026d154f22fdf0b216d72f24bb399e488e6a21d4db46079178447c7df5b
Opcode Fuzzy Hash: 97fb47943785c4b56aa90adbdc7cd9cbfb00612f5224a185764757b53982ac33
Instruction Fuzzy Hash: 59E01A30E013099FCB50DF68D94469CBBB2FB48302F10C0A5995DE7364DA309981DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0507556F, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cef9b7478be4c6953018930d53ec526ebd03e88159b02e408b0d923eee2ca4d
Instruction ID: c336ebfa68dfe1aae17d18edf281a49b446034d32be4a80870cda39d70dfa17f
Opcode Fuzzy Hash: 0cef9b7478be4c6953018930d53ec526ebd03e88159b02e408b0d923eee2ca4d
Instruction Fuzzy Hash: 82E01A74C0526D9FC758DB64D8497EDBBB1BB89306F1085E9920ADB661DB304A41DF80

Uniqueness

Uniqueness Score: -1.00%

Function 05074DC8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8cb21ef7aeb150d324f650277bf89ac160d11f09c5bd23bd1ada990f849d25e
Instruction ID: 0fc5d501c3f16d4f57d8e6eb7a4b04a7c681b3b72803ded3aa407c2ab932749a
Opcode Fuzzy Hash: b8cb21ef7aeb150d324f650277bf89ac160d11f09c5bd23bd1ada990f849d25e
Instruction Fuzzy Hash: 95D0A774C0535C9BCB44FBB8A90535DBBF49B01501F1001B9884452240E5344B109A91

Uniqueness

Uniqueness Score: -1.00%

Function 0EE03BB0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b500a2de7637565cc7dad8d53a63e17441ac3aaaf877bede6164da2158ed958c
Instruction ID: 0e5c67d740ea3f09c1b702357e91ab269612bb88d03574db8d13ed08acd51562
Opcode Fuzzy Hash: b500a2de7637565cc7dad8d53a63e17441ac3aaaf877bede6164da2158ed958c
Instruction Fuzzy Hash: 4CD0A73081130C9BD744FBB8D90535D7BB49740605F1001B9880853250E6315E50DE91

Uniqueness

Uniqueness Score: -1.00%

Function 0507A0D6, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa82268f6fd6f4c8cbcb3436a084b79ac5afc6eb1ee53293113e96076efe57e0
Instruction ID: f82b404eae7fb0d0421f8ca81d01f9b713f9cdb3d98e8a525c3d086fee21a862
Opcode Fuzzy Hash: fa82268f6fd6f4c8cbcb3436a084b79ac5afc6eb1ee53293113e96076efe57e0
Instruction Fuzzy Hash: 66E0B670D1221ADFDB94DF64DD80F8CBBB5BB45200F4096A9D80DAB224DB705E8ACF14

Uniqueness

Uniqueness Score: -1.00%

Function 05079B98, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982abb819a0b3c457e7553638e95a21669acee6d54aac8577c6c6363981e9b8e
Instruction ID: ef906a123d5a20f85453d142179de1e0f0c582656f6a3347ac33c9589638ffb0
Opcode Fuzzy Hash: 982abb819a0b3c457e7553638e95a21669acee6d54aac8577c6c6363981e9b8e
Instruction Fuzzy Hash: FFD0127140534CDFC380EFB4E90E75D77ACE705352F105965940AC3550DB765440DAE6

Uniqueness

Uniqueness Score: -1.00%

Function 0507595C, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126aada457c29a4b1139b48b29b863a723648d683826d2d9f58a650ddf0ac9e3
Instruction ID: 73ccb196a6f1aac65901b3e531ee6bdb3087ee390fa637b191c2585073d5c820
Opcode Fuzzy Hash: 126aada457c29a4b1139b48b29b863a723648d683826d2d9f58a650ddf0ac9e3
Instruction Fuzzy Hash: 52D02238C09108EBC3108BE7C44505CBF70EB00302788D5D090C2EB202C738C20C8F85

Uniqueness

Uniqueness Score: -1.00%

Function 05074D90, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46cace404d11a99228f215e1a487e9b7017b8c379e6df07d6ba57d3ad8c8933
Instruction ID: 9ccd0fe4b54163eb5340121bc39bfbf13d4e2d1a3eca141f6e67f6c9b83702c0
Opcode Fuzzy Hash: b46cace404d11a99228f215e1a487e9b7017b8c379e6df07d6ba57d3ad8c8933
Instruction Fuzzy Hash: 50C08C6090630C9BC780EBB4A80671A73EC9702506F1049A4880883200E9729E1099E6

Uniqueness

Uniqueness Score: -1.00%

Function 0507544A, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72adade93dbe4f4d3bd0352bbde3fce881ae0fbcab1707cd53959d965ca099eb
Instruction ID: f20b8431c1fda6b422027d33443ae559ca2a559215e115c362afedf082fd31f2
Opcode Fuzzy Hash: 72adade93dbe4f4d3bd0352bbde3fce881ae0fbcab1707cd53959d965ca099eb
Instruction Fuzzy Hash: 96E0EC34D00208CFCB10CFA4D9585DCBBB1FB49302F10D5A5C455A7224CB709981CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05070070, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec6c8cced43d119f13beab27c1a73eb5044606afec9f00293332a8021472998
Instruction ID: 32c699b9cbe4374cc77c629020f4ba23908993566c53f019de0250a7c92efa38
Opcode Fuzzy Hash: 5ec6c8cced43d119f13beab27c1a73eb5044606afec9f00293332a8021472998
Instruction Fuzzy Hash: 72C0807040530CDBC341EFF4AD0D71A77DCE706113F004664950DC3150E6715550DEE6

Uniqueness

Uniqueness Score: -1.00%

Function 05075224, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2102a53dcbc0f128e6fa3bbffdce3b27b2f1a2aa67ecb8ecec88dbda421350c7
Instruction ID: a7758c52ba5a12890f9dc468ebf23061ee8e10826530af565fc2a003b3752923
Opcode Fuzzy Hash: 2102a53dcbc0f128e6fa3bbffdce3b27b2f1a2aa67ecb8ecec88dbda421350c7
Instruction Fuzzy Hash: 86E0BD78C06218ABEB208BA0C994B9CBBB1FB88300F008AD5D916A7390D6348A40EE11

Uniqueness

Uniqueness Score: -1.00%

Function 05072135, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299bfcefa4d5cd2e540a2a38bd616cde05d580d1e43dd27d1026b34e2203640f
Instruction ID: 0f959608f861ec5a10c6f94912d2ae68fc972fddc10f4020ff2df00117cf5ee0
Opcode Fuzzy Hash: 299bfcefa4d5cd2e540a2a38bd616cde05d580d1e43dd27d1026b34e2203640f
Instruction Fuzzy Hash: FCC08075D141CECD8B1CCAE0D18104DFFA5E790789F1456054146FF148CF319526894C

Uniqueness

Uniqueness Score: -1.00%

Function 0507BFDC, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbf8a4a506d7ecd50ab25dd2f77b50358ec409b476d49ecd460bdfb0d86fffd
Instruction ID: 9ec350c7dc0af0091327bb12143df5e7bf67ea5d19ecfb95ab2536a724fdf752
Opcode Fuzzy Hash: afbf8a4a506d7ecd50ab25dd2f77b50358ec409b476d49ecd460bdfb0d86fffd
Instruction Fuzzy Hash: D2D06C74901358DFCB64CF60CA849EEBBB2FF09301F201499E80967314C732AE82CE05

Uniqueness

Uniqueness Score: -1.00%

Function 05070A14, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ee1087aad8e15343a17536778e504c5a8442a8875cc8863a8c72fa02c3a482
Instruction ID: 27b63e47d38e938816783b04de18f389671f4d7231afd86f87578deae98a323d
Opcode Fuzzy Hash: 37ee1087aad8e15343a17536778e504c5a8442a8875cc8863a8c72fa02c3a482
Instruction Fuzzy Hash: 7DD0173490226DDFCB10CF54EC84AADBBB2FB40208F1056999409AB214C7709E84CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0507C0BB, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca3cd8e2f0976b2c284b632c175fe6b4ebbd4674272c25433feb27e2842d04a
Instruction ID: 3ac61b8838e7b617f48a52a827ab254f3fe33b4c8fb21ded59b32f955f4e1d63
Opcode Fuzzy Hash: 0ca3cd8e2f0976b2c284b632c175fe6b4ebbd4674272c25433feb27e2842d04a
Instruction Fuzzy Hash: 4CD012718091889FCB50CF95D14A45DB771EF4035179011A288168D15DD3328242CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05075B29, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6713bdc3f225ca26d879f0d9a096c7034e0704c2882633c6ab826d70e85ebef
Instruction ID: 759593914be9b14cd5b02d2305ef85366068e623193f05996f963198a9051dd5
Opcode Fuzzy Hash: c6713bdc3f225ca26d879f0d9a096c7034e0704c2882633c6ab826d70e85ebef
Instruction Fuzzy Hash: A8C04C35E001089BCB108FD5E8441ECF331E7C9332F1052559579976E4CA3259559651

Uniqueness

Uniqueness Score: -1.00%

Function 0EE018B3, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcebbb7e38a6974a8ac0ad9edf169018d17aa6008148514574219e1d39ac5657
Instruction ID: 9723172d7e1572d53dbdfca5b110c44d2a8e4c8f554d85db184cfddfe86cfc8e
Opcode Fuzzy Hash: fcebbb7e38a6974a8ac0ad9edf169018d17aa6008148514574219e1d39ac5657
Instruction Fuzzy Hash: 28C01235C6B2099A8B40CF94E98845CF6B4BB41220F9432028431E72D9D12885445694

Uniqueness

Uniqueness Score: -1.00%

Function 05072162, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56299971a2937e82e1e90df28ae3de99b83ea4cac4b5b3173c6b2e5f26e3494a
Instruction ID: 3c297b7b6ca4cb81fb2a9df659d6d3cb4b9b2bafa4fee5e527d0b6f79972f6bc
Opcode Fuzzy Hash: 56299971a2937e82e1e90df28ae3de99b83ea4cac4b5b3173c6b2e5f26e3494a
Instruction Fuzzy Hash: A1D0C971802388CFC714CBA4D54049CFB72BB49342B510498D00AAA254CB35DA40CA08

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0507E5E0, Relevance: 3.9, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

Ram, xrefs: 0507E714
Ram, xrefs: 0507E704
rxx1, xrefs: 0507E69C

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: Ram$Ram$rxx1
API String ID: 0-1526886719
Opcode ID: 4f2477ec1d0d2d63b8b79e48f912fe634ae7e37bce9123a96608014658de1b9a
Instruction ID: 1a7b623c199f624fc65b6206b206d9c539302285c42fa720306dc6860004a7ba
Opcode Fuzzy Hash: 4f2477ec1d0d2d63b8b79e48f912fe634ae7e37bce9123a96608014658de1b9a
Instruction Fuzzy Hash: 0C51E174D1621DDFCB04CFAAD9809AEFBF6FB89240F1495AAD415BB210D3349A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0507E5D0, Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

Ram, xrefs: 0507E714
Ram, xrefs: 0507E704

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: Ram$Ram
API String ID: 0-4234961553
Opcode ID: 89a9ddb32793370b1a214e2348ed069ca92dca37cbf27d8951ebdbbb8660bac2
Instruction ID: b57f19db91b6045c88169930c4e24dc1e094ae37176c5ad3e35ea4a0beafbc4e
Opcode Fuzzy Hash: 89a9ddb32793370b1a214e2348ed069ca92dca37cbf27d8951ebdbbb8660bac2
Instruction Fuzzy Hash: 0151D074D16219DFCB04CFA9D981AAEBBF6FF89240F1485AAD415BB210D7389A01CF58

