Play interactive tour

Edit tour

Windows Analysis Report 5nXX3v5zWn

Overview

General Information

Sample Name:	5nXX3v5zWn (renamed file extension from none to exe)
Analysis ID:	448478
MD5:	e35a0bdb66b37b80c51a1559058e326b
SHA1:	42d31ffa8a8a38d5073220550cae44d3e91bf9d6
SHA256:	4d16ac850f443e678e5cdc8c104f9369a97e8347c3a64f3fce173329072fee53
Tags:	32exe
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected HawkEye Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected HawkEye Keylogger

Yara detected MailPassView

Adds a directory exclusion to Windows Defender

Changes the view of files in windows explorer (hidden files and folders)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: Powershell Defender Exclusion

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

5nXX3v5zWn.exe (PID: 3440 cmdline: 'C:\Users\user\Desktop\5nXX3v5zWn.exe' MD5: E35A0BDB66B37B80C51A1559058E326B)

powershell.exe (PID: 4116 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5796 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4420 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\egGZqtIOrEmq' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 2396 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 2428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

5nXX3v5zWn.exe (PID: 5712 cmdline: C:\Users\user\Desktop\5nXX3v5zWn.exe MD5: E35A0BDB66B37B80C51A1559058E326B)

5nXX3v5zWn.exe (PID: 3708 cmdline: C:\Users\user\Desktop\5nXX3v5zWn.exe MD5: E35A0BDB66B37B80C51A1559058E326B)

vbc.exe (PID: 2440 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 5356 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

WindowsUpdate.exe (PID: 5096 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: E35A0BDB66B37B80C51A1559058E326B)

WindowsUpdate.exe (PID: 3412 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: E35A0BDB66B37B80C51A1559058E326B)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\5nXX3v5zWn.exe' , ParentImage: C:\Users\user\Desktop\5nXX3v5zWn.exe, ParentProcessId: 3440, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', ProcessId: 4116

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\5nXX3v5zWn.exe' , ParentImage: C:\Users\user\Desktop\5nXX3v5zWn.exe, ParentProcessId: 3440, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe', ProcessId: 4116

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5nXX3v5zWn.exe.3708.17.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe	ReversingLabs: Detection: 43%

Multi AV Scanner detection for submitted file

Show sources

Source: 5nXX3v5zWn.exe

Virustotal: Detection: 46%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 5nXX3v5zWn.exe

Joe Sandbox ML: detected

Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473

Source: 5nXX3v5zWn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 5nXX3v5zWn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: vbc.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,		29_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,		29_2_00407E0E

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 4x nop then jmp 0572A630h	17_2_0572A568
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 4x nop then jmp 0572A630h	17_2_0572A559
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	17_2_05729EF5
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	17_2_05722B75
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	17_2_05729A2D
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	17_2_078BFE8B

Source: global traffic

TCP traffic: 192.168.2.3:49736 -> 185.26.106.194:587

Source: Joe Sandbox View

IP Address: 91.199.212.52 91.199.212.52

Source: global traffic

TCP traffic: 192.168.2.3:49736 -> 185.26.106.194:587

Source: global traffic

HTTP traffic detected: GET /SectigoRSADomainValidationSecureServerCA.crt HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: crt.sectigo.com

Source: vbc.exe

String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: 231.29.2.0.in-addr.arpa

Source: powershell.exe, 00000009.00000002.498582062.00000000009B8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 5nXX3v5zWn.exe, 00000011.00000002.522566342.00000000037CC000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: 5nXX3v5zWn.exe, 00000011.00000002.533674559.00000000078C0000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt5=
Source: 5nXX3v5zWn.exe, 00000011.00000003.287584915.00000000062C0000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: 5nXX3v5zWn.exe, 00000011.00000003.288794721.00000000062CB000.00000004.00000001.sdmp, 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 5nXX3v5zWn.exe, 00000011.00000003.288891184.00000000062CB000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.comq
Source: 5nXX3v5zWn.exe, 00000011.00000002.522566342.00000000037CC000.00000004.00000001.sdmp	String found in binary or memory: http://mail.spamora.net
Source: powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.522566342.00000000037CC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0%
Source: powershell.exe, 0000000E.00000002.517938539.0000000004A23000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.518108271.0000000004D02000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngH
Source: powershell.exe, 00000007.00000002.519991834.0000000004DED000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.521443598.000000000485D000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.524687995.0000000004FC3000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.509134453.0000000004BC1000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.518972104.0000000004631000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.508174098.00000000048E1000.00000004.00000001.sdmp, 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.519991834.0000000004DED000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.521443598.000000000485D000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.524687995.0000000004FC3000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 5nXX3v5zWn.exe, 00000011.00000003.295694072.00000000062C8000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000E.00000002.517938539.0000000004A23000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.518108271.0000000004D02000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlH
Source: 5nXX3v5zWn.exe, 00000011.00000002.501039730.0000000001717000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 5nXX3v5zWn.exe, 00000011.00000003.314601492.00000000062BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 5nXX3v5zWn.exe, 00000011.00000003.315017748.00000000062BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: 5nXX3v5zWn.exe, 00000011.00000003.317306866.00000000062EA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 5nXX3v5zWn.exe, 00000011.00000003.315017748.00000000062BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersv
Source: 5nXX3v5zWn.exe, 00000011.00000002.501039730.0000000001717000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: 5nXX3v5zWn.exe, 00000011.00000002.501039730.0000000001717000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comas
Source: 5nXX3v5zWn.exe, 00000011.00000002.501039730.0000000001717000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 5nXX3v5zWn.exe, 00000011.00000003.287998940.00000000062CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: powershell.exe, 0000000E.00000003.461384834.0000000009399000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.co_
Source: vbc.exe	String found in binary or memory: http://www.nirsoft.net/
Source: 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 5nXX3v5zWn.exe, 00000011.00000003.290027281.00000000062CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comt.j
Source: 5nXX3v5zWn.exe, 00000011.00000003.289228966.00000000062CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comtn
Source: 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.517938539.0000000004A23000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.518108271.0000000004D02000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/PesterH
Source: powershell.exe, 00000007.00000003.429431833.000000000556E000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.525427017.00000000050E7000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000003.429673887.0000000004FDC000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro8
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.522566342.00000000037CC000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_0040D674 OpenClipboard,GetLastError,DeleteFileW,

29_2_0040D674

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

29_2_00408836

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00388280	9_2_00388280
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0038D4B0	9_2_0038D4B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0038F6A9	9_2_0038F6A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0038B688	9_2_0038B688
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0038BC08	9_2_0038BC08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00387340	9_2_00387340
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00385468	9_2_00385468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00385457	9_2_00385457
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0038B688	9_2_0038B688
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00388AAC	9_2_00388AAC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00386ED0	9_2_00386ED0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00399678	9_2_00399678
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00399BA0	9_2_00399BA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0039EC28	9_2_0039EC28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00398EB0	9_2_00398EB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00394640	9_2_00394640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00398958	9_2_00398958
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00399C98	9_2_00399C98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00399C88	9_2_00399C88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00394E00	9_2_00394E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_003A72D3	9_2_003A72D3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00B80040	14_2_00B80040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00B8CB78	14_2_00B8CB78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DC85C8	14_2_00DC85C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DCF708	14_2_00DCF708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DCE9F0	14_2_00DCE9F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DCA9B8	14_2_00DCA9B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DCAF40	14_2_00DCAF40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DC7280	14_2_00DC7280
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DC5399	14_2_00DC5399
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DC53A8	14_2_00DC53A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DCF708	14_2_00DCF708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DCA9B8	14_2_00DCA9B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DC8DF8	14_2_00DC8DF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DC6E10	14_2_00DC6E10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DF6348	14_2_00DF6348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DFAE60	14_2_00DFAE60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DF18A8	14_2_00DF18A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DF0040	14_2_00DF0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DF6348	14_2_00DF6348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DFAE60	14_2_00DFAE60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00DFAE60	14_2_00DFAE60
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_078BB4E0	17_2_078BB4E0
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_078BB198	17_2_078BB198
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_078BEEC8	17_2_078BEEC8
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_078BBDB0	17_2_078BBDB0
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_078B0006	17_2_078B0006
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00404419	29_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00404516	29_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00413538	29_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_004145A1	29_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_0040E639	29_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_004337AF	29_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_004399B1	29_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_0043DAE7	29_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00405CF6	29_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00403F85	29_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00411F99	29_2_00411F99

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times

Source: 5nXX3v5zWn.exe, 00000001.00000000.210021618.0000000000F60000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSafeLsaPolicyHand.exe" vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe	Binary or memory string: OriginalFilename vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 0000000F.00000002.274022671.0000000000430000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSafeLsaPolicyHand.exe" vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe	Binary or memory string: OriginalFilename vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.536121035.00000000089F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.536223795.0000000008A10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.486267754.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSafeLsaPolicyHand.exe" vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.482058861.0000000000482000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.536186099.0000000008A00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs 5nXX3v5zWn.exe
Source: 5nXX3v5zWn.exe, 00000011.00000002.536347422.0000000008F20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 5nXX3v5zWn.exe

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Section loaded: onecoreuapcommonproxystub.dll

Jump to behavior

Source: 5nXX3v5zWn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 17.2.5nXX3v5zWn.exe.7d90000.12.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.7d80000.11.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.5nXX3v5zWn.exe.335ed8c.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: 5nXX3v5zWn.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: egGZqtIOrEmq.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.17.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@23/23@3/3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

29_2_00415AFD

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

29_2_00415F87

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,

29_2_00411196

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,

29_2_00411EF8

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

File created: C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2428:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3876:120:WilError_01
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Mutant created: \Sessions\1\BaseNamedObjects\gUNensdasyPYNch
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:592:120:WilError_01

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp

Jump to behavior

Source: 5nXX3v5zWn.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 5nXX3v5zWn.exe

Virustotal: Detection: 46%

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

File read: C:\Users\user\Desktop\5nXX3v5zWn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe 'C:\Users\user\Desktop\5nXX3v5zWn.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\egGZqtIOrEmq' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\egGZqtIOrEmq' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Source: 5nXX3v5zWn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 5nXX3v5zWn.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 5nXX3v5zWn.exe

Static file information: File size 1261056 > 1048576

Source: 5nXX3v5zWn.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x131800

Source: 5nXX3v5zWn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: vbc.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

29_2_004422C7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0038E2E0 push es; ret	9_2_0038E2F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_003832E5 push eax; ret	9_2_00383351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00391C3D push ebx; iretd	9_2_00391C7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0039CC70 push eax; retf 0037h	9_2_0039CC71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00B86979 push eax; mov dword ptr [esp], edx	14_2_00B8698C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00B86D30 push eax; mov dword ptr [esp], edx	14_2_00B86D34
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00B89E20 push eax; mov dword ptr [esp], ecx	14_2_00B89E74
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 15_2_0033A133 push eax; ret	15_2_0033A136
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 15_2_0033A228 push cs; ret	15_2_0033A229
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 15_2_0042E5DC push ss; iretd	15_2_0042E5DD
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 15_2_0033B29B push cs; ret	15_2_0033B29C
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 15_2_00428F7F push cs; ret	15_2_00428F80
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 15_2_00339FD5 push cs; ret	15_2_00339FD6
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_00B5A133 push eax; ret	17_2_00B5A136
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_00C4E5DC push ss; iretd	17_2_00C4E5DD
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_00B5A228 push cs; ret	17_2_00B5A229
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_00B5B29B push cs; ret	17_2_00B5B29C
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_00C48F7F push cs; ret	17_2_00C48F80
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_00B59FD5 push cs; ret	17_2_00B59FD6
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Code function: 17_2_0572AC12 pushfd ; ret	17_2_0572AC21
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00442871 push ecx; ret	29_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00442A90 push eax; ret	29_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00442A90 push eax; ret	29_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00446E54 push eax; ret	29_2_00446E61

Source: initial sample	Static PE information: section name: .text entropy: 7.61581587782
Source: initial sample	Static PE information: section name: .text entropy: 7.61581587782
Source: initial sample	Static PE information: section name: .text entropy: 7.61581587782

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe			Jump to dropped file
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	File created: C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\egGZqtIOrEmq' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp'

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

29_2_00441975

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB Blob

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

29_2_00408836

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Code function: 15_2_00431D21 sldt word ptr [eax]

15_2_00431D21

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3857	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3223	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4132	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2786	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4396	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2498	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Window / User API: threadDelayed 2800

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 3340	Thread sleep time: -54672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 5092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5992	Thread sleep count: 4132 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6036	Thread sleep count: 2786 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3544	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5412	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5412	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4144	Thread sleep count: 4396 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5980	Thread sleep count: 2498 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5700	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 5236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 2132	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4000	Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 64	Thread sleep time: -36800s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 5404	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -99807s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -99687s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -99568s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -99310s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -99031s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -98777s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -98327s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -98201s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 5392	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -97903s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe TID: 4824	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,		29_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 29_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,		29_2_00407E0E

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_004161B0 memset,GetSystemInfo,

29_2_004161B0

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 54672	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 120000
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 140000
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 99807
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 99687
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 99568
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 99453
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 99310
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 99156
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 99031
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 98906
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 98777
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 98671
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 98562
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 98327
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 98201
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 98047
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 97903
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 97797
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000009.00000003.445755391.0000000004F42000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.454009166.000000000531D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: 5nXX3v5zWn.exe, 00000011.00000002.534050302.0000000007988000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWve MAC Layer LightWeight Filter-0000
Source: 5nXX3v5zWn.exe	Binary or memory string: []qET]m8Z\3QqeMUKe4Ip]oUJD]gKD}{Z\4I[UoQpeoM[]pYpXDXI]DnKel4Z]}Q[TDnKel4Z]}Q[TiU[]qEjeyoJgks[dvIp\y{5Ux3Z]3Q[hWEzep8ZVoM[g3{ZgGEzf
Source: 5nXX3v5zWn.exe, 00000011.00000002.534173269.00000000079A7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: 5nXX3v5zWn.exe, 00000001.00000000.210021618.0000000000F60000.00000002.00020000.sdmp, 5nXX3v5zWn.exe, 0000000F.00000002.274022671.0000000000430000.00000002.00020000.sdmp, 5nXX3v5zWn.exe, 00000011.00000002.486267754.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: 385eGEzfv<pf385eG<IgogJD3Y6e8IJWo4Zg}YpXDTKhoU4[3Y5fDj[]n8ZVlIJYiU[]}ET]9o5XiU[]}Ez]xo5gkMKUx3Z]3Q[hWET]9o5XDXZek83[3Y5fDXJelI5fyE6fsUXVDL[]xoZ\385eGoHD}gpesUKgoQIDtYIDdsJD}gpesUKgoQ4[3Y5]DTKe4Ip]oUHD[UIDOMID}jIDnYphs85e\|k5\xo6XDX5fkM3fq8Zd3U[]WETU}EDgvY[\pYJUiU[]qET]m8Z\3QqeMUKe4Ip]oUJD]gKD}{Z\4I[UoQpeoM[]pYpXDXI]DnKel4Z]}Q[TDnKel4Z]}Q[TiU[]qEjeyoJgks[dvIp\y{5Ux3Z]3Q[hWEzep8ZVoM[g3{ZgGEzfoQpf4<5foMoOwYJg}o6XDL[]qIpek4X]mM[gyQ[]VEz\xEDdP<HD7{XgDXZgvIpYiU[]}ET]4{
Source: powershell.exe, 00000007.00000002.518108271.0000000004D02000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.520573220.0000000004773000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.517938539.0000000004A23000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

29_2_00408836

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

29_2_004422C7

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Memory written: C:\Users\user\Desktop\5nXX3v5zWn.exe base: 400000 value starts with: 4D5A

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\egGZqtIOrEmq' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Users\user\Desktop\5nXX3v5zWn.exe C:\Users\user\Desktop\5nXX3v5zWn.exe	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Source: powershell.exe, 00000007.00000002.502841281.0000000003420000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.518251451.0000000003220000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.503427661.00000000033B0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000007.00000002.502841281.0000000003420000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.518251451.0000000003220000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.503427661.00000000033B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000007.00000002.502841281.0000000003420000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.518251451.0000000003220000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.503427661.00000000033B0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: powershell.exe, 00000007.00000002.502841281.0000000003420000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.518251451.0000000003220000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.503427661.00000000033B0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Users\user\Desktop\5nXX3v5zWn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Users\user\Desktop\5nXX3v5zWn.exe VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

29_2_0041604B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 29_2_00407674 GetVersionExW,

29_2_00407674

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 5nXX3v5zWn.exe, 00000011.00000002.533674559.00000000078C0000.00000004.00000001.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\5nXX3v5zWn.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPE

Yara detected MailPassView

Show sources

Source: Yara match	File source: 30.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.4329930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.4329930.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.45fa72.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.4341b50.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.4329930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.4341b50.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat

Show sources

Source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp	String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
Source: 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp	String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.5nXX3v5zWn.exe.334b1ec.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation121	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Credentials in Registry1	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Scheduled Task/Job1	Process Injection212	Obfuscated Files or Information4	Credentials In Files1	System Information Discovery19	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Registry Run Keys / Startup Folder1	Scheduled Task/Job1	Software Packing3	NTDS	Query Registry1	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	DLL Side-Loading1	LSA Secrets	Security Software Discovery251	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Virtualization/Sandbox Evasion151	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol12	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Modify Registry1	DCSync	Process Discovery4	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion151	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection212	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5nXX3v5zWn.exe	46%	Virustotal		Browse
5nXX3v5zWn.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	43%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe	43%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
29.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
17.2.5nXX3v5zWn.exe.400000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
17.2.5nXX3v5zWn.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File