Uniqueness

Uniqueness Score: -1.00%

Function 050700A8, Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

f]?r, xrefs: 0507011B
P ~, xrefs: 0507013F

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: P ~$f]?r
API String ID: 0-1714216790
Opcode ID: 87198fd2901be59976aba373d0819b6661632a25fd3d168ac9b6fb6eef41ae94
Instruction ID: 69ac220d347e08ff36945a60594fad170c822d531c4a9af820acbf467ce34164
Opcode Fuzzy Hash: 87198fd2901be59976aba373d0819b6661632a25fd3d168ac9b6fb6eef41ae94
Instruction Fuzzy Hash: 0F21F671E016189BEB18CFABD80469EFBF7AFC9210F08C17AD808AA255DB745A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 05070099, Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

f]?r, xrefs: 0507011B
P ~, xrefs: 0507013F

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: P ~$f]?r
API String ID: 0-1714216790
Opcode ID: 0ad7d8554dca938c1d1932fd91b819e992ba8c7cac14ea805bdaf88965a74b56
Instruction ID: 20dcb048ec60d6e8e12770da9fd5ae04ed5580f4de712ded08920f43997addc6
Opcode Fuzzy Hash: 0ad7d8554dca938c1d1932fd91b819e992ba8c7cac14ea805bdaf88965a74b56
Instruction Fuzzy Hash: E121F871E016188FEB18CF6BD84579EBAF3AFC9300F18C17AD808AA255D7745941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0EE008E0, Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

Qlb/, xrefs: 0EE00A0C

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID: Qlb/
API String ID: 0-4012028387
Opcode ID: af5d0bbd8e7f3ad4f07894eb9a4fb6e5e24f000829adff3128bf49f4e096a95a
Instruction ID: e03a95db9de33445c5fecbf657dd2cc5fd26321e58c5eb9c065f482b2cb5a8ba
Opcode Fuzzy Hash: af5d0bbd8e7f3ad4f07894eb9a4fb6e5e24f000829adff3128bf49f4e096a95a
Instruction Fuzzy Hash: 96A12CB0D0524ADFDB04CFAAC5806AEFBF2FF88314F54A915D415AB295D7349A82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0EE008D0, Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

Qlb/, xrefs: 0EE00A0C

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID: Qlb/
API String ID: 0-4012028387
Opcode ID: 660dd44ae37064179465726414a3ddf6438fe6b77cbaf4aefc8e8813e3fd127a
Instruction ID: 7a84dd49145a6b5578bd3ea2b969432f41e51a0af1bfa55228c88cf8bbe02504
Opcode Fuzzy Hash: 660dd44ae37064179465726414a3ddf6438fe6b77cbaf4aefc8e8813e3fd127a
Instruction Fuzzy Hash: FBA13DB0D0524ADFDB04CFAAC5806AEFBF2FF88314F54A916D415AB295D7349A82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0507DDF0, Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

f"j1, xrefs: 0507DEDB

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: f"j1
API String ID: 0-3389810266
Opcode ID: 81cb5d6b9bb09f385dbf17b84f3fdfb90ec377f8c9fa3ec497b020c4c1435867
Instruction ID: 1bb942541d6b71475a4f9a3bd6ec2ba3dccdac9dad56f2426d67177345e64392
Opcode Fuzzy Hash: 81cb5d6b9bb09f385dbf17b84f3fdfb90ec377f8c9fa3ec497b020c4c1435867
Instruction Fuzzy Hash: B451E2B5D1521AEFCB04DFA5E5819AEFBF2FF58310B149956D415AB200C330AA41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0507DE00, Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

f"j1, xrefs: 0507DEDB

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: f"j1
API String ID: 0-3389810266
Opcode ID: e8c7903205e8cd5e7ac7474bd3de8f2d8946dd6f75b7e11a8f6abb7cf9c38a05
Instruction ID: 9fbd1e6ea16b210eb6c18155c561e7dcc21037765920142a987b339421b6e75a
Opcode Fuzzy Hash: e8c7903205e8cd5e7ac7474bd3de8f2d8946dd6f75b7e11a8f6abb7cf9c38a05
Instruction Fuzzy Hash: 6651C0B5D1521EDFCB04DFA9E5819AEFBB2FF58310F14995AD415AB200C330AA41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 05079BC0, Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

f]?r, xrefs: 05079C43

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: f]?r
API String ID: 0-3183013900
Opcode ID: 361fa3530bf65c6cff0681c61e49041166a61c5f115551a88dd32d588dc66a93
Instruction ID: f0d94200507be580b66c674268aff3599f2c288d8d54d6aade7228ffb0a8b556
Opcode Fuzzy Hash: 361fa3530bf65c6cff0681c61e49041166a61c5f115551a88dd32d588dc66a93
Instruction Fuzzy Hash: D551F670E012188FDB58CF6AD944A9EFBF3BF89311F04C5AAD408AB211D7709A81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0EE02480, Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

3hR, xrefs: 0EE02549

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID: 3hR
API String ID: 0-964585046
Opcode ID: 9aafa88aafea2861ec6230f2bc6e62c73aa1f967da778b3bfc89d843ecd5c6c9
Instruction ID: 291f656fc35aea42fc3e00540d7d242b5ccf477c9c3bdcd00e0586bc6420e053
Opcode Fuzzy Hash: 9aafa88aafea2861ec6230f2bc6e62c73aa1f967da778b3bfc89d843ecd5c6c9
Instruction Fuzzy Hash: 7F511C74E0522A8FDB68CF2AD9447DABBF6EB88300F14D0F9D51DA7250EB305A818F00

Uniqueness

Uniqueness Score: -1.00%

Function 0EE02470, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

3hR, xrefs: 0EE02549

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID: 3hR
API String ID: 0-964585046
Opcode ID: 84aaa981a24b3716362420eab0a084a7f1e570d669122d2dcfd1433c0eeb02ef
Instruction ID: f4f78c063862f7bb0bc22979f61bdf51977294c8b83fbba435f46c5c78216e44
Opcode Fuzzy Hash: 84aaa981a24b3716362420eab0a084a7f1e570d669122d2dcfd1433c0eeb02ef
Instruction Fuzzy Hash: 8641FC74E1161A8FDB68CF6AD944799BBF2EF88300F14C5FAD51DA7264EB305A818F01

Uniqueness

Uniqueness Score: -1.00%

Function 0507E7B8, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

Xab,, xrefs: 0507E809

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: Xab,
API String ID: 0-66796672
Opcode ID: 8c83333242c4b981072443623447b1d4f18ff3fe6daa8d706c01dd04665a0a59
Instruction ID: 3f3ef171db1e40966a1c09781164e167c29f91183821f764a5a7006b038f0199
Opcode Fuzzy Hash: 8c83333242c4b981072443623447b1d4f18ff3fe6daa8d706c01dd04665a0a59
Instruction Fuzzy Hash: 39412871D0A20ADFDB44CFE9D5854AEFBB6FF89300F24C4AAC015AB245E7349A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0507E7C8, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

Xab,, xrefs: 0507E809

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: Xab,
API String ID: 0-66796672
Opcode ID: 3462a19bc4d4ec043b485be0fbc376554ee2d5bb725c9e6b5dd137fd40b53f8f
Instruction ID: 55d3cc99b5f4fe49c7ba92bae136fee614c1c8c81876fb6603f7c8de7c0b6e64
Opcode Fuzzy Hash: 3462a19bc4d4ec043b485be0fbc376554ee2d5bb725c9e6b5dd137fd40b53f8f
Instruction Fuzzy Hash: DA410670D0620EDBDB44CFEAD5815AEFBB6BF88300F2484AAC415B7204E7349A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0507E3D0, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

^=h, xrefs: 0507E476

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: ^=h
API String ID: 0-3504490089
Opcode ID: 831fcdf6d15e4d89c7198d12bb18f466fc00f7394710bee90bcd58b0abac20e3
Instruction ID: 43a40ad35183351545c4a96c25d261ee184f1a4ccc6ae1e6f1e7a9d4676f42c5
Opcode Fuzzy Hash: 831fcdf6d15e4d89c7198d12bb18f466fc00f7394710bee90bcd58b0abac20e3
Instruction Fuzzy Hash: FF41F670D0521ADFDB08CFA6D5815AEFBB6FF89300F10D4AAD912AB254D734A641CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0507E3E0, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

^=h, xrefs: 0507E476

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: ^=h
API String ID: 0-3504490089
Opcode ID: e864247d83321105da5386545838ee13e02f4d1a1d220fa39d744ef09d9b30d7
Instruction ID: 6ba285fd4fb88801c3ddc1c0142bca71b3df82a24ea040c7e6eba5b9072bdf95
Opcode Fuzzy Hash: e864247d83321105da5386545838ee13e02f4d1a1d220fa39d744ef09d9b30d7
Instruction Fuzzy Hash: 04410870D0521EDBDB08CFA6D5815AEFBB6FF88300F10D45AD911AB254D734A6418F98

Uniqueness

Uniqueness Score: -1.00%

Function 0EE00007, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0433129563797d0174992103279acbb18d7e045c6873c110a3f67ffde2f558
Instruction ID: df814ec632294688bf198ab4ee5e059a7a7a72c93514b08b7f394c0ed00b0961
Opcode Fuzzy Hash: fa0433129563797d0174992103279acbb18d7e045c6873c110a3f67ffde2f558
Instruction Fuzzy Hash: 2C717D70D19399DFDB15CFA5C99069DBBB2EF86304F14859BC448AB296C3349E82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0EE01F91, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19598c16ce0d41f26668a96e8eac6aaabad4f2b631b06b443661c6ad2924070
Instruction ID: 5a7344e547390247c6b4a1e8cbdb462edea83bc9653e9efaff9699a37e3a11ef
Opcode Fuzzy Hash: b19598c16ce0d41f26668a96e8eac6aaabad4f2b631b06b443661c6ad2924070
Instruction Fuzzy Hash: CE71F3B4D1620EDFCB04CFA6D5815AEBBF6FF49340F60681AD411BB294D7345A818BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0507D330, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82bd961b0dc01f5a9e4f0f843ef7c97f8488cb38027ae07a7918dc79fe3a9255
Instruction ID: e501d97690da9f1db6b9b32a0a1a6a96ca4091ae7e992bbec6c9109350246056
Opcode Fuzzy Hash: 82bd961b0dc01f5a9e4f0f843ef7c97f8488cb38027ae07a7918dc79fe3a9255
Instruction Fuzzy Hash: 4F71EEB5E25209EFCB44CFA9E58499DBBF1FF49350F14D499E415AB224D334AA40CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0507D340, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7013e956a3bcca1e4d2f612127971de4831e45cc726ef4ba0f0324b9f88b36f0
Instruction ID: 7587b6ec6114742328a8592889e2b8a948d3acf6bbcc9599a45374e56d36d7cc
Opcode Fuzzy Hash: 7013e956a3bcca1e4d2f612127971de4831e45cc726ef4ba0f0324b9f88b36f0
Instruction Fuzzy Hash: EC71ECB5E25209EFCB04CFA9E58499DBBF1FF49350F24D499E425AB224D334AA40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 050736E8, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e768dd504defd4ff7bfa49012a9526033bde061a019fda861419d70f128325cd
Instruction ID: 66ffca3b39f2b13d8f9f76f2fe9e39e5e0466b25d48d659844cb89b20a1b0628
Opcode Fuzzy Hash: e768dd504defd4ff7bfa49012a9526033bde061a019fda861419d70f128325cd
Instruction Fuzzy Hash: 6D71FDB4E15219EFDB44CFA9E58599EFBF1FB48350F10989AE415AB220D338AA40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 050736D9, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c2e40ace3c79f4cbd82aabda39a7f55e40ca0c68949b86d5c8600e4111e0bb
Instruction ID: be29e000e1b018784a443b003bec4ce8da0012e22ed9c04f9f67137786d0ee03
Opcode Fuzzy Hash: e7c2e40ace3c79f4cbd82aabda39a7f55e40ca0c68949b86d5c8600e4111e0bb
Instruction Fuzzy Hash: 8671FDB4E25209EFDB44CFA9E58599EFBF1FB49350F54989AE405AB220D334AA40CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0EE00D40, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb7dae3ac860cd6657b869909db623c356788aeb48ef1b78faa83b72a5b4185
Instruction ID: 0fcdacb25c4fe4d44bb6d043a8b0db485409c43696f5e1675aa936593f39b2d4
Opcode Fuzzy Hash: 3cb7dae3ac860cd6657b869909db623c356788aeb48ef1b78faa83b72a5b4185
Instruction Fuzzy Hash: 66517D70D0520E8FDB04CFA6C5406EEFBB2FF89310F54A966D415BB295D334AA81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0EE00D50, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd239ef0689a2844dc3c61bd9a4d17466266b0f808deb430aafeb7d934d5e5e1
Instruction ID: 3918787478103df36b38cdb343973abf64be73d6382e42e22a523109d44285af
Opcode Fuzzy Hash: dd239ef0689a2844dc3c61bd9a4d17466266b0f808deb430aafeb7d934d5e5e1
Instruction Fuzzy Hash: 24514970D0520ECFDB04CFA6C5406EEBBB2FF89314F54A96AD415BB294D734AA818B60

Uniqueness

Uniqueness Score: -1.00%

Function 050748D1, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1071dc1b8b04ac8896af1436edc395cd2229077c07f750935d7e13d342abdbe
Instruction ID: 7e2388cafd0d7c98e4df9849051b53804811a92e620821d36a09c511dc50a164
Opcode Fuzzy Hash: a1071dc1b8b04ac8896af1436edc395cd2229077c07f750935d7e13d342abdbe
Instruction Fuzzy Hash: AE51FFB4D1520DAFCF44CFA9E5809AEFBF2FB89201F14966AD815B7214D3389A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 050748E0, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5623603cc3c7f8147bb38aed02cd067050e3de6a33298ece0631f5a073b78abd
Instruction ID: 71a435ebb23b4e4392387ff713a694f59d02c66d60ac81464d9b26b32ecc2f70
Opcode Fuzzy Hash: 5623603cc3c7f8147bb38aed02cd067050e3de6a33298ece0631f5a073b78abd
Instruction Fuzzy Hash: A351D0B4D1520DAFCF44CFA9E5809AEFBF2FB89201F14966AD415BB214D3389A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 05071678, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc697095d65802066e52c9d0ee9ba5043743a87b2af32f7149dbfbbb21a1f03
Instruction ID: 5cdc79e704aeac28ec1a5025f8f53f096e552e73ac260924fe1cf16cfb0e580c
Opcode Fuzzy Hash: 6bc697095d65802066e52c9d0ee9ba5043743a87b2af32f7149dbfbbb21a1f03
Instruction Fuzzy Hash: 4C51D1B4D1520ACFCB44CF99D6809EEBBF2FB48340F249699D415BB254C770AA41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 05071668, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8e074683b4a9ed3fd26e19d955ab2f523e21952a131b464a0f573a6920679c
Instruction ID: d60e2f5b398136364d7ea134e3a5158b36f94483b2462cb48555742c0c56ba33
Opcode Fuzzy Hash: 7e8e074683b4a9ed3fd26e19d955ab2f523e21952a131b464a0f573a6920679c
Instruction Fuzzy Hash: D251F6B0D19209DFCB44CFA4D6819EEBBF2FB48340F249699D415BB254C730AA41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0507E0A8, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501063be7b677caa5238d7314834c6a2f7f586330e971c11eec2f987a3f0227d
Instruction ID: ed3dc4d815ff19284b87b6565ec67eb00572d32ee9368942387cc38dee2d8ada
Opcode Fuzzy Hash: 501063be7b677caa5238d7314834c6a2f7f586330e971c11eec2f987a3f0227d
Instruction Fuzzy Hash: 415126B0D0625DEFCB04CFA9D5819AEBBB5BF49300F24959AD511BB204D3349A81CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0EE00070, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908a537db29e3c150c4937d1a3c19aaf0fe546c512691637e9d3331fe4ab464a
Instruction ID: c0ebbf0691a2f246e1813098f549030306523d6b97a33e04cf9ca844db81e35a
Opcode Fuzzy Hash: 908a537db29e3c150c4937d1a3c19aaf0fe546c512691637e9d3331fe4ab464a
Instruction Fuzzy Hash: 68511774D05219DFDB14CFA6C5806ADFBB3BF89300F24856AD408AB255D7349E82CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05076BC2, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81751f9c971631ad19a968af503dd1b80b7f8c8c2426671a519cac102fb8b1a
Instruction ID: d882051eb5ac8479f5f4ee23f0f64eb4408bd152c760b01c3c5e81770785d3f5
Opcode Fuzzy Hash: f81751f9c971631ad19a968af503dd1b80b7f8c8c2426671a519cac102fb8b1a
Instruction Fuzzy Hash: 54414971D04609CFDB54CFA9D981AAEBBB2FF89300F20C1AAD416AB255D7359A41CF44

Uniqueness

Uniqueness Score: -1.00%

Function 05076BF0, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6661c4d6b048a55493a72a70ad0f618c8e9fcfd54817aedad3a9b0ce07a12e9f
Instruction ID: 26371e059eba1cf21349d1269de26d7c9a3b553b88d3d3838e7ee6e19fd84d17
Opcode Fuzzy Hash: 6661c4d6b048a55493a72a70ad0f618c8e9fcfd54817aedad3a9b0ce07a12e9f
Instruction Fuzzy Hash: 1641F374D04609CFDB54CFA9D985AAEBBF2FF88300F2081A9D41AAB355DB359A41CF44

Uniqueness

Uniqueness Score: -1.00%

Function 05074AF0, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98a39475ba21a2f38094543737cf2ef17a6fef7996d7ffae94a3172fd44fba9
Instruction ID: 1f1636a02dc5a77df36fc3abbf58c174cb6746dd7d5101d78543c55e2cc92f8a
Opcode Fuzzy Hash: a98a39475ba21a2f38094543737cf2ef17a6fef7996d7ffae94a3172fd44fba9
Instruction Fuzzy Hash: F9412574D0520EDFCF08CFA9D6826AEFBB2BB88300F20846AC415B7214D7359A41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 05074B00, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f094e7c3c3b91914aeed20d512750baa10f967c335915af615d18d988584e3
Instruction ID: 2c960a64bc14d4195b79bcb8853f86375bd7689162d390cb1a58d2afcee3846c
Opcode Fuzzy Hash: a7f094e7c3c3b91914aeed20d512750baa10f967c335915af615d18d988584e3
Instruction Fuzzy Hash: 1D41F474D0524EDBCF04CFA9D6826AEFBB2BB89300F20946AC415B7204D7359A51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 05074700, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a774f2baf922b224cfe42d79faf544d6b328499f4d98f161a8042ad16cf309
Instruction ID: e0ad5edd8cd1ed91e6bc0309a435bd34319ee3d713180dca8a62b8c4706e797e
Opcode Fuzzy Hash: 03a774f2baf922b224cfe42d79faf544d6b328499f4d98f161a8042ad16cf309
Instruction Fuzzy Hash: B141D275D0420E9BCF08DFAAD5815AEFBF2FB89300F20946AD415AB214D7349A41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 050746F1, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cd8bfcefa2621b3f053c558e82ff6a2d9fce0fa69b4ab53f1e4641c040f512
Instruction ID: da7c0730564b0dc67a38c6f6cd9db6a98e7857303dcdc449ddbed6143d5440cb
Opcode Fuzzy Hash: c5cd8bfcefa2621b3f053c558e82ff6a2d9fce0fa69b4ab53f1e4641c040f512
Instruction Fuzzy Hash: A241F575D0424E9BCF08DFAAD9815AEFBF1EF85300F2494AAD415AB214D3349641CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0507715E, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e974d2ece218ba52a0cd4997fac9dfb57da12385c866a0d5afb5329200c854d9
Instruction ID: ff498d607fbb4bb368b7b6fc0d5f7f985cd8e7637051373a52dc3de346a765fc
Opcode Fuzzy Hash: e974d2ece218ba52a0cd4997fac9dfb57da12385c866a0d5afb5329200c854d9
Instruction Fuzzy Hash: 2721B272D0A6888FD709CF76D8412DEBFB2AF86200F18C16BD401EB262D6384B028F55

Uniqueness

Uniqueness Score: -1.00%

Function 05078378, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052e22bd1c2d90be8314cf85ccc92602a6a3c50f79f41a6b75260477add0c46a
Instruction ID: 7e3310dbe5d8165498564dba70e9188285fc0f8172b195600f42f968694b1981
Opcode Fuzzy Hash: 052e22bd1c2d90be8314cf85ccc92602a6a3c50f79f41a6b75260477add0c46a
Instruction Fuzzy Hash: 701129B1D04208DFEB18DFAAD9445AEBBF2AFC8300F14C07AC410AB255E63446029F95

Uniqueness

Uniqueness Score: -1.00%

Function 05078388, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0919e95720fc326726c9ed7d1d10273e6800ace92e3d1b2f75ba7a3f224838ae
Instruction ID: 38308c4dcd98d064c8121eaf212a458001e69757514b19fc982cc48b32098cb2
Opcode Fuzzy Hash: 0919e95720fc326726c9ed7d1d10273e6800ace92e3d1b2f75ba7a3f224838ae
Instruction Fuzzy Hash: 2B11D771E0520DDBEB18CFAB95455AEFBF3AFC8200F14C16A8414AB255E63456029F95

Uniqueness

Uniqueness Score: -1.00%

Function 0EE00FC8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebaeb1e82c7903cdb046f28ea4f8bb4c88eb2a155985c692341c86f4064666fb
Instruction ID: 31571d3d0c58eaa461efe5142f2ddd360c35c490d63c597957487d48fb178590
Opcode Fuzzy Hash: ebaeb1e82c7903cdb046f28ea4f8bb4c88eb2a155985c692341c86f4064666fb
Instruction Fuzzy Hash: C311DAB1E05609CBDB18CFAB854059EFBF7AFC8300F24C17A8518AB254EB345A428F50

Uniqueness

Uniqueness Score: -1.00%

Function 0EE00FB9, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238163727.000000000EE00000.00000040.00000001.sdmp, Offset: 0EE00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f785353122e21569732be04518c9e0e9a6b32c02a8ee83ebe546cfc90bf71e
Instruction ID: c1787feefd64035b33fabcf0a62bbb1ef4618cb677d3b29cf686e9b0e873cd1c
Opcode Fuzzy Hash: b3f785353122e21569732be04518c9e0e9a6b32c02a8ee83ebe546cfc90bf71e
Instruction Fuzzy Hash: 1211F8B1E056098BEB18CFAB854169EFBF3AFC9700F14C47EC418AB255EB3446428F50

Uniqueness

Uniqueness Score: -1.00%

Function 05075E20, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e356609948b149882d7fe56813f0a2d2ff9e0e8995e33a77160a1954597e28
Instruction ID: 033158eee1c9e4da981f73e6bb66fbbff6186c6064f6f33e390d9108d8004b8e
Opcode Fuzzy Hash: b1e356609948b149882d7fe56813f0a2d2ff9e0e8995e33a77160a1954597e28
Instruction Fuzzy Hash: FA11E5B1D04608DBDB18CFABD9411AEFBF6BF89200F24C57AD418AB225EB344602DF44

Uniqueness

Uniqueness Score: -1.00%

Function 05075E11, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956e20c4a20829b04857ce81a43bca247c4f358ebe824fe1336a22a5d5ce10d5
Instruction ID: fe1709a5e3610447e17f4cba5312616043e91a4560381cd57f03678666f6dc94
Opcode Fuzzy Hash: 956e20c4a20829b04857ce81a43bca247c4f358ebe824fe1336a22a5d5ce10d5
Instruction Fuzzy Hash: 2F11DAB2D14608DFDB18CFABD9415DEFBF2AF89200F14C53EC414AB215E63446019F40

Uniqueness

Uniqueness Score: -1.00%

Function 050771A8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6219818664ad7b9b9350aef946fcd828f390fedfdbdfb264bad50021d26936ff
Instruction ID: cd0fcea86f84dc4ebb7a8e1fe6ea68e2e3ac3238d9a590dbb48150925e1ae08e
Opcode Fuzzy Hash: 6219818664ad7b9b9350aef946fcd828f390fedfdbdfb264bad50021d26936ff
Instruction Fuzzy Hash: 411109B1E016098BDB18CFAB95411AEFBF7BBC8200F24C17A9818A7215DB3446029F94

Uniqueness

Uniqueness Score: -1.00%

Function 05076670, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7982a35364b29e1bfdfd0a2e0d19d7efdd75f7adbe41e723e1890a21e1342e42
Instruction ID: 21065703fb1cf9fd38aa5344ecd49e268a0d62787a36822abedbb2261f6d579e
Opcode Fuzzy Hash: 7982a35364b29e1bfdfd0a2e0d19d7efdd75f7adbe41e723e1890a21e1342e42
Instruction Fuzzy Hash: C4111BB0D01609DBDB08CFABD5011AEFBF3ABC9200F24C13A8809AB254DB3546518F44

Uniqueness

Uniqueness Score: -1.00%

Function 05076660, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.224813756.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34411910a59ccf52c3560c817367eb6e295292470b97df62d386e840621ab90
Instruction ID: 73c3c3fece820a5aaa2151a1f7200abec6c1332b6b64170bbd1897b5a2eb999a
Opcode Fuzzy Hash: a34411910a59ccf52c3560c817367eb6e295292470b97df62d386e840621ab90
Instruction Fuzzy Hash: A51139B0D056499FDB08CFAB890019EFFF3AFC9200F18C17AC805AB265DA354601CF55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BILL-OOO566876.exe PID: 1156 Parent PID: 1308 BILL-OOO566876.exeCOMMON