Domains

Source	Detection	Scanner	Link
mail.spamora.net	1%	Virustotal	Browse
crt.sectigo.com	1%	Virustotal	Browse
231.29.2.0.in-addr.arpa	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt5=	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://fontfabrik.comq	0%	Avira URL Cloud	safe
http://www.fontbureau.comas	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://mail.spamora.net	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://www.tiro.comt.j	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.tiro.comtn	0%	Avira URL Cloud	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://ocsp.sectigo.com0%	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
https://go.micro8	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngH	0%	Avira URL Cloud	safe
http://www.microsoft.co_	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.spamora.net	185.26.106.194	true	false	1%, Virustotal, Browse	unknown
crt.sectigo.com	91.199.212.52	true	false	1%, Virustotal, Browse	unknown
231.29.2.0.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.founder.com.cn/cn/bThe	5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/PesterH	powershell.exe, 00000007.00000002.518108271.0000000004D02000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt5=	5nXX3v5zWn.exe, 00000011.00000002.533674559.00000000078C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	5nXX3v5zWn.exe, 00000011.00000003.314601492.00000000062BE000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.comq	5nXX3v5zWn.exe, 00000011.00000003.288891184.00000000062CB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comas	5nXX3v5zWn.exe, 00000011.00000002.501039730.0000000001717000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	5nXX3v5zWn.exe, 00000011.00000003.288794721.00000000062CB000.00000004.00000001.sdmp, 5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	false		high
http://mail.spamora.net	5nXX3v5zWn.exe, 00000011.00000002.522566342.00000000037CC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersv	5nXX3v5zWn.exe, 00000011.00000003.315017748.00000000062BE000.00000004.00000001.sdmp	false		high
https://login.yahoo.com/config/login	vbc.exe	false		high
http://www.fonts.com	5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.site.com/logs.php	5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net/	vbc.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.509134453.0000000004BC1000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.518972104.0000000004631000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.508174098.00000000048E1000.00000004.00000001.sdmp, 5nXX3v5zWn.exe, 00000011.00000002.506900664.0000000003321000.00000004.00000001.sdmp	false		high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	5nXX3v5zWn.exe, 00000011.00000002.522566342.00000000037CC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	5nXX3v5zWn.exe, 00000011.00000003.295694072.00000000062C8000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	5nXX3v5zWn.exe, 00000011.00000002.501039730.0000000001717000.00000004.00000040.sdmp	false		high
http://www.fontbureau.comF	5nXX3v5zWn.exe, 00000011.00000002.501039730.0000000001717000.00000004.00000040.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	5nXX3v5zWn.exe, 00000011.00000002.522566342.00000000037CC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comc	5nXX3v5zWn.exe, 00000011.00000003.287998940.00000000062CB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.517938539.0000000004A23000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000007.00000002.519991834.0000000004DED000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.521443598.000000000485D000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.524687995.0000000004FC3000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.517938539.0000000004A23000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000007.00000003.429431833.000000000556E000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.525427017.00000000050E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comt.j	5nXX3v5zWn.exe, 00000011.00000003.290027281.00000000062CB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlH	powershell.exe, 00000007.00000002.518108271.0000000004D02000.00000004.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.528319560.0000000005944000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comtn	5nXX3v5zWn.exe, 00000011.00000003.289228966.00000000062CB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.come.com	5nXX3v5zWn.exe, 00000011.00000002.501039730.0000000001717000.00000004.00000040.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.517938539.0000000004A23000.00000004.00000001.sdmp	false		high
http://en.w	5nXX3v5zWn.exe, 00000011.00000003.287584915.00000000062C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0%	5nXX3v5zWn.exe, 00000011.00000002.522566342.00000000037CC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cn	5nXX3v5zWn.exe, 00000011.00000002.532711160.00000000074C2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	5nXX3v5zWn.exe, 00000011.00000003.317306866.00000000062EA000.00000004.00000001.sdmp	false		high
https://go.micro8	powershell.exe, 00000009.00000003.429673887.0000000004FDC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.pngH	powershell.exe, 00000007.00000002.518108271.0000000004D02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000007.00000002.519991834.0000000004DED000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.521443598.000000000485D000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.524687995.0000000004FC3000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/	5nXX3v5zWn.exe, 00000011.00000003.315017748.00000000062BE000.00000004.00000001.sdmp	false		high
http://www.microsoft.co_	powershell.exe, 0000000E.00000003.461384834.0000000009399000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.199.212.52	crt.sectigo.com	United Kingdom		48447	SECTIGOGB	false
185.26.106.194	mail.spamora.net	France		24935	ATE-ASFR	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	448478
Start date:	14.07.2021
Start time:	09:33:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	5nXX3v5zWn (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@23/23@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 78.5% Quality standard deviation: 14.5%
HCA Information:	Successful, ratio: 98% Number of executed functions: 267 Number of non-executed functions: 164
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.255.188.83, 23.54.113.53, 13.88.21.125, 52.147.198.201, 95.100.54.203, 20.82.210.154, 40.112.88.60, 20.82.209.183, 23.10.249.25, 23.10.249.26, 20.50.102.62 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:34:48	API Interceptor	24x Sleep call for process: 5nXX3v5zWn.exe modified
09:35:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
09:35:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
09:35:52	API Interceptor	154x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.199.212.52	H8KFZGwAkB.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	Cmh_Fax-Message-3865.html	Get hash	malicious	Browse	zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
	guesZQt4Yz.exe	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	2naHs0NOfi.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	3.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	3.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	saturo[1].htm	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	cat.exe	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	OW73NJTujh.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	Ak6qIKCI0f.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	DOCUMENT.DLL	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	PNmTyT6wHi.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	DOCUMENT.DLL	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	Documents.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	s.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	s.dll	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
	publiclicense.vbs	Get hash	malicious	Browse	zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
	3PL0-MDEO3H-GOF4.html	Get hash	malicious	Browse	zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
	pieChart2.exe	Get hash	malicious	Browse	crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.spamora.net	Doc_386384934.xlsx	Get hash	malicious	Browse	185.26.106.194
	Doc_38464835648343.xlsx	Get hash	malicious	Browse	185.26.106.194
	pfI78aQqmv.exe	Get hash	malicious	Browse	185.26.106.194
	Inquiry.xlsx	Get hash	malicious	Browse	185.26.106.194
	Doc_87654334567.exe	Get hash	malicious	Browse	185.26.106.194
	PO-4600017931.xlsx	Get hash	malicious	Browse	185.26.106.194
	HTOj2DnVlw.exe	Get hash	malicious	Browse	185.26.106.194
	i7Qs22QuKz.exe	Get hash	malicious	Browse	185.26.106.194
	Doc.xlsx	Get hash	malicious	Browse	185.26.106.194
	Doc_3956385638364836437638364738365483647383648373638463836483648363846383.exe	Get hash	malicious	Browse	185.26.106.194
	Doc_987945678.exe	Get hash	malicious	Browse	185.26.106.194
	Ref-2021-05-14.exe	Get hash	malicious	Browse	185.26.106.194
	Doc_38464856384683648364.exe	Get hash	malicious	Browse	185.26.106.194
	Document_printout_copy_34853936483648364393743836384.exe	Get hash	malicious	Browse	185.26.106.194
	DHL_SHIPMENT_ADDRESS_4495749574946596484658458458,pdf.exe	Get hash	malicious	Browse	185.26.106.194
	RFQ_38463846393646388368364834.exe	Get hash	malicious	Browse	185.26.106.194
	Doc_3847468364836483638463,pdf.exe	Get hash	malicious	Browse	185.26.106.194
	9385839583309483484303843094034.exe	Get hash	malicious	Browse	185.26.106.194
	SIN_TONG_HWA_TRADING,pdf.exe	Get hash	malicious	Browse	185.26.106.194
	9qyjV3QacT.exe	Get hash	malicious	Browse	185.26.106.194

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SECTIGOGB	H8KFZGwAkB.dll	Get hash	malicious	Browse	91.199.212.52
	Cmh_Fax-Message-3865.html	Get hash	malicious	Browse	91.199.212.52
	guesZQt4Yz.exe	Get hash	malicious	Browse	91.199.212.52
	2naHs0NOfi.dll	Get hash	malicious	Browse	91.199.212.52
	3.dll	Get hash	malicious	Browse	91.199.212.52
	3.dll	Get hash	malicious	Browse	91.199.212.52
	saturo[1].htm	Get hash	malicious	Browse	91.199.212.52
	cat.exe	Get hash	malicious	Browse	91.199.212.52
	OW73NJTujh.dll	Get hash	malicious	Browse	91.199.212.52
	Ak6qIKCI0f.dll	Get hash	malicious	Browse	91.199.212.52
	DOCUMENT.DLL	Get hash	malicious	Browse	91.199.212.52
	PNmTyT6wHi.dll	Get hash	malicious	Browse	91.199.212.52
	DOCUMENT.DLL	Get hash	malicious	Browse	91.199.212.52
	Documents.dll	Get hash	malicious	Browse	91.199.212.52
	s.dll	Get hash	malicious	Browse	91.199.212.52
	s.dll	Get hash	malicious	Browse	91.199.212.52
	publiclicense.vbs	Get hash	malicious	Browse	91.199.212.52
	3PL0-MDEO3H-GOF4.html	Get hash	malicious	Browse	91.199.212.52
	pieChart2.exe	Get hash	malicious	Browse	91.199.212.52
ATE-ASFR	Doc_386384934.xlsx	Get hash	malicious	Browse	185.26.106.165
	Doc_38464835648343.xlsx	Get hash	malicious	Browse	185.26.106.165
	pfI78aQqmv.exe	Get hash	malicious	Browse	185.26.106.194
	Inquiry.xlsx	Get hash	malicious	Browse	185.26.106.165
	Doc_87654334567.exe	Get hash	malicious	Browse	185.26.106.194
	PO-4600017931.xlsx	Get hash	malicious	Browse	185.26.106.165
	HTOj2DnVlw.exe	Get hash	malicious	Browse	185.26.106.194
	i7Qs22QuKz.exe	Get hash	malicious	Browse	185.26.106.194
	Doc.xlsx	Get hash	malicious	Browse	185.26.106.165
	Doc_3956385638364836437638364738365483647383648373638463836483648363846383.exe	Get hash	malicious	Browse	185.26.106.194
	Doc_987945678.exe	Get hash	malicious	Browse	185.26.106.194
	Ref-2021-05-14.exe	Get hash	malicious	Browse	185.26.106.194
	Doc_38464856384683648364.exe	Get hash	malicious	Browse	185.26.106.194
	Document_printout_copy_34853936483648364393743836384.exe	Get hash	malicious	Browse	185.26.106.194
	DHL_SHIPMENT_ADDRESS_4495749574946596484658458458,pdf.exe	Get hash	malicious	Browse	185.26.106.194
	DOCUMENT_395849584954.exe	Get hash	malicious	Browse	185.26.106.165
	RFQ_38463846393646388368364834.exe	Get hash	malicious	Browse	185.26.106.194
	Doc_3847468364836483638463,pdf.exe	Get hash	malicious	Browse	185.26.106.194
	9385839583309483484303843094034.exe	Get hash	malicious	Browse	185.26.106.194
	Order_364537463746347485945454.xlsx	Get hash	malicious	Browse	185.26.106.165

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	data
Category:	dropped
Size (bytes):	1559
Entropy (8bit):	7.399832861783252
Encrypted:	false
SSDEEP:	48:B4wgi+96jf8TXJgnXpxi4sVtcTtrdoh+S:KiIq0eZnep
MD5:	ADAB5C4DF031FB9299F71ADA7E18F613
SHA1:	33E4E80807204C2B6182A3A14B591ACD25B5F0DB
SHA-256:	7FA4FF68EC04A99D7528D5085F94907F4D1DD1C5381BACDC832ED5C960214676
SHA-512:	983B974E459A46EB7A3C8850EC90CC16D3B6D4A1505A5BCDD710C236BAF5AADC58424B192E34A147732E9D436C9FC04D896D8A7700FF349252A57514F588C6A1
Malicious:	false
Preview:	0...0..........}[Q&.v...t...S..0....H........0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0...181102000000Z..301231235959Z0..1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Sectigo Limited1705..U....Sectigo RSA Domain Validation Secure Server CA0.."0....H.............0.........s3..< ....E..>..?.A.20.l.......-?.M......b..Hy...N..2%.....P?.L.@*.9.....2A.&.#z. ... .<.Do.u..@.2.....#>...o]Q.j.i.O.ri..Lm.....~......7x...4.V.X....d[.7..(h.V...\......$..0......z...B......J.....@..o.BJd..0.....'Z..X......c.oV...`4.t........_.........n0..j0...U.#..0...Sy.Z.+J.T.......f.0...U........^.T...w.......a.0...U...........0...U.......0.......0...U.%..0...+.........+.......0...U. ..0.0...U. .0...g.....0P..U...I0G0E.C.A.?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v..+........j0h0?..+.....0..3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%..+.....0.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30D802E0E248FEE17AAF4A62594CC75A Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	data
Category:	modified
Size (bytes):	282
Entropy (8bit):	3.1368173556949515
Encrypted:	false
SSDEEP:	3:kkFklhLpwkNvfllXlE/lPbXx8bqlF8tlije9DZl2i9XYolzlIlMltuN7ANJbZ15z:kK6RNyjXxp9jKFlIaYM2+/LOjA/
MD5:	E46482A591E6E2926D676D36A231C676
SHA1:	2B62C2F4D903CAFA707B0C2927D378E1FD42BFAF
SHA-256:	C4153C1C2F053DFF266A528F81CEBCC2464F1B922F4060D62C141715EA593989
SHA-512:	A8A9E1B516C7C619CD8DA30DFEFC935ED9324A99CF694D7F0A9A4582AD59E2F75720A80C8341D00B1C6F220F6AD326880D0C8028A04FC0A76354CFEDF3E46BD3
Malicious:	false
Preview:	p...... ........T....x..(....................................................... ........@u.>r..@8..................h.t.t.p.:././.c.r.t...s.e.c.t.i.g.o...c.o.m./.S.e.c.t.i.g.o.R.S.A.D.o.m.a.i.n.V.a.l.i.d.a.t.i.o.n.S.e.c.u.r.e.S.e.r.v.e.r.C.A...c.r.t...".5.b.d.b.9.3.8.0.-.6.1.7."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5nXX3v5zWn.exe.log Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxx5djHWrxbXX35PYoGib4J:cBV3IpNBQkj2Lh4iUxx5djHWrxbH3RYH
MD5:	456B58368F1597035565FF5661D0A2CE
SHA1:	DAC873BF6060F400AB309C040948848CD3019B11
SHA-256:	C1273918592A45B7B6CEABC376395C6701D5C83642143C824BE3E316F9131AA9
SHA-512:	B55743EFD8588B68A89983553BE54FEDBB45F1877513CBA477CBCA36EA2E4D6F6140D61FC342EB326CB0B485E26BAC515B234DCD34909129C4339AAEF18B4889
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_102g4eb0.ed4.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_53yqb03u.w2f.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b3j5vb2e.zhc.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfl5jaou.44l.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uyn15uet.dem.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vth45tfl.sdf.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\holderwb.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.193776238895854
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBvutn:cbh47TlNQ//rydbz9I3YODOLNdq39I
MD5:	54A7468F56A3A2CD1077D5BC5F5E1CF5
SHA1:	546DB1F0DA9CBFC04C741F850261FB3862C7E653
SHA-256:	03E45CEFC430010C346C2A0A872644AA1CC0EA468BC0897ED3D9D764C7DFF8BF
SHA-512:	8C305AA91EA03F18D21BAC550E34A2AF142A8E85667173B6B5C741BBFC09BCF553AB2686313E2AD78A8A971E0D4907E2B2A48D138E144C7D2D8D2911F8D5228A
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\WindowsUpdate.exe Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1261056
Entropy (8bit):	7.612252755280688
Encrypted:	false
SSDEEP:	24576:J57dzqnUYOCGSfCuuBIRzCa6RMdLAEDv+tgd3gD:hgN97ugl6sUEHd3g
MD5:	E35A0BDB66B37B80C51A1559058E326B
SHA1:	42D31FFA8A8A38D5073220550CAE44D3E91BF9D6
SHA-256:	4D16AC850F443E678E5CDC8C104F9369A97E8347C3A64F3FCE173329072FEE53
SHA-512:	ECF25580F0877CD47826BD23C60C1A871FC8A68C12E300776681B97A55406DD6523981755C477F4E76D09FFC67471E96E784CAE65D1A32F1F023504D26F8E186
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+..`.....................$.......5... ........@.. ....................................@..................................5..W....@..."........................................................................... ............... ..H............text........ ...................... ..`.rsrc...."...@..."..................@..@.reloc...............<..............@..B.................5......H............2......t........`............................................(....&..(........s.........s.........s.........s.........s..........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.................,.........o....+....9....~.........,2~.........(....o......,.r...p......(....s....z..+..s..........~.........(.....o......(...+..tu....%-.&.+.%(........o................&r;..p..