Executed Functions

Function 00F9AA18, Relevance: 23.6, APIs: 1, Strings: 12, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F9B16D

Strings

X1ar, xrefs: 00F9B2C0
X1ar, xrefs: 00F9B372
X1ar, xrefs: 00F9B03A
X1ar, xrefs: 00F9AAF6
X1ar, xrefs: 00F9B090
X1ar, xrefs: 00F9AB9A
X1ar, xrefs: 00F9B0B6
X1ar, xrefs: 00F9B059
X1ar, xrefs: 00F9AB2E
X1ar, xrefs: 00F9B251
X1ar, xrefs: 00F9B2EF
X1ar, xrefs: 00F9B227

Memory Dump Source

Source File: 00000002.00000002.473041998.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar
API String ID: 2994545307-51262497
Opcode ID: 1c06c6447f563a668cdc9a45c8b99c8cc11169085c66865d07ca0dd2c2fd5c5c
Instruction ID: 5a499ce0fa8a5358109cbc1c0376dfa42195e183097ca912a8dda68d501c3ff8
Opcode Fuzzy Hash: 1c06c6447f563a668cdc9a45c8b99c8cc11169085c66865d07ca0dd2c2fd5c5c
Instruction Fuzzy Hash: EC626E31E00219CFDF15DFA8C944B9EBBB2AF89300F1581AAE909AB365DB719D41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C948, Relevance: 1.7, APIs: 1, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F9C9AD

Memory Dump Source

Source File: 00000002.00000002.473041998.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac63c9bca8ff6ed7572bc161ad3875421a50a0f2bc4a860483750042d849136a
Instruction ID: 5c0a3f036e61f121b0c30cd0ca766fc56a2fa7d19acf83d0395a983fdf1a51ec
Opcode Fuzzy Hash: ac63c9bca8ff6ed7572bc161ad3875421a50a0f2bc4a860483750042d849136a
Instruction Fuzzy Hash: 24514170B002469BDB04EFB4D855AAEB7B6FF88314F24852AE506DB344EF30D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00DCAF87

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 29d04b0d31a42f1c3420ca334126f9c98e6ebcaff393150322ced8c2579b98f8
Instruction ID: 4466743884fbcad8552d853541a7a68a0ea6a031ddbf606158e165b16147d116
Opcode Fuzzy Hash: 29d04b0d31a42f1c3420ca334126f9c98e6ebcaff393150322ced8c2579b98f8
Instruction Fuzzy Hash: F021ADB5509384AFDB228F25DC40B52BFB4AF06314F09859EE9858F163D2709908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00DCB0F5

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 3cb7e50892462d0ec964e59da3cfdcb1b179d39b387c1bde40fbcb4ccd12bfe6
Instruction ID: 3f80f5e6fc5ea8565fda54901469fd87a82dec6064f288018ebe35468ff1b9f1
Opcode Fuzzy Hash: 3cb7e50892462d0ec964e59da3cfdcb1b179d39b387c1bde40fbcb4ccd12bfe6
Instruction Fuzzy Hash: 28117C72409384AFDB228B25DC45E52FFB4EF16324F0D84DAE9848B163D265A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00DCAF87

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: f8a8e1d3ccee8d075676a8d7d189ead36bc6862ea487ce0d09e94575c7a30989
Instruction ID: 279082d4ffb1b9c6db49323fef7adca84ee081a3c62883e9e009049b22869547
Opcode Fuzzy Hash: f8a8e1d3ccee8d075676a8d7d189ead36bc6862ea487ce0d09e94575c7a30989
Instruction Fuzzy Hash: 6B115E755006059FDB20CF69D884B56FBE4EF04324F18C5AEED468B612D271E818DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00DCB0F5

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 20619480ea0882def2d112d5240ea18206defe7b49c00974bea7f5360f825a5b
Instruction ID: c9e1f2cb94b5788f5c5c5f95d5da52d6790dc7239c59fd62babcb71783c74b7f
Opcode Fuzzy Hash: 20619480ea0882def2d112d5240ea18206defe7b49c00974bea7f5360f825a5b
Instruction Fuzzy Hash: 92017835400644DFDB208F56D886B22FFA0EF08320F18C49ADE894B212C3B5E418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 011230C8, Relevance: 8.1, APIs: 1, Strings: 3, Instructions: 1148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0112337D

Strings

:@:r, xrefs: 0112437F
:@:r, xrefs: 0112340E
:@:r, xrefs: 011247AB

Memory Dump Source

Source File: 00000002.00000002.473416547.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r$:@:r$:@:r
API String ID: 2994545307-2477124705
Opcode ID: 8654a1a4826f14b0622ce95c3b7bf529b1675528b194682a2df5e8bee068936f
Instruction ID: fd9992d535310f1613755e9b01862b872ed7d66ab172739e5c7c63b13fc5369a
Opcode Fuzzy Hash: 8654a1a4826f14b0622ce95c3b7bf529b1675528b194682a2df5e8bee068936f
Instruction Fuzzy Hash: 54C2B674A012288FCB64DF68DC94AAEBBB6BF88311F1081E6D549E7351DB349E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 011230F8, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 621libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0112337D

Strings

:@:r, xrefs: 0112340E

Memory Dump Source

Source File: 00000002.00000002.473416547.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: c561a10486233a2bbd75b37a0506b8e1f32036cc53e3ad2b6d2c952d44a065db
Instruction ID: 8889524dd444ed69ddaea3ed975c84f645bad7cf54d63e24a181240da84fc7aa
Opcode Fuzzy Hash: c561a10486233a2bbd75b37a0506b8e1f32036cc53e3ad2b6d2c952d44a065db
Instruction Fuzzy Hash: FF628474A112288FCBA5DF68DC84AAEBBB5FB48311F1181E6D949E3311DB349E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0112314C, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 611libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0112337D

Strings

:@:r, xrefs: 0112340E

Memory Dump Source

Source File: 00000002.00000002.473416547.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: 21f5705fbc9d59905064160c75d001ffd7713621126048d6490a8983d28e3824
Instruction ID: a05dbb7a02a05dd9dbce517e15eefdfdb8501ba200206525cf9f6bc60b5828d9
Opcode Fuzzy Hash: 21f5705fbc9d59905064160c75d001ffd7713621126048d6490a8983d28e3824
Instruction Fuzzy Hash: F0628474A112288FCBA5DF68DC84AAEBBB5FB48311F1181E6D949E3311DB349E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 011231A0, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 601libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0112337D

Strings

:@:r, xrefs: 0112340E

Memory Dump Source

Source File: 00000002.00000002.473416547.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: cd62b6a61254128c0a0f99d2bf16509c8173bc642d4bdd4bebb66930485df3a4
Instruction ID: 2794b70c76410642355f593f80b638f4d772b3a21450c73bf58435fc7ded1602
Opcode Fuzzy Hash: cd62b6a61254128c0a0f99d2bf16509c8173bc642d4bdd4bebb66930485df3a4
Instruction Fuzzy Hash: 1E628474A112288FCBA5DF68DC84AAEBBB5FB48311F1181E6D949E3311DB349E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 011231F4, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 591libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0112337D

Strings

:@:r, xrefs: 0112340E

Memory Dump Source

Source File: 00000002.00000002.473416547.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: e1343ec9d2817811e1d986a69720873c32b4c2e47eeccfbbb4fa0032a2155692
Instruction ID: a731ec73f575073eaeaa81b93b2c577fc17adca87dc5136dbf7f32c122f20cea
Opcode Fuzzy Hash: e1343ec9d2817811e1d986a69720873c32b4c2e47eeccfbbb4fa0032a2155692
Instruction Fuzzy Hash: 38528574A112288FCBA5DF68DC84AAEBBB5FB48311F1181E6D949E3311DB349E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 01123248, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 581libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0112337D

Strings

:@:r, xrefs: 0112340E

Memory Dump Source

Source File: 00000002.00000002.473416547.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@:r
API String ID: 2994545307-1441432688
Opcode ID: 14ed75616344f2f264ad6cf3408e55cd0dd833893f57dc8e245aa792a8b80ed4
Instruction ID: 00153fb41cd7780ca0a172be1280ca16d3f44a93ed2dccde2426992f6398f47c
Opcode Fuzzy Hash: 14ed75616344f2f264ad6cf3408e55cd0dd833893f57dc8e245aa792a8b80ed4
Instruction Fuzzy Hash: 13529574A112288FCBA5DF68DC84AAEBBB5FB48311F1181E6D949E3311DB349E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C898, Relevance: 1.7, APIs: 1, Instructions: 203libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F9C9AD

Memory Dump Source

Source File: 00000002.00000002.473041998.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ff386f3c30d4064c706ac53e018e18387994e9f48a96967ea1c6ebfd932794c
Instruction ID: 16e010b926d7d170520123cd977358977ea4a64027368640924a8c1ee0323a14
Opcode Fuzzy Hash: 0ff386f3c30d4064c706ac53e018e18387994e9f48a96967ea1c6ebfd932794c
Instruction Fuzzy Hash: 77618030B003469FDB04EBB4D854AAA7BB6EF89304F25857AE505DB295EF34DC05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01129C78, Relevance: 1.7, APIs: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01129CB8

Memory Dump Source

Source File: 00000002.00000002.473416547.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4df191ae81de96357062663eb807bca347f873a7587b0132c12d76b4b7d925b6
Instruction ID: d84c30cf60f7dfe33a15d095bb42b72a851a6388ceeb74f277eb2952fceacf92
Opcode Fuzzy Hash: 4df191ae81de96357062663eb807bca347f873a7587b0132c12d76b4b7d925b6
Instruction Fuzzy Hash: D3714E30A00229CFDB18DFB8D854BAEBFF6AF84319F158529D405E7395DB749841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 058E1C2D, Relevance: 1.6, APIs: 1, Instructions: 109networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 058E1CF6

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 685c587fe459d86acab89d83317728e101a626e1680cde479fc98632effa5faa
Instruction ID: c33a1d41fbd4c15743e10c771d720ece0644575a62b42dcb3babf2353f4a6999
Opcode Fuzzy Hash: 685c587fe459d86acab89d83317728e101a626e1680cde479fc98632effa5faa
Instruction Fuzzy Hash: A6416D7140D7C0AFD7238B258C58B66BFB4AF07210F0985DBE985DF1A3C3659809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058E2A07, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 058E2ADB

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 58357f922a16e227fcb77f7040f96efddb7d5710910e8a717d0803876695958b
Instruction ID: 5bddce7bb7626a31a7b538b251ac447ed4dcbba0ebea5eb493dd45ee2b19a778
Opcode Fuzzy Hash: 58357f922a16e227fcb77f7040f96efddb7d5710910e8a717d0803876695958b
Instruction Fuzzy Hash: 3131A572004340AFF7229F61CC85FA6BFBCEF46710F14499AF9859B142D375A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E2CB9, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2D6D

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 82bde2438526410391932a666d97c9266c3beaa8e4a918987d1952d1f356ca18
Instruction ID: 29682774559cc8cc5e881d5b1e41f13eb9191b36d1b394936aa1be8da19ddc30
Opcode Fuzzy Hash: 82bde2438526410391932a666d97c9266c3beaa8e4a918987d1952d1f356ca18
Instruction Fuzzy Hash: B1318375105784AFE7228F25CC40FA2BFB8EF06310F08859BEE85CB162D374A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E0DF4, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 058E0E95

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 99572c10aae18a8be130ed2dc9099a34fc2c528ac04882d6e6f3f2896a9b5bff
Instruction ID: b143dd23490b0a96d4441d1fc49b8fa94140b811df47a7db4ffe6bd2525850f8
Opcode Fuzzy Hash: 99572c10aae18a8be130ed2dc9099a34fc2c528ac04882d6e6f3f2896a9b5bff
Instruction Fuzzy Hash: 82316B71504344AFE722CB65CC44F66BFE8EF46610F0888AAED858B252D375E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00DCA989

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 435393a8bb05c1cd1849445589e30c86e2f19d99e2e87d3013f6f689341fb92d
Instruction ID: 8c2e1bcc9bfde419d4f1e05b6de2772c8612fd83fb34848d60bb533d2d1313b5
Opcode Fuzzy Hash: 435393a8bb05c1cd1849445589e30c86e2f19d99e2e87d3013f6f689341fb92d
Instruction Fuzzy Hash: 8431B472404384AFE7228B25CC85F67FFBCEF06314F09859BE9859B152D364A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E206C, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 058E2103

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 426f089bb449cfdf51deb308717cb8d080f7999c5fa446282a9c2029d7e24e72
Instruction ID: 12bca97b73adedcb9c75d1fa05c5281399ebc0a2a295c4632e689372fd3d9c37
Opcode Fuzzy Hash: 426f089bb449cfdf51deb308717cb8d080f7999c5fa446282a9c2029d7e24e72
Instruction Fuzzy Hash: 7531C372504344AFE722DB25DC45F67BFACEF46310F0884AAED45DB252D364A809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 00DCAA8C

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 117aa6018a67f77c3abb4dbcd5fc7a8244ca7089f08b615efb80ea8ded3d0d92
Instruction ID: 1f41fe512bf7446b97378aa34f206fd494411e7fc70f9bd427d8b282d889e33b
Opcode Fuzzy Hash: 117aa6018a67f77c3abb4dbcd5fc7a8244ca7089f08b615efb80ea8ded3d0d92
Instruction Fuzzy Hash: 05319371105784AFE722CB65CC45F52BFE8EF06314F18849AE985CB252D264E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E2DB7, Relevance: 1.6, APIs: 1, Instructions: 87networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2E5E

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 78c899ace05be3d1205e0e12e9269233e8ab8c64c877ab5d993f1d42820f1fe5
Instruction ID: 2626ee096921b91ba493ee146f6c60a13aeb96449e033437e45d41ff8c9aac19
Opcode Fuzzy Hash: 78c899ace05be3d1205e0e12e9269233e8ab8c64c877ab5d993f1d42820f1fe5
Instruction Fuzzy Hash: 9A319CB2409384AFE7128B25DC51F96BFB8EF07314F0884DBEA849B153D224A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E2304, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 058E23B6

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b539686aed0146d30098ac6684af0a20c75eeb0d699ef4af7773be129c85d7f3
Instruction ID: db0938bfe28c22670ee18d2288cb95c218b42076e5939fecbd6d52914c63de09
Opcode Fuzzy Hash: b539686aed0146d30098ac6684af0a20c75eeb0d699ef4af7773be129c85d7f3
Instruction Fuzzy Hash: D231D672404780AFE722CB55DC45F96FFF8FF06320F04459AE9859B262D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E1F6E, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2018

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b9be7f94561096c2b0d612be6da6bf5af0b2f1b3f15cb1eb9805f9462a51aba7
Instruction ID: ac12bad8349cc2a0c43f497088a00e6c8a38d041734a2ca6967d5c491b2de6e0
Opcode Fuzzy Hash: b9be7f94561096c2b0d612be6da6bf5af0b2f1b3f15cb1eb9805f9462a51aba7
Instruction Fuzzy Hash: 75318176509380AFD7228B65DC44F92BFB8EF07310F0884DBE985DB1A3D265A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB21C, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 00DCB2B0

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 416b1ff03f39e82d8577f367a487ca4cd0c7aa5bf3cc25489360a0dc7895f0b4
Instruction ID: b6cb1d79d81db48a661208e8cb62569dc7c89a2970959ffac99921a36e61f8c6
Opcode Fuzzy Hash: 416b1ff03f39e82d8577f367a487ca4cd0c7aa5bf3cc25489360a0dc7895f0b4
Instruction Fuzzy Hash: FB21B172509380AFEB128B25DC45F96BFB8EF47324F0884EBE984DF193C2649905C761

Uniqueness

Uniqueness Score: -1.00%

Function 058E25B9, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 058E2659

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6ccc424b2d8ae375a2f5b68146aae3bd47de76719dcff1f1a1f51e609e511951
Instruction ID: d6976e8226989465c2b625526805688cd65fbeb5429add57077d0a6c9baf4b46
Opcode Fuzzy Hash: 6ccc424b2d8ae375a2f5b68146aae3bd47de76719dcff1f1a1f51e609e511951
Instruction Fuzzy Hash: 063150B5509380AFE722CF25CC85F56FFF8EF46210F18859AE985CB292D365E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB309, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 00DCB3B6

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: d6077f2ba646ef7bbbcb77da34a7fd0ac82ce98ec31b28ade925dd294a05245c
Instruction ID: f0116fd91b06b2d02bbab5814a0662b83611c765e5133c6325a1366ecb02ebb7
Opcode Fuzzy Hash: d6077f2ba646ef7bbbcb77da34a7fd0ac82ce98ec31b28ade925dd294a05245c
Instruction Fuzzy Hash: 1131937154D3C05FD7139B218C51B66BFB4EF87610F0984CBD984CF2A3D6246909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01129C18, Relevance: 1.6, APIs: 1, Instructions: 84libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01129CB8

Memory Dump Source

Source File: 00000002.00000002.473416547.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5301edf7ff9452a4fe22b8f0fc8f553f9252236222aeab409d77c3e7878f4e8
Instruction ID: ab772568c0bb662ba84705603f8397fad8f16b74dfd29edf38878f03d2a08ecd
Opcode Fuzzy Hash: c5301edf7ff9452a4fe22b8f0fc8f553f9252236222aeab409d77c3e7878f4e8
Instruction Fuzzy Hash: 2031B370A00368CFDB09DF78D858BADBFF2AF85305F148169D404AB296DB358841CB52

Uniqueness

Uniqueness Score: -1.00%

Function 058E2A36, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 058E2ADB

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: f5ef50f151bd0ec34b45397f8e1e3b60236f90a119f4740e1f0c9fc4cca2c60a
Instruction ID: ddcba29609a6dfd7b2f067e083dc1f47013ca95cb73ed959fa1a19ccd9d15cb0
Opcode Fuzzy Hash: f5ef50f151bd0ec34b45397f8e1e3b60236f90a119f4740e1f0c9fc4cca2c60a
Instruction Fuzzy Hash: CD21D172100304AFFB21DF24DC85FABFBACEF44710F14895AFE459A181D6B4A9098B71

Uniqueness

Uniqueness Score: -1.00%

Function 058E1744, Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E17E0

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 57d9e5f4e98a15d8227b0b6ab565333f2ea3ce819dc3c29054c796b0d95ee122
Instruction ID: ba752f9cf68705564dfe043cccf51f6b33f946095eba21328cd5ff474a0cfb31
Opcode Fuzzy Hash: 57d9e5f4e98a15d8227b0b6ab565333f2ea3ce819dc3c29054c796b0d95ee122
Instruction Fuzzy Hash: AD218F72109380AFD7228F65DC45F57BFB8EF46610F0884ABED85DB252D264A848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E1642, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 058E16D6

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d22b5a23f44b2802794184ee892c50e724ba2bca61a0cef18b7ec79d185b3704
Instruction ID: 7d4587ae446f48eb3f5a247aed05ea3e5206d997ee3596ccf560af926d952f16
Opcode Fuzzy Hash: d22b5a23f44b2802794184ee892c50e724ba2bca61a0cef18b7ec79d185b3704
Instruction Fuzzy Hash: 86218DB2504344AFE7228F65DC49F67FFB8EF46710F08889AED45DB252D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA120, Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 00DCA1C2

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 058b07d6542aa45db5c3a775c71c5f4e75e8595b80f89adf98236e9f104f39b0
Instruction ID: 5349362439bae8ac4003f60f186003fd8a029746113bb04e00c481d4f3c75dc5
Opcode Fuzzy Hash: 058b07d6542aa45db5c3a775c71c5f4e75e8595b80f89adf98236e9f104f39b0
Instruction Fuzzy Hash: EC31B17140D3C06FD7128B758C55B62BFB4EF87620F1985DBD9848F1A3D225A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB711, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 00DCB7A2

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 515fc3526abce2cb841d3b0df27e26f937cf39c3202fbc90567df90b74a582bd
Instruction ID: 58fe8ff88eb776243796c86e7619123618b27c978123a2549266a0604c09e183
Opcode Fuzzy Hash: 515fc3526abce2cb841d3b0df27e26f937cf39c3202fbc90567df90b74a582bd
Instruction Fuzzy Hash: 9E21A171505384AFE7228B25CC45F66BFACEF46320F0884ABED45DB292D364E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB808, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 00DCB8AE

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: bb105e8b2a7c1d70f47ec937ed20614a1bd3b70666bd554b6026ce877029d2c9
Instruction ID: 03cd1aad4e8ae6123a65e92584f7ba3a752ca7c218a8093a26e3d5b84ecb6fde
Opcode Fuzzy Hash: bb105e8b2a7c1d70f47ec937ed20614a1bd3b70666bd554b6026ce877029d2c9
Instruction Fuzzy Hash: 7521A0714093C06FD7128B65CC55F66BFB4EF87610F0984DBE8848F1A3D624A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 058E2794, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E281D

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: be338a9d41148fc41f3a06327ae9bd2310d86ed7c9a0011435b3b8809f42ea0a
Instruction ID: ebb29eabeae04dbc0c0721c4f0873365a137d97f26d65ad21719c6bf953d0ad6
Opcode Fuzzy Hash: be338a9d41148fc41f3a06327ae9bd2310d86ed7c9a0011435b3b8809f42ea0a
Instruction Fuzzy Hash: 8D21B271105380AFEB228F25DC45F67BFB8EF46310F08849BEE45DB152C275A809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E2222, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 058E22AD

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: b06341c90e42f46430328f541afdc65c16a8e961e6a00ab2852cbe1e7147c3c0
Instruction ID: 8cbeaeacc4792aea0bb73e245f50f68ae9012bd66b061f958f71eaacc1f5e35d
Opcode Fuzzy Hash: b06341c90e42f46430328f541afdc65c16a8e961e6a00ab2852cbe1e7147c3c0
Instruction Fuzzy Hash: 27219FB1509380AFE721CB65CC45F66FFE8EF46210F18849AED859B252D375A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E1570, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 058E1616

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: aef2fbc3864708bb985b303478b8437daf11d50cd3abe1710a216791ee734dd8
Instruction ID: ad4309c6e5dfb83b9e1628b6f4e10b651ae1bf4364dc5056c796cf408d9d3cbb
Opcode Fuzzy Hash: aef2fbc3864708bb985b303478b8437daf11d50cd3abe1710a216791ee734dd8
Instruction Fuzzy Hash: 1721717550E3C06FC3138B358C55A12BFB4EF87A10F1E81DFD8848B6A3D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 058E069C, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 058E0737

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4bd148ecbcf931864a2b42c022352adeec9a796d8063e3b2d573c85650ff6bd9
Instruction ID: f35f07e2d22e60b5dd77867f066d0b97d34e34c7d3df881fdcc36893987ee3bb
Opcode Fuzzy Hash: 4bd148ecbcf931864a2b42c022352adeec9a796d8063e3b2d573c85650ff6bd9
Instruction Fuzzy Hash: 2121CB71005380AFE7228B15DC45F66FFB8DF47710F1484DAED859F152C2A5A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E2092, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 058E2103

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: bb5cd1239ffae409bc378bf7e6fd9e847265da4dbcca5fca25546e9fbcd1aab1
Instruction ID: 0073c1ab50e8ea74f1b0c7c1849ddd9504aabc10eeef21f5448122ab5aca32ca
Opcode Fuzzy Hash: bb5cd1239ffae409bc378bf7e6fd9e847265da4dbcca5fca25546e9fbcd1aab1
Instruction Fuzzy Hash: 2D21CF71500304AFEB20DF29DC85F6BBBACEF45720F14886AEE46DB241D674A9098B71

Uniqueness

Uniqueness Score: -1.00%

Function 058E0E16, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 058E0E95

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a8e35b182d8382e25e6d8c76dd8a7969eb097e675dd5887b22285c4921db6ac
Instruction ID: 74186c43d3ca7716f07d5f9d939046d805bfbc4123b004c116561d954930cb17
Opcode Fuzzy Hash: 9a8e35b182d8382e25e6d8c76dd8a7969eb097e675dd5887b22285c4921db6ac
Instruction Fuzzy Hash: 16217C71504644EFE721DF65C849F66FBE8EF09610F18886AEE85DB251D3B1E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB570, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00DCB60A