C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1261056
Entropy (8bit):	7.612252755280688
Encrypted:	false
SSDEEP:	24576:J57dzqnUYOCGSfCuuBIRzCa6RMdLAEDv+tgd3gD:hgN97ugl6sUEHd3g
MD5:	E35A0BDB66B37B80C51A1559058E326B
SHA1:	42D31FFA8A8A38D5073220550CAE44D3E91BF9D6
SHA-256:	4D16AC850F443E678E5CDC8C104F9369A97E8347C3A64F3FCE173329072FEE53
SHA-512:	ECF25580F0877CD47826BD23C60C1A871FC8A68C12E300776681B97A55406DD6523981755C477F4E76D09FFC67471E96E784CAE65D1A32F1F023504D26F8E186
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+..`.....................$.......5... ........@.. ....................................@..................................5..W....@..."........................................................................... ............... ..H............text........ ...................... ..`.rsrc...."...@..."..................@..@.reloc...............<..............@..B.................5......H............2......t........`............................................(....&..(........s.........s.........s.........s.........s..........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.................,.........o....+....9....~.........,2~.........(....o......,.r...p......(....s....z..+..s..........~.........(.....o......(...+..tu....%-.&.+.%(........o................&r;..p..

C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\pid.txt Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:V3:V
MD5:	34FFEB359A192EB8174B6854643CC046
SHA1:	B6356EEB8338BF9C15899584BBB23135B40452E9
SHA-256:	AAF68675C4BEA5600C273F6D4371E8D1B9F383A6DD96DB30D628CF77DD91C09C
SHA-512:	7125DC16314E6314E32BE5A58539CA75B0E7B6C93B5F1F443FD79E991EDBDBA5BD11F8333EF60EB6CD193149339D547DEB837284165D0805FA98BDE473DC5323
Malicious:	false
Preview:	3708

C:\Users\user\AppData\Roaming\pidloc.txt Download File
Process:	C:\Users\user\Desktop\5nXX3v5zWn.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.378240189894803
Encrypted:	false
SSDEEP:	3:oNWXp5vQzJan:oNWXpFQzJa
MD5:	9B2E0EF287AECA34C538735F6911FF16
SHA1:	799321AE3A0E0AB5DF00271838F3474413A1E65E
SHA-256:	9624C88E7D3593FBEE0AD1F0260CFA8790B1B9120F0C620965A5C70545B15F48
SHA-512:	4474C7CE433130E3D2936E541F85DEA3656EE2ADCCD26E4267C9BA4C9A0C0A34FCC186F2AFD67D85941C386678271B958636F2A401961F58DF6437746DAA6638
Malicious:	false
Preview:	C:\Users\user\Desktop\5nXX3v5zWn.exe

C:\Users\user\Documents\20210714\PowerShell_transcript.138727.JIVpCcrj.20210714093452.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	830
Entropy (8bit):	5.332111071096532
Encrypted:	false
SSDEEP:	24:BxSAWyxvBnEx2DOXUWeSunWoHjeTKKjX4CIym1ZJX+Quf:BZWuvhEoO+SZoqDYB1ZUQi
MD5:	94588FD4A32EB364C910B1E6AD32D23B
SHA1:	1DA2A4FCC3BC452A1E7398B5CB45A624E942E216
SHA-256:	E1848E3832F83A9069FE97556CE8EDA2218FF98CEC263E9F20E171015E42AB4D
SHA-512:	69007B309A4DFEDB1E4F61969EEE428CCD276C44BC563B3555A9164531FFC6EBAA8DA15254AF0A9D44C27C7FD1594F4F6FED6BD4CB3D05AA97652ED11F027C82
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210714093523..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\5nXX3v5zWn.exe..Process ID: 4116..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210714093523..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\5nXX3v5zWn.exe..

C:\Users\user\Documents\20210714\PowerShell_transcript.138727.fYco6+D0.20210714093453.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	850
Entropy (8bit):	5.377039057069052
Encrypted:	false
SSDEEP:	24:BxSAWIyxvBnEx2DOXUWeSu7+W9HjeTKKjX4CIym1ZJX++u7S:BZWVvhEoO+Sap9qDYB1ZU+aS
MD5:	4EF8EF97D8E4E08A184CD43F7097033C
SHA1:	F92F94AFDF384855D165E1BFED84ED7F600E812B
SHA-256:	E613E0385939AD5341FC47B3263DE8607323989F917C1200B141E8E09746700D
SHA-512:	718FFAA99783B53F1BA0381A270C92BDB2E3E065F583B4A2868E0488B6B7A0DD234CE14694DD07D751708EA85745C0A689F16B1A5CE0E4C348D917F2A5F4C16E
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210714093524..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe..Process ID: 5796..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210714093525..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe..

C:\Users\user\Documents\20210714\PowerShell_transcript.138727.oUfNsHgU.20210714093455.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	850
Entropy (8bit):	5.375135860207132
Encrypted:	false
SSDEEP:	24:BxSAWDyxvBnEx2DOXUWeSu7+W4HjeTKKjX4CIym1ZJX+PFu7S:BZWCvhEoO+Sap4qDYB1ZUNaS
MD5:	2C05EFF153AF7A0EAC8540EA6E272E53
SHA1:	C2B06ADB191827F59E9B52DF54FE22DFA8144469
SHA-256:	FD4FEEAE6F18B3D8F1D1430AE723887D80DC4971E8D2E74BEEEC0D25EC637F35
SHA-512:	900A1FA87F9ED873B99BC9EF95EEECCC4D70EE844467C0E02D145A0CAF4DF77DC1E7B6EC18EFA0C496F1DE6C577F43E7C7B953970E081CF4538C1D76AA3F4144
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210714093534..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe..Process ID: 2396..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210714093535..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.612252755280688
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	5nXX3v5zWn.exe
File size:	1261056
MD5:	e35a0bdb66b37b80c51a1559058e326b
SHA1:	42d31ffa8a8a38d5073220550cae44d3e91bf9d6
SHA256:	4d16ac850f443e678e5cdc8c104f9369a97e8347c3a64f3fce173329072fee53
SHA512:	ecf25580f0877cd47826bd23c60c1a871fc8a68c12e300776681b97a55406dd6523981755c477f4e76d09ffc67471e96e784cae65d1a32f1f023504d26f8e186
SSDEEP:	24576:J57dzqnUYOCGSfCuuBIRzCa6RMdLAEDv+tgd3gD:hgN97ugl6sUEHd3g
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+..`.....................$.......5... ........@.. ....................................@................................

File Icon


Icon Hash:	97194b4a5b6f575b

Static PE Info

General
Entrypoint:	0x5335fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60ECE62B [Tue Jul 13 01:02:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1335a4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x134000	0x2200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x138000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x131604	0x131800	False	0.847971115487	data	7.61581587782	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x134000	0x2200	0x2200	False	0.474954044118	data	5.89003096224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x138000	0xc	0x200	False	0.041015625	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x134130	0x1024	data
RT_GROUP_ICON	0x135154	0x14	data
RT_VERSION	0x135168	0x2fc	data
RT_MANIFEST	0x135464	0xd25	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	1.0.0.0
InternalName	SafeLsaPolicyHand.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion	1.0.0.0
FileDescription
OriginalFilename	SafeLsaPolicyHand.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 14, 2021 09:35:52.628036022 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:52.655786991 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:52.657706976 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:52.686177015 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:52.693514109 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:52.721534014 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:52.788518906 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:52.825865984 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:52.825978994 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:52.826230049 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:52.853890896 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:52.853914022 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:52.952632904 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:53.060065031 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:53.089978933 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:53.090007067 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:53.090989113 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:53.122945070 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:53.151575089 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:53.209902048 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.205885887 CEST	49737	80	192.168.2.3	91.199.212.52
Jul 14, 2021 09:35:54.251441956 CEST	80	49737	91.199.212.52	192.168.2.3
Jul 14, 2021 09:35:54.251749992 CEST	49737	80	192.168.2.3	91.199.212.52
Jul 14, 2021 09:35:54.279583931 CEST	49737	80	192.168.2.3	91.199.212.52
Jul 14, 2021 09:35:54.325375080 CEST	80	49737	91.199.212.52	192.168.2.3
Jul 14, 2021 09:35:54.325414896 CEST	80	49737	91.199.212.52	192.168.2.3
Jul 14, 2021 09:35:54.325436115 CEST	80	49737	91.199.212.52	192.168.2.3
Jul 14, 2021 09:35:54.325598001 CEST	49737	80	192.168.2.3	91.199.212.52
Jul 14, 2021 09:35:54.454888105 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.484308958 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:54.486139059 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.514178991 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:54.529757977 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.563894987 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:54.564508915 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.594780922 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:54.595267057 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.628005028 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:54.628619909 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.657972097 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:54.660993099 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.661223888 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.661422968 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.661521912 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.673924923 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:35:54.690023899 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:54.690052986 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:54.706425905 CEST	587	49736	185.26.106.194	192.168.2.3
Jul 14, 2021 09:35:54.761907101 CEST	49736	587	192.168.2.3	185.26.106.194
Jul 14, 2021 09:36:54.392821074 CEST	49737	80	192.168.2.3	91.199.212.52
Jul 14, 2021 09:36:54.438581944 CEST	80	49737	91.199.212.52	192.168.2.3
Jul 14, 2021 09:36:54.439341068 CEST	49737	80	192.168.2.3	91.199.212.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 14, 2021 09:34:14.153791904 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:14.167798996 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:15.143529892 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:15.156552076 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:16.109354019 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:16.122440100 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:17.168165922 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:17.180888891 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:17.212044001 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:17.235883951 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:17.878555059 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:17.895771980 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:18.798983097 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:18.813405991 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:19.885710001 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:19.910291910 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:21.299381971 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:21.312798977 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:23.515237093 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:23.537030935 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:24.619398117 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:24.634793997 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:26.219448090 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:26.232230902 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:27.254019022 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:27.268445015 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:28.226284027 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:28.238859892 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:30.274197102 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:30.287271023 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:31.288048029 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:31.302531004 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:43.895723104 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:43.910121918 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:44.745511055 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:44.757719994 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:45.756835938 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:45.771595001 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:50.885093927 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:50.906476974 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 14, 2021 09:34:51.007097960 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:34:51.020021915 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 14, 2021 09:35:21.432971001 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:35:21.463717937 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 14, 2021 09:35:22.495374918 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:35:22.508961916 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 14, 2021 09:35:27.864989996 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:35:27.892158985 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 14, 2021 09:35:38.012465954 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:35:38.031193018 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 14, 2021 09:35:52.507955074 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:35:52.521961927 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 14, 2021 09:35:54.149662018 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:35:54.163563967 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 14, 2021 09:36:11.957442045 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:36:11.991754055 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 14, 2021 09:36:16.340375900 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 14, 2021 09:36:16.370692968 CEST	53	61292	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 14, 2021 09:35:22.495374918 CEST	192.168.2.3	8.8.8.8	0x1959	Standard query (0)	231.29.2.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jul 14, 2021 09:35:52.507955074 CEST	192.168.2.3	8.8.8.8	0xca54	Standard query (0)	mail.spamora.net	A (IP address)	IN (0x0001)
Jul 14, 2021 09:35:54.149662018 CEST	192.168.2.3	8.8.8.8	0x4c29	Standard query (0)	crt.sectigo.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 14, 2021 09:35:22.508961916 CEST	8.8.8.8	192.168.2.3	0x1959	Name error (3)	231.29.2.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Jul 14, 2021 09:35:52.521961927 CEST	8.8.8.8	192.168.2.3	0xca54	No error (0)	mail.spamora.net		185.26.106.194	A (IP address)	IN (0x0001)
Jul 14, 2021 09:35:54.163563967 CEST	8.8.8.8	192.168.2.3	0x4c29	No error (0)	crt.sectigo.com		91.199.212.52	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

crt.sectigo.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49737	91.199.212.52	80	C:\Users\user\Desktop\5nXX3v5zWn.exe

Timestamp	kBytes transferred	Direction	Data
Jul 14, 2021 09:35:54.279583931 CEST	5271	OUT	GET /SectigoRSADomainValidationSecureServerCA.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/10.0 Host: crt.sectigo.com
Jul 14, 2021 09:35:54.325414896 CEST	5273	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 14 Jul 2021 07:35:54 GMT Content-Type: application/pkix-cert Content-Length: 1559 Connection: keep-alive Last-Modified: Fri, 02 Nov 2018 00:00:00 GMT ETag: "5bdb9380-617" X-CCACDN-Mirror-ID: mscrl2 Cache-Control: max-age=14400, s-maxage=3600 X-CCACDN-Proxy-ID: mcdpinlb6 X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes Data Raw: 30 82 06 13 30 82 03 fb a0 03 02 01 02 02 10 7d 5b 51 26 b4 76 ba 11 db 74 16 0b bc 53 0d a7 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 30 81 88 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 4e 65 77 20 4a 65 72 73 65 79 31 14 30 12 06 03 55 04 07 13 0b 4a 65 72 73 65 79 20 43 69 74 79 31 1e 30 1c 06 03 55 04 0a 13 15 54 68 65 20 55 53 45 52 54 52 55 53 54 20 4e 65 74 77 6f 72 6b 31 2e 30 2c 06 03 55 04 03 13 25 55 53 45 52 54 72 75 73 74 20 52 53 41 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 31 38 31 31 30 32 30 30 30 30 30 30 5a 17 0d 33 30 31 32 33 31 32 33 35 39 35 39 5a 30 81 8f 31 0b 30 09 06 03 55 04 06 13 02 47 42 31 1b 30 19 06 03 55 04 08 13 12 47 72 65 61 74 65 72 20 4d 61 6e 63 68 65 73 74 65 72 31 10 30 0e 06 03 55 04 07 13 07 53 61 6c 66 6f 72 64 31 18 30 16 06 03 55 04 0a 13 0f 53 65 63 74 69 67 6f 20 4c 69 6d 69 74 65 64 31 37 30 35 06 03 55 04 03 13 2e 53 65 63 74 69 67 6f 20 52 53 41 20 44 6f 6d 61 69 6e 20 56 61 6c 69 64 61 74 69 6f 6e 20 53 65 63 75 72 65 20 53 65 72 76 65 72 20 43 41 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 d6 73 33 d6 d7 3c 20 d0 00 d2 17 45 b8 d6 3e 07 a2 3f c7 41 ee 32 30 c9 b0 6c fd f4 9f cb 12 98 0f 2d 3f 8d 4d 01 0c 82 0f 17 7f 62 2e e9 b8 48 79 fb 16 83 4e ad d7 32 25 93 b7 07 bf b9 50 3f a9 4c c3 40 2a e9 39 ff d9 81 ca 1f 16 32 41 da 80 26 b9 23 7a 87 20 1e e3 ff 20 9a 3c 95 44 6f 87 75 06 90 40 b4 32 93 16 09 10 08 23 3e d2 dd 87 0f 6f 5d 51 14 6a 0a 69 c5 4f 01 72 69 cf d3 93 4c 6d 04 a0 a3 1b 82 7e b1 9a b9 ed c5 9e c5 37 78 9f 9a 08 34 fb 56 2e 58 c4 09 0e 06 64 5b bc 37 dc f1 9f 28 68 a8 56 b0 92 a3 5c 9f bb 88 98 08 1b 24 1d ab 30 85 ae af b0 2e 9e 7a 9d c1 c0 42 1c e2 02 f0 ea e0 4a d2 ef 90 0e b4 c1 40 16 f0 6f 85 42 4a 64 f7 a4 30 a0 fe bf 2e a3 27 5a 8e 8b 58 b8 ad c3 19 17 84 63 ed 6f 56 fd 83 cb 60 34 c4 74 be e6 9d db e1 e4 e5 ca 0c 5f 15 02 03 01 00 01 a3 82 01 6e 30 82 01 6a 30 1f 06 03 55 1d 23 04 18 30 16 80 14 53 79 bf 5a aa 2b 4a cf 54 80 e1 d8 9b c0 9d f2 b2 03 66 cb 30 1d 06 03 55 1d 0e 04 16 04 14 8d 8c 5e c4 54 ad 8a e1 77 e9 9b f9 9b 05 e1 b8 01 8d 61 e1 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 86 30 12 06 03 55 1d 13 01 01 ff 04 08 30 06 01 01 ff 02 01 00 30 1d 06 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 05 07 03 02 30 1b 06 03 55 1d 20 04 14 30 12 30 06 06 04 55 1d 20 00 30 08 06 06 67 81 0c 01 02 01 30 50 06 03 55 1d 1f 04 49 30 47 30 45 a0 43 a0 41 86 3f 68 74 74 70 3a 2f 2f 63 72 6c 2e 75 73 65 72 74 72 75 73 74 2e 63 6f 6d 2f 55 53 45 52 54 72 75 73 74 52 53 41 43 65 72 74 69 66 69 63 61 74 69 6f 6e 41 75 74 68 6f 72 69 74 79 2e 63 72 6c 30 76 06 08 2b 06 01 05 05 07 01 01 04 6a 30 68 30 3f 06 08 2b 06 01 05 05 07 30 02 86 33 68 74 74 70 3a 2f 2f 63 72 74 2e 75 73 65 72 74 72 75 73 74 2e 63 6f 6d 2f Data Ascii: 00}[Q&vtS0H010UUS10UNew Jersey10UJersey City10UThe USERTRUST Network1.0,U%USERTrust RSA Certification Authority0181102000000Z301231235959Z010UGB10UGreater Manchester10USalford10USectigo Limited1705U.Sectigo RSA Domain Validation Secure Server CA0"0H0s3< E>?A20l-?Mb.HyN2%P?L@*92A&#z <Dou@2#>o]QjiOriLm~7x4V.Xd[7(hV\$0.zBJ@oBJd0.'ZXcoV`4t_n0j0U#0SyZ+JTf0U^Twa0U0U00U%0++0U 00U 0g0PUI0G0ECA?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v+j0h0?+03http://crt.usertrust.com/
Jul 14, 2021 09:35:54.325436115 CEST	5273	IN	Data Raw: 55 53 45 52 54 72 75 73 74 52 53 41 41 64 64 54 72 75 73 74 43 41 2e 63 72 74 30 25 06 08 2b 06 01 05 05 07 30 01 86 19 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 75 73 65 72 74 72 75 73 74 2e 63 6f 6d 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 03 82 Data Ascii: USERTrustRSAAddTrustCA.crt0%+0http://ocsp.usertrust.com0H2aHOGMxopR13WR1kT@h\|U69QF~I6h9zNVo{;w8_~FHh4g8f^(:@'rN)!<\|,1D