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9288c09e1c5179055350c6c0e6dac6d0d89f5ccb005c68bdbc84ecd6963b30dd
Instruction ID: 11a183fc24b8d1d41b86ce1f07dae267183f3853ec795460fcbc90e751cdd22e
Opcode Fuzzy Hash: 9288c09e1c5179055350c6c0e6dac6d0d89f5ccb005c68bdbc84ecd6963b30dd
Instruction Fuzzy Hash: ED2107754093C06FD3138B25CC51F62BFB8EF87A10F0A85CBE8848B653D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 058E2BE6, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2C6F

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 396fac42285cdf8336ddb854f9b3a57520b184b80930fbd83d6cadad4cefd001
Instruction ID: 715dd09a4b74473fd9f014e50f3ad853effa5397fc7784532d8fd6076edbbcd4
Opcode Fuzzy Hash: 396fac42285cdf8336ddb854f9b3a57520b184b80930fbd83d6cadad4cefd001
Instruction Fuzzy Hash: 6B21B371409384AFE7128B65DC84F96BFB8EF46310F0884DBEE85DF152C264A909C762

Uniqueness

Uniqueness Score: -1.00%

Function 058E10F0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E1181

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2a7ebfcd389dc26422a1f25ab7b6d7e78739a732ab8b6bd8500f9530564c1c9b
Instruction ID: 333a9a3e458b3f107794178c08c5f455a8b1f22f7912daca85b5f4805c92642b
Opcode Fuzzy Hash: 2a7ebfcd389dc26422a1f25ab7b6d7e78739a732ab8b6bd8500f9530564c1c9b
Instruction Fuzzy Hash: 35216271409380AFDB228B65DC44F56BFB8EF46314F08859BE9459B153C265A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00DCA989

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d37f01ca6b01e0b00a7923e0aee81e233b0b5dc1439b679d26ddb0091fdb3c38
Instruction ID: 36bc7bc55a6ac759624e8242100fd68c18ed0eee3eac0870e7e0ef36de2c9ac0
Opcode Fuzzy Hash: d37f01ca6b01e0b00a7923e0aee81e233b0b5dc1439b679d26ddb0091fdb3c38
Instruction Fuzzy Hash: AE21A172500608AFEB219B59CC85F6BFBECEF14714F14895BEE459B241D670E8098B72

Uniqueness

Uniqueness Score: -1.00%

Function 058E2EA8, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2F3D

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 53744be0286bb20b90f9c97bc1bff29ba00cff76e7a293811c9642f83b8c83db
Instruction ID: 5cef12df85674166dcee3651ac0ca388421ffac4939fbab2f726c39a39384fed
Opcode Fuzzy Hash: 53744be0286bb20b90f9c97bc1bff29ba00cff76e7a293811c9642f83b8c83db
Instruction Fuzzy Hash: DA21F875408384AFDB228B11DC45F66FFB8EF06314F0984DBED859B153C265A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E1662, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 058E16D6

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b3bc75bbdc9713dea72bb789c8e34c30921c76cdffa6a153efafd015d25999d8
Instruction ID: b041d4bf6fb3bea5f068c3436f9aa59d4c333e2888dde5d52e77aa144ceb795a
Opcode Fuzzy Hash: b3bc75bbdc9713dea72bb789c8e34c30921c76cdffa6a153efafd015d25999d8
Instruction Fuzzy Hash: 4121AE71500304AFEB209F25DC89F6BFBA8EF45710F18886AEE45DB251D274E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB636, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 00DCB6B2

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 6bb33ee886598a33f90a135e00ee2b3437043cdc8cfe6fcdb0f99accca2527d7
Instruction ID: dcf1a15bc6e1198c7a478f88ab4384478b3ac0951b68602ec3b6e049d04989e2
Opcode Fuzzy Hash: 6bb33ee886598a33f90a135e00ee2b3437043cdc8cfe6fcdb0f99accca2527d7
Instruction Fuzzy Hash: 66219272505380AFEB228F65DC45F57FFA8EF46320F1884ABEA45DB152C264A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E25E6, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 058E2659

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f594546fa9e64b37b83c7b1448bf59e0578ee56354a8411c1736997ddc655ef7
Instruction ID: ae70e60e4d64f710e6a31154e195234832d44df4a5daf6e6ac9a05f993e73428
Opcode Fuzzy Hash: f594546fa9e64b37b83c7b1448bf59e0578ee56354a8411c1736997ddc655ef7
Instruction Fuzzy Hash: 9521ACB5500244AFE720DF25C885F66FBE8EF06610F1485AAED46CB251D770E805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E2CF2, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2D6D

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 6bf533c0870d906b347b002c071bd15b356ed9b2f4b7aa241c502ce39500cc7e
Instruction ID: 48452e87952fa9f3469105d69b4371588ca6702b6bd2db33d13a104ba772df21
Opcode Fuzzy Hash: 6bf533c0870d906b347b002c071bd15b356ed9b2f4b7aa241c502ce39500cc7e
Instruction Fuzzy Hash: DC216A75600608AFEB21CF55DC80FA6BBE8EF05710F04896AEE46CB251D270E805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00DCAD6A

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 14cc97f05d4401dd7e05c50410907cd0f59ede7e54273f12b700f6ed3ae66b0d
Instruction ID: 45fdce7f601f9eda9fe1cbc2aaaee7964732e71162d4cbd63327b2c24d2b82a4
Opcode Fuzzy Hash: 14cc97f05d4401dd7e05c50410907cd0f59ede7e54273f12b700f6ed3ae66b0d
Instruction Fuzzy Hash: B621AFB65093845FD7128B65DC85B92BFE8AF02210F0D84EAD985CF263E2649808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058E102E, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E10B5

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d3036c605aa5eda02ee4f6ff7be05272df283d50f98bf1f27525f1610aa310df
Instruction ID: 332907da847bfbf9abfd81bc077a20d27ed20855ac362f9bc645eb131004f0cd
Opcode Fuzzy Hash: d3036c605aa5eda02ee4f6ff7be05272df283d50f98bf1f27525f1610aa310df
Instruction Fuzzy Hash: E4219F714093C0AFE7128B25CC45F56BFB8EF07310F1980DBED849B293C264A848C762

Uniqueness

Uniqueness Score: -1.00%

Function 058E176E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E17E0

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 650e3e400a22054a68976ca115455ad4fd20e11c20c06b0170a24537064d8d96
Instruction ID: a794a0edf8f05e155ad94c707c34850e4ea46cf7453a90b3e291d47b6e208691
Opcode Fuzzy Hash: 650e3e400a22054a68976ca115455ad4fd20e11c20c06b0170a24537064d8d96
Instruction Fuzzy Hash: 82218C72500204AFEB21DF65DC85FA7BBE8EF09720F18856AEE45DB251D770E808CA71

Uniqueness

Uniqueness Score: -1.00%

Function 058E2F7A, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 058E2FFE

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: be9979c14ce203d75a35f0eacb0dd58cb840489f9eafedbe2992b642a793bad7
Instruction ID: 55930ea5a34192be4496eb6260b2d58f056b5fb26ddbb83edde8a9506bddb3c0
Opcode Fuzzy Hash: be9979c14ce203d75a35f0eacb0dd58cb840489f9eafedbe2992b642a793bad7
Instruction Fuzzy Hash: 38218C764093C0AFDB228F61D884A92FFF4EF06210F0984DAED858B163D275A909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 00DCAA8C

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 92d4c6c120d2ec19660714cdb55e97ed07480a98dcbba6bd52daa7acd4351cbd
Instruction ID: 44431ea2d024e0d61aa0510dd691ef7a5269ea664ead88dcda8e9d559ab96cb5
Opcode Fuzzy Hash: 92d4c6c120d2ec19660714cdb55e97ed07480a98dcbba6bd52daa7acd4351cbd
Instruction Fuzzy Hash: 8D218E71600604AFEB20CF19CD85FA7BBECEF04714F18856AEE45DB251D660E909CA72

Uniqueness

Uniqueness Score: -1.00%

Function 058E1A87, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E1B08

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 2e53d9dabdc0be5892c3b608f8eb7605a13a118bd2c17ae6d5f517dc9685f326
Instruction ID: afba22cd6892b76ee17c5f51cecab51d22b6eb6999dae895e9549060448486c9
Opcode Fuzzy Hash: 2e53d9dabdc0be5892c3b608f8eb7605a13a118bd2c17ae6d5f517dc9685f326
Instruction Fuzzy Hash: 1221E471408384AFEB128B15CC44FA6FFB8EF46320F0884DBED849F253C264A849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E2242, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 058E22AD

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 24c878828a170bc41d05c77b5903a9fee5ec3508bc6495cddf758b49ba98bba5
Instruction ID: a397cdb8005683f8123cea9d3ffd050d5fd623fbaf645a1cf0581907b45be8c8
Opcode Fuzzy Hash: 24c878828a170bc41d05c77b5903a9fee5ec3508bc6495cddf758b49ba98bba5
Instruction Fuzzy Hash: CD21AE75504240AFE720DF25CC85F66FBE8EF05320F14846AED459B241D775E804CA75

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAFD4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DCB040

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3bb639bb33054c20a153f5f63d76320e2bae95b414f5aac090ef484778561f15
Instruction ID: b97987d1308f1bd73849b850f745dffdb9f7123a9cc6b42a9ef170f4042b9d6c
Opcode Fuzzy Hash: 3bb639bb33054c20a153f5f63d76320e2bae95b414f5aac090ef484778561f15
Instruction Fuzzy Hash: E421D1724093C09FDB028B25DC51B92BFA4AF03324F0D80DBED858F263D2659908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAAFB, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 00DCAB7E

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 8396ae306e93602a335d6bf43f75571c9331d0b99caaeadec3c9f88093118914
Instruction ID: 7fa352e846f67b67474e3ec4101a1d0da2b2b2fcab648821e9ad7c28ed544444
Opcode Fuzzy Hash: 8396ae306e93602a335d6bf43f75571c9331d0b99caaeadec3c9f88093118914
Instruction Fuzzy Hash: 9021A5715493806FD3128B26DC41F72BFB8EF87620F0981DBED848B652D224A915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 058E1C8A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 058E1CF6

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 24bbbf64c9a041c11212c6d9176ba01ccd142a90a8fc8fc8bf9e0469b4592375
Instruction ID: 76ab78d973f51ab64aac81046f3c76736b2ce7c582eb92e1d9a8391d1bb04f2e
Opcode Fuzzy Hash: 24bbbf64c9a041c11212c6d9176ba01ccd142a90a8fc8fc8bf9e0469b4592375
Instruction Fuzzy Hash: 3721CF71500600AFEB21DF65DC84F66FFE9EF09310F14895AEE859A251C3B1A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E2342, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 058E23B6

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 3775128ba0bf94eae1259beca16ca6660ebe620243948436e13f29564c894516
Instruction ID: ee73635eca22c3e524543aec265f0bb0a9c8faf2cde9cb719aa13f8cdbc4b6f2
Opcode Fuzzy Hash: 3775128ba0bf94eae1259beca16ca6660ebe620243948436e13f29564c894516
Instruction Fuzzy Hash: 8421BB71500204AFE721DF15D885FA6FBE9EF09320F04845AEA859A251D2B1A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB73E, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 00DCB7A2

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 00494198d7d8725c651b9f06d328a8082d9c8408f317067b1ae4460cafb2035e
Instruction ID: a081799034ae13cbaea58bebe81493a0695b48ea81219b3e8c3111f5d2b1c7ea
Opcode Fuzzy Hash: 00494198d7d8725c651b9f06d328a8082d9c8408f317067b1ae4460cafb2035e
Instruction Fuzzy Hash: D911AF71500344AFEB20CF25DC86F6ABBA8EF45320F18846BEE45DB291D764E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAC3B, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DCACA8

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 13735df5e3398c739b6d042f134b14dc88c57551b103e2f9cf80b431651febb3
Instruction ID: e0a0a28e46395e3baf970a1a158842fbbb8a873f1a1422d747697183cc93723e
Opcode Fuzzy Hash: 13735df5e3398c739b6d042f134b14dc88c57551b103e2f9cf80b431651febb3
Instruction Fuzzy Hash: 3D218EB54093C0AFEB128B25D891B92BFA4EF07224F0984DBED858F153D2659948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E1FA6, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2018