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 14, 2021 09:35:52.686177015 CEST	587	49736	185.26.106.194	192.168.2.3	220-mail.spamora.net ESMTP Postfix (Debian/GNU)
Jul 14, 2021 09:35:52.693514109 CEST	49736	587	192.168.2.3	185.26.106.194	EHLO 138727
Jul 14, 2021 09:35:52.788518906 CEST	587	49736	185.26.106.194	192.168.2.3	220 mail.spamora.net ESMTP Postfix (Debian/GNU)
Jul 14, 2021 09:35:52.825865984 CEST	587	49736	185.26.106.194	192.168.2.3	250-mail.spamora.net 250-PIPELINING 250-SIZE 80000000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Jul 14, 2021 09:35:52.826230049 CEST	49736	587	192.168.2.3	185.26.106.194	STARTTLS
Jul 14, 2021 09:35:52.853914022 CEST	587	49736	185.26.106.194	192.168.2.3	220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 5nXX3v5zWn.exe PID: 3440 Parent PID: 5584

General

Start time:	09:34:24
Start date:	14/07/2021
Path:	C:\Users\user\Desktop\5nXX3v5zWn.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\5nXX3v5zWn.exe'
Imagebase:	0xe60000
File size:	1261056 bytes
MD5 hash:	E35A0BDB66B37B80C51A1559058E326B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 4116 Parent PID: 3440

General

Start time:	09:34:49
Start date:	14/07/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5nXX3v5zWn.exe'
Imagebase:	0x11b0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3876 Parent PID: 4116

General

Start time:	09:34:49
Start date:	14/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5796 Parent PID: 3440

General

Start time:	09:34:49
Start date:	14/07/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Imagebase:	0x11b0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 592 Parent PID: 5796

General

Start time:	09:34:50
Start date:	14/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 4420 Parent PID: 3440

General

Start time:	09:34:50
Start date:	14/07/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\egGZqtIOrEmq' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9C5.tmp'
Imagebase:	0x1160000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5620 Parent PID: 4420

General

Start time:	09:34:51
Start date:	14/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 2396 Parent PID: 3440

General

Start time:	09:34:52
Start date:	14/07/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\egGZqtIOrEmq.exe'
Imagebase:	0x11b0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: 5nXX3v5zWn.exe PID: 5712 Parent PID: 3440

General

Start time:	09:34:53
Start date:	14/07/2021
Path:	C:\Users\user\Desktop\5nXX3v5zWn.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\5nXX3v5zWn.exe
Imagebase:	0x330000
File size:	1261056 bytes
MD5 hash:	E35A0BDB66B37B80C51A1559058E326B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 2428 Parent PID: 2396

General

Start time:	09:34:53
Start date:	14/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: 5nXX3v5zWn.exe PID: 3708 Parent PID: 3440

General

Start time:	09:34:54
Start date:	14/07/2021
Path:	C:\Users\user\Desktop\5nXX3v5zWn.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\5nXX3v5zWn.exe
Imagebase:	0xb50000
File size:	1261056 bytes
MD5 hash:	E35A0BDB66B37B80C51A1559058E326B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: vbc.exe PID: 2440 Parent PID: 3708

General

Start time:	09:35:35
Start date:	14/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: vbc.exe PID: 5356 Parent PID: 3708

General

Start time:	09:35:35
Start date:	14/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WindowsUpdate.exe PID: 5096 Parent PID: 3388

General

Start time:	09:35:41
Start date:	14/07/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Imagebase:	0xf90000
File size:	1261056 bytes
MD5 hash:	E35A0BDB66B37B80C51A1559058E326B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 43%, ReversingLabs

Chronological Activities

Analysis Process: WindowsUpdate.exe PID: 3412 Parent PID: 3388

General

Start time:	09:35:50
Start date:	14/07/2021
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Imagebase:	0x260000
File size:	1261056 bytes
MD5 hash:	E35A0BDB66B37B80C51A1559058E326B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 4116 Parent PID: 3440 powershell.exeCOMMON

Executed Functions

Function 00E4D005, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.487641713.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d85b1168bc3586d6ac44931450a1929c63c715a177298a1923fbccaac8addc
Instruction ID: 8cb1dc7d90b2aeab4dbc32f786edd25b4318200c7fa6c845cfbd03093abf6729
Opcode Fuzzy Hash: f5d85b1168bc3586d6ac44931450a1929c63c715a177298a1923fbccaac8addc
Instruction Fuzzy Hash: 2F014C6140E3C05FE7128B259C94B62BFB4EF43228F0981DBE9849F2A3C2695849C772

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.487641713.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56d9aed9c944d58cdd66cbc3101061cee579cfec179c0e47f38d31ac33a0d8f
Instruction ID: df98a7bd5bc2e08666cdc60dc02fdbdf432d9692ddad2f789c3a53e0833997ab
Opcode Fuzzy Hash: d56d9aed9c944d58cdd66cbc3101061cee579cfec179c0e47f38d31ac33a0d8f
Instruction Fuzzy Hash: 6B012B7080C344AAEB204A15EC84BA3BFD9EF81378F18D51AED056B242C3799C05C6F1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 5796 Parent PID: 3440 powershell.exeCOMMON

Executed Functions

Function 0038BC08, Relevance: 8.0, Strings: 6, Instructions: 543COMMON

Download Yara Rule

Strings

HJx, xrefs: 0038C218
HJx, xrefs: 0038C2DD
HJx, xrefs: 0038C201
HJx, xrefs: 0038C1EA
HJx, xrefs: 0038C2C6
HJx, xrefs: 0038C2F4

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx$HJx$HJx$HJx$HJx
API String ID: 0-1977039991
Opcode ID: 08719f50dcd353521bf9c19e8b5aa62c6feae3e6a45d42cdf1313c8ea7afd5d1
Instruction ID: 8569cda70b2fd801e8dca319b477130c658855772af116f8cba424269336e439
Opcode Fuzzy Hash: 08719f50dcd353521bf9c19e8b5aa62c6feae3e6a45d42cdf1313c8ea7afd5d1
Instruction Fuzzy Hash: DE227C307106058FCB15EF68D884AAEB7F6EF84704F168968E506DB761DB74ED06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00399BA0, Relevance: 6.7, Strings: 5, Instructions: 489COMMON

Download Yara Rule

Strings

HJx, xrefs: 0039A023
HJx, xrefs: 0039A005
HJx, xrefs: 00399BFD
HJx, xrefs: 00399C1B
HJx, xrefs: 00399FE7

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx$HJx$HJx$HJx
API String ID: 0-3699347436
Opcode ID: 98218bb986fcc7c1cc12f27b19ffc9558ef29701244e45e5856a00e68841fec1
Instruction ID: ca197cca82faa29defb1bf440b74d814cab6f47a774d51a476e8931e41b21722
Opcode Fuzzy Hash: 98218bb986fcc7c1cc12f27b19ffc9558ef29701244e45e5856a00e68841fec1
Instruction Fuzzy Hash: CD029D34B002149FCF19EBA8D854AAEB7F7AF84304F16C569E90A9B391DF34DC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 0039EC28, Relevance: 4.4, Strings: 3, Instructions: 649COMMON

Download Yara Rule

Strings

HJx, xrefs: 0039F4BF
HJx, xrefs: 0039F3FA
HJx, xrefs: 0039F440

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx$HJx
API String ID: 0-2915553476
Opcode ID: 50765692ca4a931471a6d9c5e021666bead422da0523c069ae8bf15058f7cfe1
Instruction ID: dca44220a2d3e6ed49016be3333400018a815c80cd03279e1b6fa5f09a824adb
Opcode Fuzzy Hash: 50765692ca4a931471a6d9c5e021666bead422da0523c069ae8bf15058f7cfe1
Instruction Fuzzy Hash: 5D527A34A002199FCF25CF64C944BEEBBB6AF88304F1585A9E949AB351DB70ED85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0038D4B0, Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

HJx, xrefs: 0038D523

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: HJx
API String ID: 0-3581959147
Opcode ID: 42a5c206c0f32e2d9f6fcfd1168f176907819d0c134d1be9f337275e00199ce1
Instruction ID: c92025e11f79718ba404c1f768b74409f2f6211ec641269b1daa31a506504a2a
Opcode Fuzzy Hash: 42a5c206c0f32e2d9f6fcfd1168f176907819d0c134d1be9f337275e00199ce1
Instruction Fuzzy Hash: F1A12134B003049FDB29AB748815B7B3BA79FC1704F2688A8D5068F782DF39DD4687A1

Uniqueness

Uniqueness Score: -1.00%

Function 0038F6A9, Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f18b1a7ec266c20e631f993e21182884eed01d27defb6ba781883ac39116de
Instruction ID: 8cc7fe304f6923c984228c0e125bf53658cbddcb74706eab90148ee5009846b2
Opcode Fuzzy Hash: 81f18b1a7ec266c20e631f993e21182884eed01d27defb6ba781883ac39116de
Instruction Fuzzy Hash: DA225C34B002089FDB15EBB5C594BAD77F6AF88344F218068E902DB395DB79ED49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00388280, Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebc41f95a2f4f28addb55be68fc99c6612702c2eeb37d639a9708f9e09a6459
Instruction ID: 0e221e0c75bd02b721ffc147f650143bc3e6782f691765dbab2f46db0a47fa69
Opcode Fuzzy Hash: eebc41f95a2f4f28addb55be68fc99c6612702c2eeb37d639a9708f9e09a6459
Instruction Fuzzy Hash: BA028B35A00309CBDB1AEF75C8906AE77B2EF85304F6185A9E8019B395EF75EC45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00398EB0, Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270660335dfb8cfa768ee70f344af6b9822f5aa8c28f425c93b9636e47e6e888
Instruction ID: 6db24595989cbca1a5b143f181f49959dfa447f70036ae9c4b5c87def8af6a82
Opcode Fuzzy Hash: 270660335dfb8cfa768ee70f344af6b9822f5aa8c28f425c93b9636e47e6e888
Instruction Fuzzy Hash: C4D1CF30F002099FCB15EBB8D8556AEB7B3AFC8700F15846AD506AB391DF349D01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00399678, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5f926200274577cbaca99ec7b27e7c3d43d653314dc45525d53f46f9085932
Instruction ID: ddf96ab8a938ad4e40bf3751cdbebcac0153345f1f8c9346ffea47980552408e
Opcode Fuzzy Hash: ee5f926200274577cbaca99ec7b27e7c3d43d653314dc45525d53f46f9085932
Instruction Fuzzy Hash: C6B1BD74B002059FDB29EBB9885577AB6E7AF85300F22882ED11ACB791DF35EC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 0038B688, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cc2126faf45de2589693af1b34889f03c14e03c5ed09e762544d53b05e1d24
Instruction ID: 87bd561fc44ab868324c6058dc7bd4e03eccf5392d1476d77a7a2d53c03ea321
Opcode Fuzzy Hash: a6cc2126faf45de2589693af1b34889f03c14e03c5ed09e762544d53b05e1d24
Instruction Fuzzy Hash: 68C17E34A0071ACFCB15DF65C8407AEBBF6AF89304F2585A9D409AB751EB30AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00399C88, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2cfa741d50da9708e96148ad0acfbc9c6367cf1ef6d46b6b81eac41b2a6dcb5
Instruction ID: a4d1844639a418d5402e5bf072b34f6bcb7b84feda64609250ff9a67219509d2
Opcode Fuzzy Hash: f2cfa741d50da9708e96148ad0acfbc9c6367cf1ef6d46b6b81eac41b2a6dcb5
Instruction Fuzzy Hash: 1AA17D34A10219DFDF15DBA8D884AAEB7F6AF88300F16C569E8099B351DB30EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00399C98, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6d75a47e92dcdb84427ccbd496f69d216b62cbc14c97463a7a479e05e2835b
Instruction ID: 048ac5a2d4eb3fe7a0e6a53593191b12b1f8b03afb2e9d41fbde051faf5290ee
Opcode Fuzzy Hash: cd6d75a47e92dcdb84427ccbd496f69d216b62cbc14c97463a7a479e05e2835b
Instruction Fuzzy Hash: 5F917C34B10218DFDF15DBA8D894A6EB7F6BF88300F168569E809AB351DB30EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003AD1D0, Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

t;, xrefs: 003AD60C
tu;, xrefs: 003AD59A
t;, xrefs: 003AD6A1

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: tu;$t;$t;
API String ID: 0-2058054817
Opcode ID: 139206a72d134c2d28214635b5cda01f78f6f8aa13f55fce44e8c58c74e55953
Instruction ID: 7ced59133b36646818c04e43c558d42eb2ce8a7635f292888664c18bf4b2ed13
Opcode Fuzzy Hash: 139206a72d134c2d28214635b5cda01f78f6f8aa13f55fce44e8c58c74e55953
Instruction Fuzzy Hash: ABB16974A00219CFDB14DF65C844B9EBBB2FF89304F1181A9E909AB751DB70AE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003A64E2, Relevance: 3.1, Strings: 2, Instructions: 564COMMON

Download Yara Rule

Strings

HJx, xrefs: 003A6CF5
HJx, xrefs: 003A6D82

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx
API String ID: 0-2289622260
Opcode ID: c770a4aa0fe0b71ecfc630971cffc312b2de7939d5357a6f48c72a1f0d20a668
Instruction ID: ac1cea1a654e4605a157cc97f0cce6ce73d690648e10874a91451e47e1146dde
Opcode Fuzzy Hash: c770a4aa0fe0b71ecfc630971cffc312b2de7939d5357a6f48c72a1f0d20a668
Instruction Fuzzy Hash: 5A724EB4A016298FCB64DF28CD84B9ABBB1BB49305F1041EAD90DA7350EB356EC5CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003A597F, Relevance: 2.8, Strings: 2, Instructions: 336COMMON

Download Yara Rule

Strings

HJx, xrefs: 003A5FA8
HJx, xrefs: 003A6035

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx
API String ID: 0-2289622260
Opcode ID: 363830b632cc8693ee8776a32e2b307372b074bef760e3fc1d8a39aae1a46820
Instruction ID: ea06d5d399d6a6c0898042e679771cb07b612dcdbf79f0eeb369f8a703c8045c
Opcode Fuzzy Hash: 363830b632cc8693ee8776a32e2b307372b074bef760e3fc1d8a39aae1a46820
Instruction Fuzzy Hash: 9602BEB4A012298FDB65DF24C884B9DBBB5FB49304F5081EAE909A7251DB30AEC1CF44

Uniqueness

Uniqueness Score: -1.00%

Function 003A0D40, Relevance: 2.7, Strings: 2, Instructions: 240COMMON

Download Yara Rule

Strings

HJx, xrefs: 003A0F1B
HJx, xrefs: 003A0ED0

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx
API String ID: 0-2289622260
Opcode ID: f35141818b41ec39f54c4ea04de6722a0dcc2c359d1b523f843717dbf7f28867
Instruction ID: 18a291526da51503cb16f78486c65a496914dd4707f18c2b6f277af4d6d15389
Opcode Fuzzy Hash: f35141818b41ec39f54c4ea04de6722a0dcc2c359d1b523f843717dbf7f28867
Instruction Fuzzy Hash: F671F0717002149FDB19EB74D950BAEB7AAEF89704F108439EA06EB381EF75DC068791

Uniqueness

Uniqueness Score: -1.00%

Function 0038E168, Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

HJx, xrefs: 0038E1E6
<, xrefs: 0038E1BE

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: <$HJx
API String ID: 0-790720821
Opcode ID: 50d8596b1c0579925cdbcac74eac405e3e273d04123fdac3a6ab1de17d6b6a81
Instruction ID: 76984d8f1b113dc8733ac23074efc8b07cc7b1670d70bf9214d233185764d4a1
Opcode Fuzzy Hash: 50d8596b1c0579925cdbcac74eac405e3e273d04123fdac3a6ab1de17d6b6a81
Instruction Fuzzy Hash: F13100303042118FCB14EF68D854B9ABBE6EF81314F128D69E419CB3A0DB74AD058BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00389128, Relevance: 1.7, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

HJx, xrefs: 0038A128

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: HJx
API String ID: 0-3581959147
Opcode ID: a28bfb4ed674109378299c27b7d956b0aea5ae214c259ce0653d0dac7ca7e6f7
Instruction ID: 2d0eab66b277cb76f1e3a903983c44e7e27525ce4a81256e5caa9878ae38dc93
Opcode Fuzzy Hash: a28bfb4ed674109378299c27b7d956b0aea5ae214c259ce0653d0dac7ca7e6f7
Instruction Fuzzy Hash: 53123934A01219DFDB65DF65C894BADBBB1BF48304F5581EAE80AA73A0DB309D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003AFBA8, Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

HJx, xrefs: 003AFF6F

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: HJx
API String ID: 0-3581959147
Opcode ID: 79894d7bb96ba5b447418bd0007677d5e15f0cb4ffd9bdf07b98bbf9855aaa0c
Instruction ID: 7e53be1f2bfba9ee7a6893a13683e5ffb37a277b5a2b0163718ed828a79a1bad
Opcode Fuzzy Hash: 79894d7bb96ba5b447418bd0007677d5e15f0cb4ffd9bdf07b98bbf9855aaa0c
Instruction Fuzzy Hash: 6DA1DE30A006048FCB25DBA9D484A9EFBF2FF85314F15C56ED40A9B651DB74AC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0039723D, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,00397BA2), ref: 003993A7

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: fcdb08646fb6aaa3833e8e92cabe435c3d5493aca102f5cd8d6bac482ff1cf3a
Instruction ID: 3ba7255a8734d73ac5f51c99f9baa8b7bbbc0242c12c57c18a27c9f097d93522
Opcode Fuzzy Hash: fcdb08646fb6aaa3833e8e92cabe435c3d5493aca102f5cd8d6bac482ff1cf3a
Instruction Fuzzy Hash: 021155B58042488FCB10DF9AD488BDEBBF4EF88314F21801AE558A7650C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00399340, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,00397BA2), ref: 003993A7

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 4637172343c220e72e36016471f97e005ad5da0bc987f91cbaa251492ed2959e
Instruction ID: fc7c769bddad294ecb11fc9949d913cff77ca5a06ff1073728a2ea29b3e82603
Opcode Fuzzy Hash: 4637172343c220e72e36016471f97e005ad5da0bc987f91cbaa251492ed2959e
Instruction Fuzzy Hash: 5E1100B5C002498FCF50CF9AD484BEEBBF4EF88324F21851AD559A7650C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00397244, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,00397BA2), ref: 003993A7

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 835ce5c709b322108c3dbf77318f0c3b21874482b9702da3602eef5f39f635f9
Instruction ID: 9d61be14980f1993140f36eb5b22630f7ebe2a36e4e10c4c9690e0762db1cb49
Opcode Fuzzy Hash: 835ce5c709b322108c3dbf77318f0c3b21874482b9702da3602eef5f39f635f9
Instruction Fuzzy Hash: AB1100B4904649CFDB10CF9AD488BEEBBF4EB88324F21841AE519A7650C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 003A8FE8, Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

HJx, xrefs: 003A90DF

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: HJx
API String ID: 0-3581959147
Opcode ID: efa4e914c9b8e4f8da7534b719e249c67b35b49976d91f9acb6796f1f24e5ba1
Instruction ID: a7b6faed68779a791f91def6640e18ca32764deca1ed4a277a89c8efe2f22bac
Opcode Fuzzy Hash: efa4e914c9b8e4f8da7534b719e249c67b35b49976d91f9acb6796f1f24e5ba1
Instruction Fuzzy Hash: E5711131B002049FDB159BA4D8587AE7BA6EF86314F16847AE40AEB792DF34DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003A0006, Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

:, xrefs: 003A0014

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: 2fe0eb735e0a662ed39bcff1e881a9b71abca2b0379c7b280ff7864bdb2fd159
Instruction ID: 044b02bcef1371e172f58387e487354ab20ebe166c90e0f3834c924d8c40cbd6
Opcode Fuzzy Hash: 2fe0eb735e0a662ed39bcff1e881a9b71abca2b0379c7b280ff7864bdb2fd159
Instruction Fuzzy Hash: B141E470A053448FC71ADB78C8506DE7BF2EF8A320F1585B9C455EB292DB35AC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003869D8, Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b52b6ee4267f2de8490d92141d7f90ed91af7c5b2b4165a5ecf17238b20bbca
Instruction ID: f9c316e9cdd280c34fc7290780232c2a98d2b9184ac9b29b2f61973f4b3ce227
Opcode Fuzzy Hash: 2b52b6ee4267f2de8490d92141d7f90ed91af7c5b2b4165a5ecf17238b20bbca
Instruction Fuzzy Hash: BCD1C170B00309DFCB15EFA8C855BAEB7F6EF88300F118569E516AB290DB34AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00388250, Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fff1d2a94173d656308af24fb037b803a8059c965e7b52fd5d3b1589bf994e5
Instruction ID: 2a07d90a85028129ab6c17f190075f1f481f18975ca8d3bd15935ab937380f8a
Opcode Fuzzy Hash: 8fff1d2a94173d656308af24fb037b803a8059c965e7b52fd5d3b1589bf994e5
Instruction Fuzzy Hash: 19C16B35A04306CBDF1AEF65C4906AE77B6AF45304F6185A9E8029B396EF35EC45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0038A560, Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c0773e59665352d479700131537abd3de715fc0b0ee93cef2e7a756a0e001a
Instruction ID: 4f24258086efab2d913522c8dfcd6be26ca4f940a60293a8d8a847cc4a27f1ac
Opcode Fuzzy Hash: 35c0773e59665352d479700131537abd3de715fc0b0ee93cef2e7a756a0e001a
Instruction Fuzzy Hash: 28D14934A00618CFDB25DF64C984BA9BBB2BF89314F2581EAD4099B395DB30DD86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003A01F8, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7dea2287875f21983d87305904197eb90e1bfa086aea63da8e469b59e06f0b
Instruction ID: 25dd90db9cc3a6b776de3c03c969dbb2b33982a85c1e4cd7887960fa7dc8067c
Opcode Fuzzy Hash: ac7dea2287875f21983d87305904197eb90e1bfa086aea63da8e469b59e06f0b
Instruction Fuzzy Hash: 36A16130214616CBC744EF6CD491A9EB7A3EF81208B13CE28D2199F265DB75FD1A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 003A01F0, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a3d8323b19de1006994f4ae5b5afdc16b0efd33461c00932505c13b7f5c089
Instruction ID: 4c8ad501a61c39044e7481970cb239485fdb78577dc0620f1298ad164ecb91d8
Opcode Fuzzy Hash: f1a3d8323b19de1006994f4ae5b5afdc16b0efd33461c00932505c13b7f5c089
Instruction Fuzzy Hash: 95A161302146158BC744EF6CD491A9EB7A3AF81208B138E28D2199F265DF75FE1A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 003829E8, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf29f741fea937f7efe11b1f48eb19df80875120945a1c3f7d8c58475692f33a
Instruction ID: a3db93121492e53f7c4984f48ab6eb56902571890fd3dde37f1317a04aff1407
Opcode Fuzzy Hash: cf29f741fea937f7efe11b1f48eb19df80875120945a1c3f7d8c58475692f33a
Instruction Fuzzy Hash: EA81AD35B002188FCB15EF68C8446AE77F7EF88310B6685A8D40AEB355DB35ED428B91

Uniqueness

Uniqueness Score: -1.00%

Function 003A9263, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700f61fd21168d8d489449cf024149051064562c5451a8051b49c2f15352b926
Instruction ID: ff711975b6dd8ee311662723a4bc2d684776518deec17d33e357ddee5fb95154
Opcode Fuzzy Hash: 700f61fd21168d8d489449cf024149051064562c5451a8051b49c2f15352b926
Instruction Fuzzy Hash: 9581DD307002189FCB15AB78C8146AEBBB7EF89714F25842EE9069B391DF35ED06C791

Uniqueness

Uniqueness Score: -1.00%

Function 0038BBF9, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035eb2a8d0a0655dd4eb56f9adc55d093c083676cc905d31e05f892ebe18444f
Instruction ID: d1dbeb23e8c58533cfd695d2983c4873ec1ef55a4bfc9c8fd0f9bc9c87097229
Opcode Fuzzy Hash: 035eb2a8d0a0655dd4eb56f9adc55d093c083676cc905d31e05f892ebe18444f
Instruction Fuzzy Hash: 89916E30600605CFCB15EF28D894AAEBBF6FF85304F168969E506DB661DB74EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00389CBF, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1a77bd7e00b1fdc4de457261d5088403314040b249007c73391abf9f3f8e6a
Instruction ID: 9069f1b04d644a9d8c9b0bd85439fa784d3a787ed3ec72ba09187d0489b821f3
Opcode Fuzzy Hash: 0c1a77bd7e00b1fdc4de457261d5088403314040b249007c73391abf9f3f8e6a
Instruction Fuzzy Hash: 76B12A74A00258CFDB65DF24C858BAD7BB6AF48301F1585EAE50AAB3A1DB359D85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00383010, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d797f81089c8b9a8f670ca71f6a4b7127ab44fe332903ba2226b3030ccec4b4e
Instruction ID: 501da9490f42f9e331c2ae1c599eefa908f803e600a144358d2d78a107781143
Opcode Fuzzy Hash: d797f81089c8b9a8f670ca71f6a4b7127ab44fe332903ba2226b3030ccec4b4e
Instruction Fuzzy Hash: 8971AC347002058FCB15FB68C890A7EB7A7AFC9754B158478D51ADB382DF38AD028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0038AB93, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ab0001ee8578c745b5670d876c4f7db201fd7f409200d7bbe0c492abd9574e
Instruction ID: bc4b0771683653e8fe593d4a4b0a30cfffddfe916f64a45cb9affbc8575b9a44
Opcode Fuzzy Hash: f4ab0001ee8578c745b5670d876c4f7db201fd7f409200d7bbe0c492abd9574e
Instruction Fuzzy Hash: F3817634B006049FDB04EF68C495AADBBB2BF88314F1685A9E905DB361DB71ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003A0628, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08f3ce13ba248e591280d081a8d2b6ec6b74301cdcd67c6aeaba4bdde5e1280
Instruction ID: b94a6c3732170073d4573a13609bf3dbefe8f555aed450e17dc800cf71831cc2
Opcode Fuzzy Hash: d08f3ce13ba248e591280d081a8d2b6ec6b74301cdcd67c6aeaba4bdde5e1280
Instruction Fuzzy Hash: BE819070A00209DFDB19DFA4D854AEE7BB6FF89304F118529E806AB354DB75ED46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0038B678, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abedf6cf7d8a4ad99475a550190cefaa893ad9f4c0d5d054e8f7d24404b35d6
Instruction ID: 2c26dc1d2a8b672a7fac7cc61edebb774cebe8427625dbea068a4371f5456632
Opcode Fuzzy Hash: 5abedf6cf7d8a4ad99475a550190cefaa893ad9f4c0d5d054e8f7d24404b35d6
Instruction Fuzzy Hash: 0561B134A00719CFDB15EF65C8407AEBBF6AF89304F1585A9D409AB351EB30AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00388800, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6679a57fa1f3397af7807f79e3ae6956d6550f8b743d74ed154d9c0ae52d1285
Instruction ID: 05a5a2c4fcef997a7da874a58b867bde8f1a9ebbe0f24b3de4614b0823934738
Opcode Fuzzy Hash: 6679a57fa1f3397af7807f79e3ae6956d6550f8b743d74ed154d9c0ae52d1285
Instruction Fuzzy Hash: 26519B30A003589FCF15DFA5C840BEEBBB6AF89304F548169E845A7391DB38DD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0038A550, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c02e2fdcc44d2e142b91f858e8f3a74e8b5a7e443f210f60739d81368d6533
Instruction ID: 3384774ee1b8c800b29e99e99bbfe21438623009f7ad41b91234fca62d9991aa
Opcode Fuzzy Hash: 93c02e2fdcc44d2e142b91f858e8f3a74e8b5a7e443f210f60739d81368d6533
Instruction Fuzzy Hash: 23514A34A007188FDB25DF64C940B9DBBB2BF88300F2985AAD409AB355EB349D46DF52

Uniqueness

Uniqueness Score: -1.00%

Function 0038AEA7, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad3fc00a42736990a3981bf915e06e8cd37e7865913ad21c4e53c30e90ea810
Instruction ID: 509b94cb0dcaa1413b909c3f3ce3be3016dcdc9fd857061f17b7385d3011ec98
Opcode Fuzzy Hash: 4ad3fc00a42736990a3981bf915e06e8cd37e7865913ad21c4e53c30e90ea810
Instruction Fuzzy Hash: CD41A371A097849FD712DB69C804A5ABFF5EF8A710F1AC0EBE548CB262C6349C05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003A0040, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7eae78efc46dc19588686eb21aab505eb6882b162ec9c6678c5d87b4932ceed
Instruction ID: bfe9e83db7939fb0d3192c8899eb72f191d4ac0005023f621a3cf06649d0ed40
Opcode Fuzzy Hash: a7eae78efc46dc19588686eb21aab505eb6882b162ec9c6678c5d87b4932ceed
Instruction Fuzzy Hash: A6418931B016048FCB18EB78D8906EEB7F6EF89314B568579D50AEB751DB31EC068B90

Uniqueness

Uniqueness Score: -1.00%

Function 0038D92F, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e3045f46c27859d78856f48f1c7bd6f8e0f2b5d191aeada2c7e63d2fc51dc0
Instruction ID: 7673131bd0b6754dc361637d0e0e492942420706c58cf583806a33f7a320e7e3
Opcode Fuzzy Hash: e9e3045f46c27859d78856f48f1c7bd6f8e0f2b5d191aeada2c7e63d2fc51dc0
Instruction Fuzzy Hash: 7F517070601204DFCB94EF78D955A5EBBF7EF8A315F608468E509AB390DB399C02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003887FD, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c284dba9952987d3c4dc40c3019098691fc219f74506594149e66d3568fbfb7
Instruction ID: c0698f5fa125c9f7107fa168f13f210dde51cc88cfabe1079b3d8988ffb38b65
Opcode Fuzzy Hash: 9c284dba9952987d3c4dc40c3019098691fc219f74506594149e66d3568fbfb7
Instruction Fuzzy Hash: 6C517D30A04358DFCF16DFA5C844AEEBFB6AF89300F548169E855A7391DB349D05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0038D940, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb7a6a9779389ae309f7afd734d8c4f4e7e55695ecc628f13242a48d5c4339f
Instruction ID: 88931febd0cc4f88569629a5797e2934cdce69bfa07095327d57eb5428eed657
Opcode Fuzzy Hash: 9bb7a6a9779389ae309f7afd734d8c4f4e7e55695ecc628f13242a48d5c4339f
Instruction Fuzzy Hash: 00414C70601204DFCB98EF78D955A5EBBF7EF8A315F608468E509AB350DB3A9D02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003A1008, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60878f3122a8f506d2f84ceb5c991bef720a061ee3b83f6060ec920aeb178cd0
Instruction ID: 012773b41b9a1d6f4b351e750f690095eadfbde38a84c9c4f2b1b19dcbdb2dc6
Opcode Fuzzy Hash: 60878f3122a8f506d2f84ceb5c991bef720a061ee3b83f6060ec920aeb178cd0
Instruction Fuzzy Hash: 4B419835B046058FDB25CA24C8547BBBBE6EB85380F25853DD806CB395EB39CD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00387A78, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9298b4c5efa170d91d004fff81c699b18aa04473a51bb593c6bfeaf68d424c00
Instruction ID: a016e0e8a097f34b31dff8eace383c442bee092a905f9abfc9565bc537c137c4
Opcode Fuzzy Hash: 9298b4c5efa170d91d004fff81c699b18aa04473a51bb593c6bfeaf68d424c00
Instruction Fuzzy Hash: 5731E5767087508FC716EB68D884D6A77B7EF85320B2644A9E44A8B362CB34DC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 003A0AD0, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc96e727b7e53fe673399ed0e5d38168ea8176e87f75ba70149875f082c0f94
Instruction ID: 8dccf6458bd0e116116552ea5728f78013691bac06578f8d2354ec306161a538
Opcode Fuzzy Hash: 6bc96e727b7e53fe673399ed0e5d38168ea8176e87f75ba70149875f082c0f94
Instruction Fuzzy Hash: 9C31E231E00219DBCF19CFA4D5407EEBBB2EF89314F21852AE406AB740DB71AD56CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003AD1C0, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582374a94cee372498aa4245217c9c36063b59c3f7e7cd275f1f3c0cbf44d7d5
Instruction ID: 87009547b63aaaeeacf6c6b466bcd061d3cbb29e4ff7f997ed250deeb3a5f7f7
Opcode Fuzzy Hash: 582374a94cee372498aa4245217c9c36063b59c3f7e7cd275f1f3c0cbf44d7d5
Instruction Fuzzy Hash: 6B415674E00319CFCB25CF65C844BDABBB1FF8A300F1582A9D449AB650DB70A986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003A94F0, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a929281673d00e2b50a5af4d182e0d9d407d6e8957e0af0593d0d9851361e479
Instruction ID: 605181ca3bd14979510c6cebcf6ed80fa2050ea2e5e2700afb10f199be008fcf
Opcode Fuzzy Hash: a929281673d00e2b50a5af4d182e0d9d407d6e8957e0af0593d0d9851361e479
Instruction Fuzzy Hash: 9131CD31B005248FCB1AEB39C45566E77F6EF8A714B21456AE806EB3A0EF30DD06C790