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f297aa20fe6b7f477ced654b09f4667e3b33281881edf568b3a7378aabea9ef7
Instruction ID: b88cd366688798354c4188a8d4e7b8671745cf0c250b3dee26935b50e48b7f96
Opcode Fuzzy Hash: f297aa20fe6b7f477ced654b09f4667e3b33281881edf568b3a7378aabea9ef7
Instruction Fuzzy Hash: EE119A76500604AEEB21CF15CC84F67FBACEF05720F08846AEE46DA291D6A4E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E27BE, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E281D

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 7ac156d900ecc299c81ad8520d194c2cd867796752776692d23c0cdec6e96b79
Instruction ID: e40533deb8b916098c1043732b67a2e0ad80315d1fdd2c9d2a1051ed55b6e020
Opcode Fuzzy Hash: 7ac156d900ecc299c81ad8520d194c2cd867796752776692d23c0cdec6e96b79
Instruction Fuzzy Hash: BB11BE71500204AFEB21CF65DC41F6ABBA8EF05720F1484AAEE46CA251C670A804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058E2DFA, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2E5E

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 243aaac71dc600edbc078195f0be3cf57de36f9da8923f06780477d608a6ca8f
Instruction ID: 43790edcf2452507eb46b4cdaed20eef5038d7bca3334510ef1eabc96810949a
Opcode Fuzzy Hash: 243aaac71dc600edbc078195f0be3cf57de36f9da8923f06780477d608a6ca8f
Instruction Fuzzy Hash: 7711B671400204EEEB11DF55DC84FA7FBACEF45314F148867EE45DB241D674A5058B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB656, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 00DCB6B2

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: f8189c7a06902151c8d849ca05c1a128e53c5c3b14a1c44259599cf3ba72863f
Instruction ID: 178b5dc943f54ba22baa1a047c4fdc99967eb43904543a8ed2162fe3174636da
Opcode Fuzzy Hash: f8189c7a06902151c8d849ca05c1a128e53c5c3b14a1c44259599cf3ba72863f
Instruction Fuzzy Hash: F3119071500204AFEB219F69DC46F66FFA8EF45720F28846BEE459B251D774E8048B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DCA8A8

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 54a32ef7f663d5dfa6a8d0e1b676e69b233dc6d69e6668807844593a5adf74c6
Instruction ID: 341a81547639ad9de29d427789b958ee5109f856bdd3f1ca4213f6f894aea631
Opcode Fuzzy Hash: 54a32ef7f663d5dfa6a8d0e1b676e69b233dc6d69e6668807844593a5adf74c6
Instruction Fuzzy Hash: DF216A714093C4AFDB138B258C54A52BFB4DF07624F0D80DBDD858F1A3D2695908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB25A, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 00DCB2B0

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: b9376bc256e30e51a91c96ba286d84c7f46db603677ee431a2dcd2420c01150e
Instruction ID: 2abd84fadc3c64825ccb0cff3f24fa6014201a9cd71f1d16778479cc2a4c9529
Opcode Fuzzy Hash: b9376bc256e30e51a91c96ba286d84c7f46db603677ee431a2dcd2420c01150e
Instruction Fuzzy Hash: 71119171500205EFEB109B29DC85F6BFF98EF45320F1884ABEE45DB241D6B4E8048BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCA7F6

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4332b4edee077d5fa153fc554d80db9786e298d330e9678811b903b9495b1d90
Instruction ID: c1c3e7fe5a2e5b1c364230a1ad5ecff2001a32b833124185bfa29dd55358c88c
Opcode Fuzzy Hash: 4332b4edee077d5fa153fc554d80db9786e298d330e9678811b903b9495b1d90
Instruction Fuzzy Hash: F211A271409380AFDB228F55DC44F62FFF4EF4A310F0885DAEE858B162D275A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E1122, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E1181

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a3d25cf15e1d90d013bf16370797e28e3d205146556608db1f1f9fd0b7b6d8b4
Instruction ID: ba0d6cef8aee25f104864cad2356dc9961b242495cf6d98a12eb9559a8c3e0e2
Opcode Fuzzy Hash: a3d25cf15e1d90d013bf16370797e28e3d205146556608db1f1f9fd0b7b6d8b4
Instruction Fuzzy Hash: 9B11BF71400204EFEB21DF55DC44FA6FBA8EF45324F14856BEE459B251C274A808CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 058E2C16, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2C6F

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: d8b2c9dff9cfbb3e43f17cec4da32455105d6d58133c2eb682f9eae50acd0d16
Instruction ID: 53c401925f94e5d4c2b1cdc941f3481cffcea4cc086435de2bdb3f462064f01d
Opcode Fuzzy Hash: d8b2c9dff9cfbb3e43f17cec4da32455105d6d58133c2eb682f9eae50acd0d16
Instruction Fuzzy Hash: D811E371400204AFEB20DF15DC80F66FBACEF45320F14C4ABEE06DB241C674A8048B72

Uniqueness

Uniqueness Score: -1.00%

Function 058E183A, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 058E1898

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 7822027a065b4ee1b49748018bfe7c16ca655e5eea8a62d0ec3265a45745a782
Instruction ID: de8eafd4d57c80ea2607801e5444ddd43108d712e2bc536f228f182805ef93dd
Opcode Fuzzy Hash: 7822027a065b4ee1b49748018bfe7c16ca655e5eea8a62d0ec3265a45745a782
Instruction Fuzzy Hash: 7E1190715093C4AFDB128B65DC45B52BFF8EF47220F0884EAED858F262C275A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058E06CE, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 058E0737

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ec08111b53c09f9c96cd523cb280e03db64c399b97fe4af660af551cd073e475
Instruction ID: 85b708259205faac24ec0d909730afc939be15cb8fa7ccd5cc0f15056b13577d
Opcode Fuzzy Hash: ec08111b53c09f9c96cd523cb280e03db64c399b97fe4af660af551cd073e475
Instruction Fuzzy Hash: BD11E571500704EFF720DB15DC89F66FBA8DF05720F14C89AEE459A281D2F5A948CE71

Uniqueness

Uniqueness Score: -1.00%

Function 058E2EDE, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E2F3D

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: ff6e3e903397aa9a54535dc7fe6d04686520a23e158ce61fdd951deff25a2a3c
Instruction ID: 1dda7d1d7c04e8c29d944e5d0aacacbf1ea8784335482d4909ba03810df4b870
Opcode Fuzzy Hash: ff6e3e903397aa9a54535dc7fe6d04686520a23e158ce61fdd951deff25a2a3c
Instruction Fuzzy Hash: 9511AC75400604EEEB218F15DC85F66FBA8EF05720F14849BEE469A251C6B5A819CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA44B, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00DCA4AC

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: f22522771e48a52e6eeea60ab960367f5926c240f639bc7e7234f0aadb06b764
Instruction ID: b22ec5e06fcfc596c5e5b1e43a5d9567d1df6ce930d5a015a695a9f66372f4f2
Opcode Fuzzy Hash: f22522771e48a52e6eeea60ab960367f5926c240f639bc7e7234f0aadb06b764
Instruction Fuzzy Hash: 7B118F714493C4AFDB128F25DC45B52BFB4EF46224F1884DBED498F253D2B9A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00DCA0D5

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 4cf379a628e53bf1f3d1d2ac779683e6ef8e6b0ca9f366e618bb708a159cd2da
Instruction ID: 6f93d78cc69f79b953d43b117632bf807dad0a1ec43618df31d312b09149eac3
Opcode Fuzzy Hash: 4cf379a628e53bf1f3d1d2ac779683e6ef8e6b0ca9f366e618bb708a159cd2da
Instruction Fuzzy Hash: D0116D75409384AFDB228F15DC44F52FFB4EF46224F08849AED858B152C275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058E1AB2, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E1B08

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: f29daab3a5e0fd872b790c48a42cb368465a9d23d404a9f48a3d2f79730bd9fa
Instruction ID: b2975935abdd0cfeeadaca2070cd31065bc271c68bd7b1213a77359896c7de0b
Opcode Fuzzy Hash: f29daab3a5e0fd872b790c48a42cb368465a9d23d404a9f48a3d2f79730bd9fa
Instruction Fuzzy Hash: 3901D271500204EEEB20DF15DC85F67FFA8EF86724F1484ABEE459B241D6B4A809CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00DCAD6A

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 86068dea7add805c3f6bf47e45924607f87207c5d78ceef08bd7e35c71a8cf74
Instruction ID: a43d32eff224802a386c2327aa44da6a3caf5bdcea0af9f3ef65052745525170
Opcode Fuzzy Hash: 86068dea7add805c3f6bf47e45924607f87207c5d78ceef08bd7e35c71a8cf74
Instruction Fuzzy Hash: 35118EB1A002059FDB60DF69D885B56FBE8EF44325F18C4AEDD4ACB641E674E804CA72

Uniqueness

Uniqueness Score: -1.00%

Function 058E0FA0, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 058E0FF4

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 94e4f956d4f984c5482b6e720a6ddbdaa40cdabf0f5e79027979cddf5769f3ee
Instruction ID: 19d02f87917df52faa5adce9082cb34b18ab0da04b28a7bab502f615bf5182d4
Opcode Fuzzy Hash: 94e4f956d4f984c5482b6e720a6ddbdaa40cdabf0f5e79027979cddf5769f3ee
Instruction Fuzzy Hash: 861182755093C49FDB128B25DC95B56FFB4EF07220F0880DAED858B253D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058E1062, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,35FB16BD,00000000,00000000,00000000,00000000), ref: 058E10B5

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a06719bddfcb4d3a722f899ade1c3349076003965eaf09a5eb7ef5a8e327c6df
Instruction ID: 411fdc0095c969268659584307ed0218f1460ef4474c950765895bad01005736
Opcode Fuzzy Hash: a06719bddfcb4d3a722f899ade1c3349076003965eaf09a5eb7ef5a8e327c6df
Instruction Fuzzy Hash: F101D271500644EEEB21DB16DC85FABFBA8EF06720F14C097EE459B241C6B4A808CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 058E2FB2, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 058E2FFE

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 4c26ec3fea8e59a9bb79178cfd90f0829d2e77e6ff1a380f5d7a5d7c7708191b
Instruction ID: 7a55f5d053272a03eddcb0d6e26a01f80635511d849d0b65b9e20d7625baad4f
Opcode Fuzzy Hash: 4c26ec3fea8e59a9bb79178cfd90f0829d2e77e6ff1a380f5d7a5d7c7708191b
Instruction Fuzzy Hash: 80115A35400644DFDB21CF55D844B62FBF5EF09320F0889AADE4A8B622D771E818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB85E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 00DCB8AE

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 1ea76c8f4eb8fd92b6bcded5d4a00761ebe1a882e0d84c3f2c6614a6af1494df
Instruction ID: aa61be7b12189d3057c591b17dd7d19d2fd38cfdeb4c4b6c227951b329d65d62
Opcode Fuzzy Hash: 1ea76c8f4eb8fd92b6bcded5d4a00761ebe1a882e0d84c3f2c6614a6af1494df
Instruction Fuzzy Hash: 14017176500600ABD710DF16DC86F26FBA8EB88B20F14856AED089B741E371B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 00DCA1C2

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 1c4c459f3ed0d0549e51c22c142e057970a81e0289bc05e37d57a9fdd12bb7fc
Instruction ID: 0cf9fdda5b31cbd63ea62f20ba0c1f74c973b24de3a7222ee46bce94ed8bbcba
Opcode Fuzzy Hash: 1c4c459f3ed0d0549e51c22c142e057970a81e0289bc05e37d57a9fdd12bb7fc
Instruction Fuzzy Hash: 25017175500600ABD710DF16DC86F26FBA8EB88A20F14856AED089B741E375B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB366, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 00DCB3B6

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: db769fdfebd3295d98d1b10abae19571fd59e027cb310c8817cf2a427248eab7
Instruction ID: 456a173c2a528b919d514afc9de94c103900b29785a26beb73bb51771e84bc32
Opcode Fuzzy Hash: db769fdfebd3295d98d1b10abae19571fd59e027cb310c8817cf2a427248eab7
Instruction Fuzzy Hash: 7B017176500600ABD710DF16DC86F26FBA8EB88B20F14856AED099B741E371B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCA7F6

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 88fd4e4c41536a7ddf7f0256f31398acbb7d9191efbf4ac24065849012b77b5a
Instruction ID: a0cfe4064cfcab7ded7d30adcb898fcdf246108e8c0bef4d4d5a81250f3e1851
Opcode Fuzzy Hash: 88fd4e4c41536a7ddf7f0256f31398acbb7d9191efbf4ac24065849012b77b5a
Instruction Fuzzy Hash: CE015B31400644EFDB218F59D844B66FFE0EF48324F18C9AAEE894B611D275A819DF72