Uniqueness

Uniqueness Score: -1.00%

Function 003AFB98, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d308c60581b53ae6c229905a5bef58b9707630e07b3aaca99c520a6aec11b9
Instruction ID: bf5d82e789c5752bec1eebfdc44fd289bad86e896ef9dc7cbc9af097fb829c3e
Opcode Fuzzy Hash: d8d308c60581b53ae6c229905a5bef58b9707630e07b3aaca99c520a6aec11b9
Instruction Fuzzy Hash: 72418B30E01B558FCB2ACFA5C58469AFBF1BF8A304F25856ED84AAB755D730B845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0038B791, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9f5700e9e340d93a975bacac5bea67ba805e1cd3f7e203bc4b4c024d2859d7
Instruction ID: f1be35f2baaf79e251906af3ec40383c64f4f4ce9c8911fb5ee9c8314f4af921
Opcode Fuzzy Hash: 1d9f5700e9e340d93a975bacac5bea67ba805e1cd3f7e203bc4b4c024d2859d7
Instruction Fuzzy Hash: E041B030A0030ACFCB14EFA4C8407EEB7B6AF84304F258569D409AB354DB70AD45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0038E068, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec21ee5a3e58b79de6f09d1c4fafd159abf6a1f3d17864c0e0dfcec1e69044c5
Instruction ID: a2098a0dc72823b4bfab5f4d5613c2e5b0326c62a14ee23c737a2d7f95bfbc28
Opcode Fuzzy Hash: ec21ee5a3e58b79de6f09d1c4fafd159abf6a1f3d17864c0e0dfcec1e69044c5
Instruction Fuzzy Hash: B5212876B093901FD3069628DCA0B977F66DF5B350F0B44E7D549CB693E9184C06C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 003A11C0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1ae3517e83d059edb5c2d65ca3ae4feb4ab7b6d70c7048509a0e8ef1e1d47e
Instruction ID: 98599126d8e4acf9cf750fe1e66ecc490dc82a60ae5c64c21f80c2ed504e6c89
Opcode Fuzzy Hash: ac1ae3517e83d059edb5c2d65ca3ae4feb4ab7b6d70c7048509a0e8ef1e1d47e
Instruction Fuzzy Hash: E2318D35B042098FDB15DF68C440BAEBBA6EF89710F158579E909DB351D731ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003A97F0, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b66c180ca2f8c654be21954d059526f0e821688424793d17ef67ad0a74bba6
Instruction ID: 9cd1a285a4e3093f08fa609ba927ead8ffd5d3d12af99a460b9558b43e46f161
Opcode Fuzzy Hash: a1b66c180ca2f8c654be21954d059526f0e821688424793d17ef67ad0a74bba6
Instruction Fuzzy Hash: 1621E171B00215CFDB119F28C8417AABBE9EF8A750F11843AE909EB391D634DD40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 003A0990, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4b4da5f24a72a18d093adf5bd6a64b55acc166fb6720a5e359d3fb4046b2bc
Instruction ID: b7632260545c25d1813aeb38b8f2a06a34cc65db8f1de3727e8f514f13f21f2a
Opcode Fuzzy Hash: 4a4b4da5f24a72a18d093adf5bd6a64b55acc166fb6720a5e359d3fb4046b2bc
Instruction Fuzzy Hash: 9E218D70B042549FDB44DF7CC841AAE7BE6EF89700F1581A9E508DB3A1DB31DC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 003A08F8, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4403208141495a7e0a5aa4f913a6b494c890722aa7fda987a0078fe6b442145c
Instruction ID: 51f48b68800b29ee7173ff3ce0109b63a60aeac0922f170743f8375bb68ed356
Opcode Fuzzy Hash: 4403208141495a7e0a5aa4f913a6b494c890722aa7fda987a0078fe6b442145c
Instruction Fuzzy Hash: 9B016D317001145FDB19AAB98C50BAF76EAEBC9658B21443AE509CB3A1DFB18C028780

Uniqueness

Uniqueness Score: -1.00%

Function 00389000, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44dfc727075cee472fba15a9622d60502da62ff64a65ae9be6abc16fbb945e8c
Instruction ID: b4ca584d81c6697f8a7949ad532359a32576b5bb30eaac80b4da34b6077f9e7d
Opcode Fuzzy Hash: 44dfc727075cee472fba15a9622d60502da62ff64a65ae9be6abc16fbb945e8c
Instruction Fuzzy Hash: 97112B72E087819BC7025AB9CC003F5B7B19FDA310F2DC6E7D051A7590EB748995C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00382FFF, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d056eeede46479e6da05d3f6ad269a28d67d75cba90715851cc4a63a94bb49
Instruction ID: bb3c480a203682f08c5426941decc985720f6501e020baec6457777bd890dbc3
Opcode Fuzzy Hash: 72d056eeede46479e6da05d3f6ad269a28d67d75cba90715851cc4a63a94bb49
Instruction Fuzzy Hash: 03118C746042059FC705DF58C8D0DAABBB5FF8D314B1581A9D9099B322C732FD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00389010, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6e7e59446adf33b4cc78879e61f187dc650064962801ccc184e4661e8d0454
Instruction ID: 880ad57ce51945818a0972c54ce217e47cec205b45bb47b93b0c4b7ea9a64791
Opcode Fuzzy Hash: fd6e7e59446adf33b4cc78879e61f187dc650064962801ccc184e4661e8d0454
Instruction Fuzzy Hash: 9001D872F04741D2D7115ABADC003F5B3A6DFD9310F28C6A7D56163640EB7194D48391

Uniqueness

Uniqueness Score: -1.00%

Function 0038D4A1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4207e7d4827611dc030c75f202fba81ebb4f34932f9b7a7311f38ccdae63f9c4
Instruction ID: 068cee0955bd65f064d677d75462994bec2e785c58450375b80fe14f26a4ae07
Opcode Fuzzy Hash: 4207e7d4827611dc030c75f202fba81ebb4f34932f9b7a7311f38ccdae63f9c4
Instruction Fuzzy Hash: 1CF04C313083505FEB11961998507AB7BEAAFD0315F66846BE645CB3D1DFB4ED0583E0

Uniqueness

Uniqueness Score: -1.00%

Function 0038E0F0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79527a85f42deb1e39f5c159e723680a2943df21ebfb143b6e65e3d589a2ebb0
Instruction ID: 5726fc797b5f785a0bf98b349137d903e819ad818476920e56b6fd0c5b0f58cd
Opcode Fuzzy Hash: 79527a85f42deb1e39f5c159e723680a2943df21ebfb143b6e65e3d589a2ebb0
Instruction Fuzzy Hash: 32F06D397042145B9718AAAAA858E6BE6DFEFC8764B15C43AE509C7740EA70DC0183A0

Uniqueness

Uniqueness Score: -1.00%

Function 003829D8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b31040c5b8369602ff8e2e2bf7411ba43c6542703e7a47d7abc918d771278a2
Instruction ID: d6bbe4731bd7819c2c8ff0182960a28c365d30cba95eef65512b3351984bb495
Opcode Fuzzy Hash: 4b31040c5b8369602ff8e2e2bf7411ba43c6542703e7a47d7abc918d771278a2
Instruction Fuzzy Hash: 56F0F670B093885FCB51EF78EC5569E7FB9EB49310F00056AF548E7382DB74894487A1

Uniqueness

Uniqueness Score: -1.00%

Function 0038AEB8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54dcf6e9ef757e7de26f19cae59bd30005e015189ae70dc63e18e4854840b3d6
Instruction ID: d00a556f70c1e820d4a12abe6add5c4dd4d4d051eafdc4c8688ce709fc537b10
Opcode Fuzzy Hash: 54dcf6e9ef757e7de26f19cae59bd30005e015189ae70dc63e18e4854840b3d6
Instruction Fuzzy Hash: D9F03071E04604AFEB14DF5AC404A5AB7E5EFC9720F11C0AAE919C7350DA349C01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0038F2D7, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cad598ae8325554b08e21c64a01cec4db3702515ffdfd042942f58c5e63eea2
Instruction ID: 8fb237839f916d4392b21fd54eae4de30e0fc93e87d4bf741803ddde5bdf0a38
Opcode Fuzzy Hash: 9cad598ae8325554b08e21c64a01cec4db3702515ffdfd042942f58c5e63eea2
Instruction Fuzzy Hash: 69F0CD39600308CFCB22EF58E8C489ABBF6FF443007114AE9E9969B212C731E815CF01

Uniqueness

Uniqueness Score: -1.00%

Function 003894D7, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6a503bd9c74401ad06504943caac35f5c73ca96b0bf8bc1d4239af280ada9b
Instruction ID: 49b5fa75e16cf9e480bc3eeffb8db511c67c8424dbece79cfee6d5e574b558b6
Opcode Fuzzy Hash: ed6a503bd9c74401ad06504943caac35f5c73ca96b0bf8bc1d4239af280ada9b
Instruction Fuzzy Hash: BAF03771A00318DFEFA6DF65D880BAEB7B6BB85354F1580AAE40893250DB308989CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003894CE, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6a503bd9c74401ad06504943caac35f5c73ca96b0bf8bc1d4239af280ada9b
Instruction ID: 49b5fa75e16cf9e480bc3eeffb8db511c67c8424dbece79cfee6d5e574b558b6
Opcode Fuzzy Hash: ed6a503bd9c74401ad06504943caac35f5c73ca96b0bf8bc1d4239af280ada9b
Instruction Fuzzy Hash: BAF03771A00318DFEFA6DF65D880BAEB7B6BB85354F1580AAE40893250DB308989CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003890D0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da6ab9cdbd60fd4bf07e3f1b2c1af9b83e59bb7de895926aaf7cbbdb8934c73
Instruction ID: d803100433cec1819f79926d4ab751aa9faba204499cd21a09e4befaf0a044f8
Opcode Fuzzy Hash: 4da6ab9cdbd60fd4bf07e3f1b2c1af9b83e59bb7de895926aaf7cbbdb8934c73
Instruction Fuzzy Hash: D1F03032148289BFDF034FA08C11FE93F76EF4A205F098196FA54960A2C636C521EB61

Uniqueness

Uniqueness Score: -1.00%

Function 0038FF28, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f54cfd6742c153be44bf1abee01e9f649f1ab97d1f840fd1d19220b41ab61d
Instruction ID: 023e3948f9a29ca5c4eabca75d70c31afbd8717d23093df8b772b4c2263a9d30
Opcode Fuzzy Hash: f1f54cfd6742c153be44bf1abee01e9f649f1ab97d1f840fd1d19220b41ab61d
Instruction Fuzzy Hash: CAF0307240528DBFDF02CFB48C00CAA7F7AEF4A200B048495F940C6022D6329A35AB90

Uniqueness

Uniqueness Score: -1.00%

Function 003A8F02, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25223495515775d6393ad150c9eafd76a78ce8bb69097bf18b4334427eb27557
Instruction ID: 883fabcf0aa0c8ed827c9daebc7ba62e2ff1cdf6355feed1f9b36e058ef9b6ee
Opcode Fuzzy Hash: 25223495515775d6393ad150c9eafd76a78ce8bb69097bf18b4334427eb27557
Instruction Fuzzy Hash: F5F0AA39A21119CFCB05CF88D5849CCB7F2FF89315B6680A1EA04AB261D736ED51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 003890E0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd6c945ebd66e66710b97a79010f5d415b9842d8f5844a8cca5f831cc4cd239
Instruction ID: 622795e89006a925a2117e040828ece9e6741e35d84474cce9469f5ccf555e0f
Opcode Fuzzy Hash: 2fd6c945ebd66e66710b97a79010f5d415b9842d8f5844a8cca5f831cc4cd239
Instruction Fuzzy Hash: 6EF0C27200018EBFDF128F90CC01FEA3F6AEB8C315F048165FA5454060C636D570AB60

Uniqueness

Uniqueness Score: -1.00%

Function 0038A0B1, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b2ca19762b8e5cc9027f532e3bd569e76f5fca5b482a6f686cd518b2e94c3c
Instruction ID: b79be7f3f1551313321f5c2a4d9397ffa59b9333dfb48a2ce246f73c8bb7e5c9
Opcode Fuzzy Hash: 46b2ca19762b8e5cc9027f532e3bd569e76f5fca5b482a6f686cd518b2e94c3c
Instruction Fuzzy Hash: 7FF0A575A05228CFDB299B68E848B9CBBB2FB88311F0081E6D919A3351DB315E95CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0038FF38, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1fbc77b060cc196c301131ce490a254329a2574cfea231620a0ede67ca77e1
Instruction ID: 79d602a040a21d3ed24a0b53e219f00863dcbbbcb851a16658be98700a63f03b
Opcode Fuzzy Hash: 4a1fbc77b060cc196c301131ce490a254329a2574cfea231620a0ede67ca77e1
Instruction Fuzzy Hash: 8FE092B290010DFF9F02DEA48D01CAF7BBAEB48240B00C465BA0496120E6329A31ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 0038BB80, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59329967f36b5b8ef496689b2a07419d13ab8ccdd25b89e42bda1a5d0d4ed962
Instruction ID: d72fefa3598701ea855249ff48aa641411fd47fefaa8b22c0df4a240efd5005e
Opcode Fuzzy Hash: 59329967f36b5b8ef496689b2a07419d13ab8ccdd25b89e42bda1a5d0d4ed962
Instruction Fuzzy Hash: 25C02B223063C15FD713736CA0880E9BF20C8C21B230E00EBD546CF0235D0448039377

Uniqueness

Uniqueness Score: -1.00%

Function 003A05C0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481704765.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f51257e78b8118b4768041ffc6b374fba802d475537d88e853076b8714b575e
Instruction ID: 6c24682d33222a2f520b5ebe44d20d701897d40c2022094a5671290f23f7b4b5
Opcode Fuzzy Hash: 9f51257e78b8118b4768041ffc6b374fba802d475537d88e853076b8714b575e
Instruction Fuzzy Hash: E3B0127A504200BFDB169F218E04C2FFFB3FFD8310F41C818B1A800018C6318421EB12

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00394640, Relevance: 5.3, Strings: 4, Instructions: 342COMMON

Download Yara Rule

Strings

HJx, xrefs: 003949CC
HJx, xrefs: 00394940
HJx, xrefs: 00394986
HJx, xrefs: 00394A12

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx$HJx$HJx
API String ID: 0-2091890481
Opcode ID: bd216b659438ee9d6f45ec7a50743bdd152f162063639c80e9ae28d738ce6949
Instruction ID: 395b11bdfcaaa7d43171001069f72df421f602dfcbcf88d088788c1ae36d29e3
Opcode Fuzzy Hash: bd216b659438ee9d6f45ec7a50743bdd152f162063639c80e9ae28d738ce6949
Instruction Fuzzy Hash: 1DC1CF30700B148BCB29AB79C858A6E76E6AFC5708B06893DD50AC7754EF38DC06C795

Uniqueness

Uniqueness Score: -1.00%

Function 00394E00, Relevance: 3.4, Strings: 2, Instructions: 940COMMON

Download Yara Rule

Strings

HJx, xrefs: 003964DD
HJx, xrefs: 00396474

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx
API String ID: 0-2289622260
Opcode ID: 63fab01d192b70b97dbaee945be465e1d0f248ba8187d83994adbf3a1ad28efa
Instruction ID: 1a22c41f560447e35a499ba431af441f61c209a46d856072db26bbb95ec39151
Opcode Fuzzy Hash: 63fab01d192b70b97dbaee945be465e1d0f248ba8187d83994adbf3a1ad28efa
Instruction Fuzzy Hash: 84A2A374A01619CFDB65DF69C898B9DBBF2BB48300F1185EAE409A7361DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00385468, Relevance: 2.2, Strings: 1, Instructions: 924COMMON

Download Yara Rule

Strings

, xrefs: 003856A2

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2b97143d80e23d23841e4266c8f269b8851a41bc4c1e8707c614b5ec96461e85
Instruction ID: 0de06f6ce239b60d8aa82d25279feabe990cb62c6403eec2f265a70048148dfd
Opcode Fuzzy Hash: 2b97143d80e23d23841e4266c8f269b8851a41bc4c1e8707c614b5ec96461e85
Instruction Fuzzy Hash: FD825974F00218CFDB25EF74C8556AEBBB2AF88304F1185A9D50AAB351DB359E85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00398958, Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.481421412.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6cec72cc3c6b20287b562e7fee7a67e7b96a5d481ba7a9090d3c363c01a0f0
Instruction ID: 8bd9d1c709b9b20de59aa794ed2965429563943238c5951cd72af22066fdba00
Opcode Fuzzy Hash: eb6cec72cc3c6b20287b562e7fee7a67e7b96a5d481ba7a9090d3c363c01a0f0
Instruction Fuzzy Hash: 82E18C74B002089FDF15EBB4C858ABEB7B3AFC5700F268469D506AB395CF359D428B91

Uniqueness

Uniqueness Score: -1.00%

Function 00385457, Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e12fec9674bb8a03a6aa3d084de0c2da40b57dbbc4b2143e2034d1663708f4
Instruction ID: 9e884cb579b154414a5e1531114711c1cb8f25beec374103e93fae915c07f5e9
Opcode Fuzzy Hash: 08e12fec9674bb8a03a6aa3d084de0c2da40b57dbbc4b2143e2034d1663708f4
Instruction Fuzzy Hash: 3AE15F70E00218CFDB15EF79C8557AEBBF2AF89300F1185A9D50AAB351DB359E858F81

Uniqueness

Uniqueness Score: -1.00%

Function 00386ED0, Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3c7eebd84c80a3e57221b522266dff28f13d03d25fe2ab958797ced813f990
Instruction ID: 482ce15d052aea189d65011a36d9b8f72a4009801f9bff79fd5b55311207f248
Opcode Fuzzy Hash: fc3c7eebd84c80a3e57221b522266dff28f13d03d25fe2ab958797ced813f990
Instruction Fuzzy Hash: DEC1A074B002099FDB15EFA8C8549AEB7B7AFC4710F268568D906AB351DF34ED02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00387340, Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77f8dddb42d0ef121c871e2b20833660c49e03b6418dc81cc0cd14816de0ab0
Instruction ID: c88c9e7cd5cfeeb511fb567d67303e0db710fd3c7d3b0f4b6df5d99c04a178a0
Opcode Fuzzy Hash: e77f8dddb42d0ef121c871e2b20833660c49e03b6418dc81cc0cd14816de0ab0
Instruction Fuzzy Hash: C1B1BC74B042059FDB19EB79C85467EB7A7AFC8300B61C868D5069B791DF35EC028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00388AAC, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb1ea4196b65308d62d0a499510a9df9e44301fad87ecfd16e5e7433f37bf38
Instruction ID: 38b94c0d629aa093d7946e6b507cf45586853b0a2b338b3630655a63cd3e4c35
Opcode Fuzzy Hash: 0bb1ea4196b65308d62d0a499510a9df9e44301fad87ecfd16e5e7433f37bf38
Instruction Fuzzy Hash: 40818070A003499FDB1ADFA5C4506AEBBB6AFC5304F648469E8059B385EF74DD49CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00380539, Relevance: 6.4, Strings: 5, Instructions: 164COMMON

Download Yara Rule

Strings

`ol, xrefs: 0038067F
`ol, xrefs: 003805C3
`ol, xrefs: 003806E1
`ol, xrefs: 00380621
`ol, xrefs: 00380568

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: `ol$`ol$`ol$`ol$`ol
API String ID: 0-1632316405
Opcode ID: 92c06a5ede622ff9aba9763a83308cb094dc9218162cd84b6b353f059ccf00a1
Instruction ID: 0a3c7d0c4857608ad7726c5995e8d7c49026bdc5dafeced10d4bd65e94e94af0
Opcode Fuzzy Hash: 92c06a5ede622ff9aba9763a83308cb094dc9218162cd84b6b353f059ccf00a1
Instruction Fuzzy Hash: 08619A30204B10CFC355EF28C45475AB7A2FF89348F424A6CD14A8B6A5EB79FD5ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00380548, Relevance: 6.4, Strings: 5, Instructions: 158COMMON

Download Yara Rule

Strings

`ol, xrefs: 0038067F
`ol, xrefs: 003805C3
`ol, xrefs: 003806E1
`ol, xrefs: 00380621
`ol, xrefs: 00380568

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: `ol$`ol$`ol$`ol$`ol
API String ID: 0-1632316405
Opcode ID: ca3590a1a90f3b5813479359264506798ea3da33b97a01296b89e4f7b974db90
Instruction ID: 0844d0d815cfa2902ea48e6bd2420a8bd61eb472722182e03466957e41322fbc
Opcode Fuzzy Hash: ca3590a1a90f3b5813479359264506798ea3da33b97a01296b89e4f7b974db90
Instruction Fuzzy Hash: A5516B30200B14CFC354EB28C45575AB3A3FF88348F524A6CD14A8B6A5EB79FD5ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00383C30, Relevance: 5.1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

Strings

HJx, xrefs: 00383DD1
HJx, xrefs: 00383C5C
HJx, xrefs: 00383D3A
HJx, xrefs: 00383CEF

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx$HJx$HJx
API String ID: 0-2091890481
Opcode ID: 7a6aed0798a57c1a9a2e1c479c6d9f0dcbe70ec950c274f069ee27a475b9b839
Instruction ID: 86a956c502d525d79ea1734591b10ab3c3cdc0e23b592890e49f3c6dfaf526dd
Opcode Fuzzy Hash: 7a6aed0798a57c1a9a2e1c479c6d9f0dcbe70ec950c274f069ee27a475b9b839
Instruction Fuzzy Hash: FC51F875A41118DFCB04EFA8D854AAE77B6FF8D704F2184A8E506EB361CB359C42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003878F0, Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

HJx, xrefs: 0038799E
HJx, xrefs: 00387980
u, xrefs: 0038797B
u, xrefs: 00387999

Memory Dump Source

Source File: 00000009.00000002.480997445.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: HJx$HJx$u$u
API String ID: 0-2360771914
Opcode ID: eea5021b6f3d52954c2638bfcc49ec4f86e13ae50d2c6a371f63f71e41805246
Instruction ID: eed158e626a82fd6248370d00cfb99dfb91b942c981b4c9a4a88776a7cc1a6da
Opcode Fuzzy Hash: eea5021b6f3d52954c2638bfcc49ec4f86e13ae50d2c6a371f63f71e41805246
Instruction Fuzzy Hash: 7421B3343093404FCF16AB79E86456E7BA7EF8124532649BAD40BCB792DF24DC09C7A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 2396 Parent PID: 3440 powershell.exeCOMMON

Executed Functions

Function 00DCAF40, Relevance: 8.0, Strings: 6, Instructions: 546COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DCB522
HJ, xrefs: 00DCB550
HJ, xrefs: 00DCB539
HJ, xrefs: 00DCB615
HJ, xrefs: 00DCB5FE
HJ, xrefs: 00DCB62C

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ$HJ$HJ$HJ$HJ
API String ID: 0-2282386358
Opcode ID: 0df69fc109b4c17f815153b23c4fb723217224ad819039d70df092fdb28b1cd1
Instruction ID: 3132df09770f6053302871a1957b3bd3f1a5205c4402ab7c9891914270a3d412
Opcode Fuzzy Hash: 0df69fc109b4c17f815153b23c4fb723217224ad819039d70df092fdb28b1cd1
Instruction Fuzzy Hash: 49228A306046059FCB14DF78D845BAEB7F6EF84304F168969E9069B3A1DB74ED06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6348, Relevance: 5.6, Strings: 4, Instructions: 578COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DF6923
HJ, xrefs: 00DF680D
HJ, xrefs: 00DF684B
HJ, xrefs: 00DF6E55

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ$HJ$HJ
API String ID: 0-2451104629
Opcode ID: e6571c95aa1847b79dc9b0c29eba8c95d48b3c73f0c0c3d931f7490e9564c1ca
Instruction ID: 7a1bf6221d70e5909f1ceb123e449e9aaab54cc94389288b7518517ec202dafd
Opcode Fuzzy Hash: e6571c95aa1847b79dc9b0c29eba8c95d48b3c73f0c0c3d931f7490e9564c1ca
Instruction Fuzzy Hash: E1424934A01219CFDB24DF24C854BADB7B2FF84304F1586A9D90AAB790DB35AD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF708, Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DCFACA

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: HJ
API String ID: 0-775665175
Opcode ID: 20964a8d3a1ad8286d0afaa1813213d659b811885c56e4e0d67e772e842001be
Instruction ID: 365666fa973bb1669dc79b914397f19d7807372d54ac2d2b19c5ddb24ce1adad
Opcode Fuzzy Hash: 20964a8d3a1ad8286d0afaa1813213d659b811885c56e4e0d67e772e842001be
Instruction Fuzzy Hash: D4B15C71E007199FDB14CF65C840BDEF7B2AF89304F2586A9D409AB251DB70AD49CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE9F0, Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df8453d505f8e0c823193b89f7a8e2162402cfec91452d804fb0cee102cc2b1
Instruction ID: e0002e5be7abf90eae600429c5550b39ff28ea56390702cb2eccb9c2f41f09fa
Opcode Fuzzy Hash: 9df8453d505f8e0c823193b89f7a8e2162402cfec91452d804fb0cee102cc2b1
Instruction Fuzzy Hash: 38222674B002099FDB14DBB5C594BADB7F6AF88304F25806CE9029B395DB39ED49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DC85C8, Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbcc4ab2eebe3ada091528e8337839103b1ee201db89cacfe57816ee3fa5bfd
Instruction ID: 8ac4bd43d65373e3182866286c86e7007d546ceb0d67165f90d2d376ce655c7b
Opcode Fuzzy Hash: 9cbcc4ab2eebe3ada091528e8337839103b1ee201db89cacfe57816ee3fa5bfd
Instruction Fuzzy Hash: DE025834A0020A8BDF15DF65C890BAE77B2BF84304F28856DE905AB395EF35EC45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA9B8, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30de44caa8023d296de0728df44f914ab3c74f98a6a54965f1d58b8c27cb21d3
Instruction ID: 1dfe592728d91570befc772d747bc7b7aea3a86d3f267587b8ca587945d9490f
Opcode Fuzzy Hash: 30de44caa8023d296de0728df44f914ab3c74f98a6a54965f1d58b8c27cb21d3
Instruction Fuzzy Hash: D8C1A274E00619CFDB14DF64C940B9EBBF2AF89304F2585A9D509AB750EB30AD89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00DFAE60, Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971bbd8853509e53e5dee516d9a87e1dd84242dd123093a5b73eb1eb306896d8
Instruction ID: d990ac7458f44515760a6ecd25575fbedaca4dd07256721af980cfd97b49e604
Opcode Fuzzy Hash: 971bbd8853509e53e5dee516d9a87e1dd84242dd123093a5b73eb1eb306896d8
Instruction Fuzzy Hash: CA911171E0075A8FDB14CFA5C85079AF7B2BFC9314F258696D508BB640EB706989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF7B98, Relevance: 3.0, Strings: 2, Instructions: 507COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DF7D01
HJ, xrefs: 00DF7D8B

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ
API String ID: 0-1363901524
Opcode ID: 28bf7a626c6cb25b5ae90331ccae25dee68a02684602d74c94c19b7e0ea01e52
Instruction ID: 287214ab8400cedcf23d6e7d5a09cf7a81593e03be9314fd48d12dce023fe129
Opcode Fuzzy Hash: 28bf7a626c6cb25b5ae90331ccae25dee68a02684602d74c94c19b7e0ea01e52
Instruction Fuzzy Hash: 0512D330E046099FC7119F28C8949BDFBB2FF45300B1AC6A9E659AB761C731EC51DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFEF68, Relevance: 2.6, Strings: 2, Instructions: 84COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DFEFA7
HJ, xrefs: 00DFF031

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ
API String ID: 0-1363901524
Opcode ID: bfc8b2bf4e9995c53cdcc2b4146fb3ece4ce9cb8c31eaba33dc7f8c63abcf8df
Instruction ID: 46d6a04ff697c28ff2fe0487a5153976df8b9aa45a1082b3ef60267db4109dde
Opcode Fuzzy Hash: bfc8b2bf4e9995c53cdcc2b4146fb3ece4ce9cb8c31eaba33dc7f8c63abcf8df
Instruction Fuzzy Hash: C021F4353042088FDB185B6598297BE7BBAEFC5705F068479E606EB392DF388D05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9478, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DCA468

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: HJ
API String ID: 0-775665175
Opcode ID: 7ceeb25ecf8dcfff0aca25bff5c3259cbd0bf296e7f5fee80226cec25c3b0b45
Instruction ID: db14c10b3a78d771ddfdf32a3cc2e87a139029942dc3e91607f716cb9c833e37
Opcode Fuzzy Hash: 7ceeb25ecf8dcfff0aca25bff5c3259cbd0bf296e7f5fee80226cec25c3b0b45
Instruction Fuzzy Hash: 97122974A01219DFDB64DF65C8A8B9DBBB1FF48304F1485A9E809A73A0DB349D85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4248, Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

", xrefs: 00DF42E7

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: b8d1701c9a04ad0ed06dcdb0c8db037dcb624cfc3ecb8e0967da3dd3801338f9
Instruction ID: 4b2ea97d372de738e6be57cf40ea61054d3357d31a91ed24418db423d4e7ed3c
Opcode Fuzzy Hash: b8d1701c9a04ad0ed06dcdb0c8db037dcb624cfc3ecb8e0967da3dd3801338f9
Instruction Fuzzy Hash: CFE1D834A102098FDB14DFA4C984BEEB7F6BF88304F258569E605AB391DB71AD45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B8DE68, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,00B8DC42), ref: 00B8DECF

Memory Dump Source

Source File: 0000000E.00000002.482105813.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: af1d070e10e7fcee3878eee0deb0cee70a4d880594e5c4816f4e35d38facb057
Instruction ID: 1a39cb5e0183466a2ab12c05e4eaabe4004c0bc9032bd28d48ae35718267176f
Opcode Fuzzy Hash: af1d070e10e7fcee3878eee0deb0cee70a4d880594e5c4816f4e35d38facb057
Instruction Fuzzy Hash: DE1130B08002488FCB10CF99C488BDFFBF4EB48324F20841AD558AB250C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B888E4, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,00B8DC42), ref: 00B8DECF

Memory Dump Source

Source File: 0000000E.00000002.482105813.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 965dbfadee29b30b1c3bfbadae280ddcccc0c5a4247f8ef994e2f4d0842ef2a0
Instruction ID: 8fbbc6c8bf5bf6d6dd387704351bad83d118027ac53150e263cd4a5d3874fb7f
Opcode Fuzzy Hash: 965dbfadee29b30b1c3bfbadae280ddcccc0c5a4247f8ef994e2f4d0842ef2a0
Instruction Fuzzy Hash: DE1142B0804349CFCB10DF9AC488BEEFBF4EB88324F10845AE559AB250C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF26E0, Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

`ol, xrefs: 00DF283B

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID: `ol
API String ID: 0-3425645112
Opcode ID: 6a0fca893ca8009a6181747467b340790f96327ff14d86b1222573a3b91e22e0
Instruction ID: 6330bd68f57072abe3558556d296cf473fb53b11b77b3880d459c5aabd7335d8
Opcode Fuzzy Hash: 6a0fca893ca8009a6181747467b340790f96327ff14d86b1222573a3b91e22e0
Instruction Fuzzy Hash: DBB1F374A00609DFCB14DFA8C584AADB7F2BF48314F268599EA05AB361C770FD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3D50, Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DC3D78

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: HJ
API String ID: 0-775665175
Opcode ID: 8cbc4d6a39e34f45bce76996760865012c9afd8548925b852d30bc304910b3a3
Instruction ID: 7854b2c77a45af8ca70b798e0376d01f81fb9ac0fd02c616845966cb804a16f1
Opcode Fuzzy Hash: 8cbc4d6a39e34f45bce76996760865012c9afd8548925b852d30bc304910b3a3
Instruction Fuzzy Hash: 59919D34B002068FDB04DB68C854A6E77B6EF85305B25896DE506DF3A1EF71ED46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF1E0, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

`ol, xrefs: 00DFF251

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID: `ol
API String ID: 0-3425645112
Opcode ID: 59833de6f1f8bf9289f3fc110ecee7b00eedc6315aba00e8ed23d990389311bb
Instruction ID: 8c4acb7241b2771660c167eb8976d9fb52d2a39d70d09a2486a90561daec8c10
Opcode Fuzzy Hash: 59833de6f1f8bf9289f3fc110ecee7b00eedc6315aba00e8ed23d990389311bb
Instruction Fuzzy Hash: B3314C30A047088FC706EB74D80056E7BB2EFC5315F0689B9D645DB691EB309D09C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD4A8, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DCD526

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: HJ
API String ID: 0-775665175
Opcode ID: bcc8ef9189f500ca9c35462f76765b3182a95d2feec51192a289510e00d8c66d
Instruction ID: 4d0c06ff9b44e24e3c31be5aca0d903738f185120e3093c2fdc9794a211dae05
Opcode Fuzzy Hash: bcc8ef9189f500ca9c35462f76765b3182a95d2feec51192a289510e00d8c66d
Instruction Fuzzy Hash: B41124347001155BCB04AFA8D854AAEBBEAEFC5350710886AF905CB380DB30DC05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF8A80, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa240bbb5e9182165445ba7e7b11164bc2f82f810c85423aade8f37200d5ad5
Instruction ID: f38d53b4116460b1486a69df0aa6d48cbeebc1c0eb9679e2d739de98491e52b4
Opcode Fuzzy Hash: 8aa240bbb5e9182165445ba7e7b11164bc2f82f810c85423aade8f37200d5ad5
Instruction Fuzzy Hash: 6EE1A574B002198FCB14DB78D59167EB7E2AF88345B168938EA06EF341DF34DD059BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6918, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018eb60c54a0b81623c9bfb714bfef0be0ceed42ea510876f5df1b27fb2762d3
Instruction ID: 4d46fb738f8192aa808253334f31d383e8c465f35a7fac25fc6098c0b126167e
Opcode Fuzzy Hash: 018eb60c54a0b81623c9bfb714bfef0be0ceed42ea510876f5df1b27fb2762d3
Instruction Fuzzy Hash: 8AD18174B002199FDB24DF65C850BAEB7F2EF88304F15852DE506AB291DB34ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF3BC8, Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e61c14527f0120595fe187cecca5a343b41213252abe113a88534ab612b0f54
Instruction ID: 8f4d83b9923706f79992205f86ae7ff41de63a8fd502296765b8f5b55fa84a2c
Opcode Fuzzy Hash: 4e61c14527f0120595fe187cecca5a343b41213252abe113a88534ab612b0f54
Instruction Fuzzy Hash: B3E1DD74A002098FCB14DF65D584D9DBBF2BF88324F5A9694D905AB3A6DB30EC85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4D48, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba8b9563ddcbd097712aceb400cdd723341ccb375e2ed722ab7aba99c5d76c1
Instruction ID: 98edf668abf3956590b954083ca379753b05d56052a37c44bff3f5d9e9b3e728
Opcode Fuzzy Hash: 0ba8b9563ddcbd097712aceb400cdd723341ccb375e2ed722ab7aba99c5d76c1
Instruction Fuzzy Hash: 3AC17E38A0510D9BDB05DFB4D851BAEBB73EB88308F118865ED022B796CF356D02DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DF3358, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d65e189f0069d3f114ee6c7db96af75313a071b04437a9cf3dd5c7ca66f183
Instruction ID: e8a72cffc51a9210924d800756786fcbba7c7af4f5f15b606fad943596226231
Opcode Fuzzy Hash: a1d65e189f0069d3f114ee6c7db96af75313a071b04437a9cf3dd5c7ca66f183
Instruction Fuzzy Hash: 5FB15A70B006099FCB05DBB4D855ABEBBF2AF88301F168569E906DB391DF349D068B61

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0040, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a8ef88def3fd2527ba62b2c3badcc26cb4a3e09dcedf9a180d9ccfb6551a4d
Instruction ID: f11b074c728852fd32b13702714350c466781d2cb602639aec9b5bda18086ae2
Opcode Fuzzy Hash: 81a8ef88def3fd2527ba62b2c3badcc26cb4a3e09dcedf9a180d9ccfb6551a4d
Instruction Fuzzy Hash: A6B16831A0461ACFCB15CF99D448B9EFBF2BF88314F19856ED809AB651D770AC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5400, Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b044d86ced88fb99180a553bef13176328e8316598c619297cc70a6506ec075
Instruction ID: 89771b5dd43f3b2908fa83102c3f46b7e26fcd35c2f5dad0c2012447bbd7252c
Opcode Fuzzy Hash: 4b044d86ced88fb99180a553bef13176328e8316598c619297cc70a6506ec075
Instruction Fuzzy Hash: 4EB17271A00208DFDB15DFB4D840AEDBBB6FF88314F118569E605AB391DB71AD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00DF86D8, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b877ab02f392071c200c8f62fd0873b98dca0702b77c2b18db9450a5a55f7a5
Instruction ID: 38bca0718ecdc933e49527cfa2cf15836de1119017857948cb7956f5347deabd
Opcode Fuzzy Hash: 2b877ab02f392071c200c8f62fd0873b98dca0702b77c2b18db9450a5a55f7a5
Instruction Fuzzy Hash: 5E81C235B001049FDB14AB78D440AAEB7E2EFC8351F158479E919EB352CF38ED458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFD3C8, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8695b8a0a22ea48db87c036fd5f9b7654dc64e5315027aeb4d2a016783d96043
Instruction ID: b97404715ca2af8142f9628417719ee6bfc1e41145a49eadb4e097a050752519
Opcode Fuzzy Hash: 8695b8a0a22ea48db87c036fd5f9b7654dc64e5315027aeb4d2a016783d96043
Instruction Fuzzy Hash: 41A16034A042198FCB04CF68C5849AABBF3FF89314B16C599D955EB356D731EC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA790, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbce5e3f30c35b67d2b66544afeda432a6740b48ed6839a66ce17fb8209d45e4
Instruction ID: 458c5b1388512fa5736829a7f42a4c08b13144e7b3f67b55972faef9a68438aa
Opcode Fuzzy Hash: cbce5e3f30c35b67d2b66544afeda432a6740b48ed6839a66ce17fb8209d45e4
Instruction Fuzzy Hash: ABB10C74A00219CFDB14DF64C844B99BBB2FF89304F1585A9E908AB351DB70AE85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA3D3, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce60778468a96bb561096fce960d397d58c8bda1fa3c8eaa6073a79f3d33fea
Instruction ID: a260e2737a9ce03c913fdda474967b75ed75cbad4d7326b71297e24118479f7e
Opcode Fuzzy Hash: fce60778468a96bb561096fce960d397d58c8bda1fa3c8eaa6073a79f3d33fea
Instruction Fuzzy Hash: 4781D2347002189FCB159B78D414AAEB7F2EF84314F2A8869E90ADB391DF34DD45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAF30, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1265dcdc30d6080ed5f0db870b99866ab6608885873d44856e4bfc6521fb0c96
Instruction ID: a102fb1bd96471de1ed80e46ea368a7a8dc85c0bf90a10fea49bec4101271b8e
Opcode Fuzzy Hash: 1265dcdc30d6080ed5f0db870b99866ab6608885873d44856e4bfc6521fb0c96
Instruction Fuzzy Hash: 4D916B3060060A8FCB14DF69D885B9EB7F6BF84314F09896DE501DB2A1DB70EC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9FFF, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70135c450d4037bafb87ad3d4ae61bc39921be6a0bb5bc3e7e918f7c22e65085
Instruction ID: d0f45aed77ce613efb4f1116b21a50fdfd17d1d2ccbec89f62873faf265ccb57
Opcode Fuzzy Hash: 70135c450d4037bafb87ad3d4ae61bc39921be6a0bb5bc3e7e918f7c22e65085
Instruction Fuzzy Hash: B9B10634A00259CFDB64DF68C858FADB7B6AF48305F1485E9E40AAB3A1CB359D85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00DF3BB9, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b95afb801d9f2ba0aca03dfb17de1dfd07e0d2d91757dc5472f822c6bb9e68c
Instruction ID: 2707c2646db015b42e3f1eba761f81630b425e6c179b8dea6864334e1dd95e23
Opcode Fuzzy Hash: 5b95afb801d9f2ba0aca03dfb17de1dfd07e0d2d91757dc5472f822c6bb9e68c
Instruction Fuzzy Hash: 6FA1DC74A002098FCB14DF69D584D9DBBF1BF88324F5A9294D905AB3A6D730EC85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3358, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c666168ab22016e83da7041a28cd18a4253ec1e1c2cb829bc2187e34c772a0a
Instruction ID: d4e2335c48425c9764fcde94f6bcdd9fad9e99f36960c5b0e75de407d1fe9616
Opcode Fuzzy Hash: 0c666168ab22016e83da7041a28cd18a4253ec1e1c2cb829bc2187e34c772a0a
Instruction Fuzzy Hash: CE71AF70B002059FCB15EB78C491A7EB7E2ABC8354B15847CE51ADB382DF34ED468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA55B, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270346635565aad332cb3152ce863c88e4674eae70b6d94a492e797ad5cb90c6
Instruction ID: 3ba4a89b23c983f8ad49b721d76648e815f80a65b9496842c5d33bba62b0fe18
Opcode Fuzzy Hash: 270346635565aad332cb3152ce863c88e4674eae70b6d94a492e797ad5cb90c6
Instruction Fuzzy Hash: 44817C347142099FCB04DB68D455EA9BBF2FF88308F1A81A9E9059B3A1DB31ED45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00DF58E8, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033f0eb9d998eb6a81561a606c108a23786ba8a1735a50d20162b48b7936160b
Instruction ID: b431b5f6be67bf5497683c493c8fc2de2fe2f2722b2608b218f420bf4089dbec
Opcode Fuzzy Hash: 033f0eb9d998eb6a81561a606c108a23786ba8a1735a50d20162b48b7936160b
Instruction Fuzzy Hash: 856120303006059FCB18AB75E850A7E77E6AFC4304B1A8929DA46DB395DF30ED068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5F48, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2580e073cddae1c89e033bb1ca8177579a9276158449a5bf26b1a0bde5b50fa3
Instruction ID: adb622f91877ca17fda8a6926b4fc0ad3f91086272d5c45541a2daf52513437c
Opcode Fuzzy Hash: 2580e073cddae1c89e033bb1ca8177579a9276158449a5bf26b1a0bde5b50fa3
Instruction Fuzzy Hash: D8814D356002189FCB14CF68D584FAEBBF2EF48304F168969E605AB361DB71ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA9A8, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6331153c43d4a69b47e4ae73b2ac020d971cfaf4465466bff5cf0d399b3b06ba
Instruction ID: 2d9024ec11051382b8b25864d818d15ffc640c2e24e27c13f4081b2cc884aaf3
Opcode Fuzzy Hash: 6331153c43d4a69b47e4ae73b2ac020d971cfaf4465466bff5cf0d399b3b06ba
Instruction Fuzzy Hash: FF61B270A006198FDB14DF64C940BAEBBF6AF88304F2585ADD509EB351EB30AD45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8B48, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79488e99f7c2330ba18e18666f618cee747a6da8cc4f4b9250aac1b2c00fce7
Instruction ID: e3dc56a830b0ded481560227bcaf5f97cf2aae3b75a02bd02ce429925b76c23c
Opcode Fuzzy Hash: e79488e99f7c2330ba18e18666f618cee747a6da8cc4f4b9250aac1b2c00fce7
Instruction Fuzzy Hash: 3B515D70A002599FDB14CFA5C850FEEBBB6AF88300F188169E845A7391DB34DD05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF92B8, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab09ce5d191ed06472bf2fe4cdd6ad559eedf5f23d35ce4f21d153ba90e4e6fb
Instruction ID: 48edbbe7da812cff53840293d764f23201a79863fb1bdcfa8dfe7377d0a5bd9e
Opcode Fuzzy Hash: ab09ce5d191ed06472bf2fe4cdd6ad559eedf5f23d35ce4f21d153ba90e4e6fb
Instruction Fuzzy Hash: 3541BD317002009BDB24A775E960B6FB7D6DBC4329F29887ED21A9B790DF25EC01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8B44, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e10f8775acd7a6280e9e7938ab3951d7a246082396592c01f2130ba70e5032
Instruction ID: 40d6beeb5993f77d464b3c7a3ad91a47eb310dabb45ad1893414471e4c506ef4
Opcode Fuzzy Hash: 01e10f8775acd7a6280e9e7938ab3951d7a246082396592c01f2130ba70e5032
Instruction Fuzzy Hash: 03518C70A042599FCB15CFA5D840FEEBBF6AF89300F188069E851A7391DB34DD46DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DCCC7A, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba1912bb088466eadf05a680eabfecac622d0867776840799ebe21fe1dbe2cf
Instruction ID: 1d818e5b8f79f0b03aec0a5292fd98b1ca44d4266e66eb2d69ba6dbeb4402eba
Opcode Fuzzy Hash: 8ba1912bb088466eadf05a680eabfecac622d0867776840799ebe21fe1dbe2cf
Instruction Fuzzy Hash: FD5160746122049FCB15EB78D441A6EBBE6EF8A305F60846DE509EB391DB35DC06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00DCCC80, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800f1e87aeea3499d1366c73e2dccbbaefebd06943c08c67cb739c779692d080
Instruction ID: 3bff3901dcff68cb6a1282ce4f1fa89a8b4c69f424e91944dbfede0d535dc216
Opcode Fuzzy Hash: 800f1e87aeea3499d1366c73e2dccbbaefebd06943c08c67cb739c779692d080
Instruction Fuzzy Hash: 5C416E746122049FCB15EB78D441AAEBBF6EF8A305F60846DE509EB3A1DB35DC06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF6F7, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d41892c185519c28bcc66524edee80dc7abfa9dd618b0ce05b49bf92809c28
Instruction ID: 2e6964ab2b44c5ee812859ef702481cefead6fb870f60699492dd89285b56fde
Opcode Fuzzy Hash: 93d41892c185519c28bcc66524edee80dc7abfa9dd618b0ce05b49bf92809c28
Instruction Fuzzy Hash: FF415B71A006199FDB14CF69C840ADEB7F6AF88304F158579D905EB361EB70AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF37B9, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42070f633e27e6bb47b635afae8793e385ada0b7a242849e3d022af1fe4ee1b9
Instruction ID: 24cc4c6f4704d544b2d4c1cdca41e4173def4390eef0f336a19668b9d14ff7da
Opcode Fuzzy Hash: 42070f633e27e6bb47b635afae8793e385ada0b7a242849e3d022af1fe4ee1b9
Instruction Fuzzy Hash: C641A030B002089FCB04DB79D8546EEBBF2EF88350F168969E506EB350DF749D468BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6994, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea01b66f9a0e8cf6070671990f3df7bbf8ba9177b2943b7cc86a0d194009c5f
Instruction ID: 6bfb2ef175b25bddfd391ab25ed63f9f6c1f9a110ee4332cbb36cb5508808331
Opcode Fuzzy Hash: 8ea01b66f9a0e8cf6070671990f3df7bbf8ba9177b2943b7cc86a0d194009c5f
Instruction Fuzzy Hash: 2B510C30901219CFDB25DF34C954BA9B7B2FF84305F118AE9D5499B6A1DB35AE81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00DF96E0, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f29069ef54359dc39db05659865ce8c08a498027a53d829f8c0903a00d146bd
Instruction ID: 659b769f9ec4fa1796b466a74b83f7829b404369d92311b116997882bbb6ce01
Opcode Fuzzy Hash: 3f29069ef54359dc39db05659865ce8c08a498027a53d829f8c0903a00d146bd
Instruction Fuzzy Hash: 8A41D2347113448BC329AF29C4A4AB6F7E6AF8135532AC46DD6968B711CB31EC02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF3970, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968a5bcb2bb92826749769812b16105f49206b0e73de001ddfb8a74506609248
Instruction ID: 2da8da707b22113a2589de04643720372d1bfe8397ad267a0c3115f677b2322c
Opcode Fuzzy Hash: 968a5bcb2bb92826749769812b16105f49206b0e73de001ddfb8a74506609248
Instruction Fuzzy Hash: F541E870A002099FCB40DBA8C851BBEBBF1EF88314F168569E654EB391D734DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF58D8, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55c528584fd820204376a58536db013ebe53702fff74532834511586da68e98
Instruction ID: 6da3e9a891d8a85fbe74b618fc2fe48d0b9dd06a5135f29fba2ce8b857697a46
Opcode Fuzzy Hash: c55c528584fd820204376a58536db013ebe53702fff74532834511586da68e98
Instruction Fuzzy Hash: 5B4141347002099FCF18AB35A85563E7BE6AFC9310B198069DA42DB392EF30DD05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DF37D0, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95bb11b59c4c711dc987a1f8f7e3eea108e8893c4b87db5cf8acf6ff8e07b364
Instruction ID: 0b818ee358c2bd9113ce4a043d106da117fc9f2e117918a6f8965119c5baba39
Opcode Fuzzy Hash: 95bb11b59c4c711dc987a1f8f7e3eea108e8893c4b87db5cf8acf6ff8e07b364
Instruction Fuzzy Hash: 76417D30B002099FCB04DB79D8546EEBBF2AF88354F168979E50AEB350DF749D458B90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF3988, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928fc370507330d8feeba61f4fd67409ebf9a59f3a55baea6eba703b3eb63582
Instruction ID: 599b7985d2d7d78d985668408484fd3d724fece16f6186d01e61ee03e259c49b
Opcode Fuzzy Hash: 928fc370507330d8feeba61f4fd67409ebf9a59f3a55baea6eba703b3eb63582
Instruction Fuzzy Hash: 8441A470A001099FCB40DBA8C841ABEB7F5EF88314F268629E654A7395DB34ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0021, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbeaf1550da2d8271b629e85edab12327fbfa22d8f91878a9d25e81f656d281b
Instruction ID: ab43e28c676a227df55948d2775f1b4a5a142f3215851a4641b830892b000069
Opcode Fuzzy Hash: cbeaf1550da2d8271b629e85edab12327fbfa22d8f91878a9d25e81f656d281b
Instruction Fuzzy Hash: 81418930D05755CFCB26CF65C854A8EFBF1BF8A300F19855ED885AB651D730A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF080, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04918e74a23ab9d58e34dad8dd71190d686aaf7a99d20b07c2ed99c5da873e7
Instruction ID: feb817e82c203d6777b184fe305d02083937d75057f08b7e64b97d6d56b7088d
Opcode Fuzzy Hash: a04918e74a23ab9d58e34dad8dd71190d686aaf7a99d20b07c2ed99c5da873e7
Instruction Fuzzy Hash: 333147707083089FCB159B78A8192BE7BEADF85305B1645BEE50AC7392DF388D0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA660, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c99d46775978fc498c7d15e21b3cd6af708df7acbfe1a3534d59a7d2fa5a00b
Instruction ID: 85176bd64f92db4a998b30c6ba603d2640621d5717aa351d8fe1842bb8d79ff0
Opcode Fuzzy Hash: 4c99d46775978fc498c7d15e21b3cd6af708df7acbfe1a3534d59a7d2fa5a00b
Instruction Fuzzy Hash: 3031A1757005258FCB14AB38C450A7EB7F69FC8714B298469DA0ADB3A0EF70DD05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA780, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e786096945cb77a1820df1f5eb436d3ba5f3a356fd2c3f1952892d79e24695
Instruction ID: a0ca8a5bed3d4a1aa60d7eff1ba4f2954ca3e9396af1698d9a887697e71baf55
Opcode Fuzzy Hash: 86e786096945cb77a1820df1f5eb436d3ba5f3a356fd2c3f1952892d79e24695
Instruction Fuzzy Hash: E4414B71E00319CFDB24DF68C884BD9BBB1BF89300F15C6A9D548AB250DB70A989CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6BDA, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5bf4c00bccbb3a051f68dcd18d1374a971ac8f252f5f482791e0d35758b8e2
Instruction ID