Uniqueness

Uniqueness Score: -1.00%

Function 058E15C6, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 058E1616

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 03cd1f5ef084df8f5622e4f07b7318b8132a71bddb01c3f47c4c4de693b58b89
Instruction ID: be1ef0c65c668cf59e928a84d427e5922cf05c15943027aaf8c4d8b5778d357e
Opcode Fuzzy Hash: 03cd1f5ef084df8f5622e4f07b7318b8132a71bddb01c3f47c4c4de693b58b89
Instruction Fuzzy Hash: 5101AD76500600ABD210DF16DC82F26FBA8FB88B20F14815AED088B741E371F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 058E1866, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 058E1898

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d7db57a4261c78f81d9fbd95bc555a97ef3d38ba7574cfffc6032c88f2bf08b3
Instruction ID: 98639641dfa12b416952aaea23a3fa35e7ebf7129f2de4e7d3f8c4296a266a65
Opcode Fuzzy Hash: d7db57a4261c78f81d9fbd95bc555a97ef3d38ba7574cfffc6032c88f2bf08b3
Instruction Fuzzy Hash: 8B0184755002449FDB10CF16D889B66FFA4EF45220F18C4ABDD09CF651D6759844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAC76, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DCACA8

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3c79036578d7d0fa8c6016c9fa97e17f9ac10df0ad2e513167edc8d9acb0d2c4
Instruction ID: 9868e49cc436fbda0fe92bda622224d5b643ff1fa36640b1b68c56a4c6948071
Opcode Fuzzy Hash: 3c79036578d7d0fa8c6016c9fa97e17f9ac10df0ad2e513167edc8d9acb0d2c4
Instruction Fuzzy Hash: BC01DF755002449FDB108F2AD984B66FF94EF40324F28C4AFDD498F252D2B8E848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB00E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DCB040

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b7600a575987662c0eeeee00710286990a7846becf195c2063d310e5915910ba
Instruction ID: fc755f155ee042e6140171e9780202da1697b1bf586311e19095999f4c978d24
Opcode Fuzzy Hash: b7600a575987662c0eeeee00710286990a7846becf195c2063d310e5915910ba
Instruction Fuzzy Hash: F1019A715006409BDB208F29D886B56FBA4EB41320F18C0ABDD4A8B612C6B5E8089A72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB5BA, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00DCB60A

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a550501cfc369e8f09e7891cefc5d76de4c7af11753909c23dc0268b9dff2c7b
Instruction ID: 2a0743860f4087026a12b1cf45106c38306b56b75825f0a8696026ab5698c59c
Opcode Fuzzy Hash: a550501cfc369e8f09e7891cefc5d76de4c7af11753909c23dc0268b9dff2c7b
Instruction Fuzzy Hash: A901AD76500600ABD210DF16DC82F26FBA8FB88B20F14815AED088B741E371F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 00DCAB7E

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: c8d943dd90727cfa803d57263bfed2aeceb025d1a88d51da0cb5791f2d25f68b
Instruction ID: b203269f9b2f57fa344823bb3c6ec683b831cdc6fec166b7d51605ab493bda2e
Opcode Fuzzy Hash: c8d943dd90727cfa803d57263bfed2aeceb025d1a88d51da0cb5791f2d25f68b
Instruction Fuzzy Hash: 42016D76500600ABD650DF16DC86F26FBA8FB88B20F14815AED089B741E371F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00DCA0D5

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 6c9c41e9681e46cf4bfcf72a07e5edf3eb01707e25e33845d147f75b69664e37
Instruction ID: 7a817ae22b10e1462c1bd974e5f4c64dbaac9cead33b284245387063ef1d7d54
Opcode Fuzzy Hash: 6c9c41e9681e46cf4bfcf72a07e5edf3eb01707e25e33845d147f75b69664e37
Instruction Fuzzy Hash: 56019A31400644DFDB20DF59D884B66FFA0EF44324F18C5AAEE898B216D2B5A808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 058E0FC2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 058E0FF4

Memory Dump Source

Source File: 00000002.00000002.477956749.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 0209d4776551ba019584e5491b0e38444ad4bbed6c56409d8e36a86a52a8d0af
Instruction ID: 683e4a7bbec9b6c1805d6ccdf1d63735fbeea76a7da5d57d4f5ca072dae0ea18
Opcode Fuzzy Hash: 0209d4776551ba019584e5491b0e38444ad4bbed6c56409d8e36a86a52a8d0af
Instruction Fuzzy Hash: D601D135500684DFDB118F1AD889B66FFA4EF06220F08C0AADD098B256D6B5E848CE62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA47A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00DCA4AC

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: b934250cda729af09389ca3ee3932198bfe5a0817a0a44f2bec8a2ce048541f0
Instruction ID: 0d1f6ab232e7e06cae4ff60cf05f064a9de2f481567f7ddcb1cf7b992b625b72
Opcode Fuzzy Hash: b934250cda729af09389ca3ee3932198bfe5a0817a0a44f2bec8a2ce048541f0
Instruction Fuzzy Hash: 4B016275804244DFDB10DF19D889B66FF94EF44324F18C4AADD4D8F216D2B5A804DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DCA8A8

Memory Dump Source

Source File: 00000002.00000002.472584286.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bc10a48d66660b247bcf80d860467e917b8932feefe6c84c019c9a4b82edb41f
Instruction ID: 9e658b0880b773ea12e4f26a35fd09b9811f432cc27face59aa92f9adf9897e8
Opcode Fuzzy Hash: bc10a48d66660b247bcf80d860467e917b8932feefe6c84c019c9a4b82edb41f
Instruction Fuzzy Hash: C4F0AF34900648DFDB208F1AD885B62FFA4EF04724F28C49BDD494B212D3B5A809DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 058F328B, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.477968562.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8e4eb5e7cb3c61babdccf20bdaadf82521568a2c1ad27df6de200b715f4598
Instruction ID: c61138ced4e6a756ac21f84466adafa651ab9920ed41bc3ff72c7f7f9d308bd8
Opcode Fuzzy Hash: fa8e4eb5e7cb3c61babdccf20bdaadf82521568a2c1ad27df6de200b715f4598
Instruction Fuzzy Hash: C0312B75508341AFD341CF19DC41A6BFFE4EB89624F0489AEFD88DB211D235A905CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 058F300E, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.477968562.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06ce69664a5e87003a157e39ae0e4b994afc7fa7b87cfa6d6f4ac13ec55689c
Instruction ID: abc31626ec613ee3682fc4ae057d7403e6e239d89171ac66adc660c80f5325a2
Opcode Fuzzy Hash: b06ce69664a5e87003a157e39ae0e4b994afc7fa7b87cfa6d6f4ac13ec55689c
Instruction Fuzzy Hash: 1321B4B5608341AFD340CF19D881A5BFBE4FB89664F14896EF988D7311D275E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 058F3A80, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.477968562.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b43ebadef865d471a7c7cf6e2e40b4a25d866a643b1523278dca12bcf44f15
Instruction ID: 640fd4266b90cb269eaea3beb8ef4719320826c226037384f7725b1d3e417c52
Opcode Fuzzy Hash: 73b43ebadef865d471a7c7cf6e2e40b4a25d866a643b1523278dca12bcf44f15
Instruction Fuzzy Hash: 5311BAB5508341AFD350CF19D881A5BFBE4FB88664F14896EF998D7311D371EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B0075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.473711280.0000000002B00000.00000040.00000040.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb929c78b6c2a827d692a75060175b0ff219357a100fde78cb1cf2f6cc51766a
Instruction ID: 420911b137b0eaf3eab3b0a7a1cd8cc5e23b779de3ba5776032ed7a3c789f460
Opcode Fuzzy Hash: cb929c78b6c2a827d692a75060175b0ff219357a100fde78cb1cf2f6cc51766a
Instruction Fuzzy Hash: 36119334204684DFD716DB14C984B26BF95EB48708F24C9DDE9491B692C77BE403CE51

Uniqueness

Uniqueness Score: -1.00%

Function 02B005CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.473711280.0000000002B00000.00000040.00000040.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d91b1b0efbfa844f14189541dfd6489ebfbcc4aae1316c6aaf9a2ece536e3c4
Instruction ID: 813a6c3b9f010a7385cb369d7db4612cf8a7837dcb9930ae50449cf26970c4e6
Opcode Fuzzy Hash: 5d91b1b0efbfa844f14189541dfd6489ebfbcc4aae1316c6aaf9a2ece536e3c4
Instruction Fuzzy Hash: 7801D6B65083805FD7128B17EC40863FFA8EE86220749C09FED498B612D265A905CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02B00818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.473711280.0000000002B00000.00000040.00000040.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 67ddcbfeaf8dedcaf232c066d914903f18b440558ea70b438bdc52bf7a83e275
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: CCF0FB35108644DFC206DB40D980B15FBA2EB89718F24CAA9E9490B652C737E813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 02B005F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.473711280.0000000002B00000.00000040.00000040.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218473113fe52af0caa6d275ffffe2adfc696c9c362889920fe2261380c88dd0
Instruction ID: 30eed11e4d583f63539fb639401297f65698b72d40e57d5e2a68c684ceaad18c
Opcode Fuzzy Hash: 218473113fe52af0caa6d275ffffe2adfc696c9c362889920fe2261380c88dd0
Instruction Fuzzy Hash: 01E092766006008BD650DF0BEC41852F7D8EB88630B18C47FDC0D8B700E275B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 058F3083, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.477968562.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7369571262057e5396296bf41a9c3d6aae3735e97d753d8fbaf8df80693cc660
Instruction ID: b2cc7549d92ed2f68406785ea4e0169abf8312ce212a030c823b0e092f8ba537
Opcode Fuzzy Hash: 7369571262057e5396296bf41a9c3d6aae3735e97d753d8fbaf8df80693cc660
Instruction Fuzzy Hash: 68E0D87250030067D2109F07DC46F63FB58EB80A30F18C557EE085F342D1B1B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 058F3397, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.477968562.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1345c09ee010f4bcce7688438dfb6f06b2861c59c80a857774e4fa41d582a787
Instruction ID: b08e628ad656ee81f00aa1d7a0b9c6b496aeda48b31f18ce317499e688b50057
Opcode Fuzzy Hash: 1345c09ee010f4bcce7688438dfb6f06b2861c59c80a857774e4fa41d582a787
Instruction Fuzzy Hash: BDE0927250020067D2109A06DC42F63FB98DB80A30F18C557EE095A202D1B2A514CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 058F3AEB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.477968562.00000000058F0000.00000040.00000001.sdmp, Offset: 058F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15ca2bc7537ffb84e77f8a0301105168323ce96f2ba4d04204a91cc93547e77
Instruction ID: d017ec26f005ed1a3a8a2e4ceb07617badf9e050ad2addbf45b9f052f55e47a9
Opcode Fuzzy Hash: e15ca2bc7537ffb84e77f8a0301105168323ce96f2ba4d04204a91cc93547e77
Instruction Fuzzy Hash: B4E0D8B254030067D2109F07DC42F63FB98DB84A30F18C567ED0C5F302D1B1B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.472564999.0000000000DC2000.00000040.00000001.sdmp, Offset: 00DC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c015f2c0dd824ad8228986bb0238c17c93fb52fe1e992d181cfb7a12b2c23f6
Instruction ID: 594a372794dd0d931e02fbcdf8fb9f839936c2c66f2f2cbaac201278a36602bf
Opcode Fuzzy Hash: 1c015f2c0dd824ad8228986bb0238c17c93fb52fe1e992d181cfb7a12b2c23f6
Instruction Fuzzy Hash: 70D05B752156814FD3168A1CC165F653B94AB51B04F4A44FDE8008B663C364D981D110

Uniqueness

Uniqueness Score: -1.00%

Function 00DC23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.472564999.0000000000DC2000.00000040.00000001.sdmp, Offset: 00DC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c306588d81552df4ebc73ffb3f4932be51ea05c15613b6236996f88a4fd4a58
Instruction ID: 63c02186fffa4de3eb530360d656b222702939ac97aef37498b573e8c6ec7114
Opcode Fuzzy Hash: 5c306588d81552df4ebc73ffb3f4932be51ea05c15613b6236996f88a4fd4a58
Instruction Fuzzy Hash: 60D05E343002828BC715DB0CC594F6937D4AB41B00F0A44ECEC008B662C3B9DC81C610

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report BILL-OOO566876.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre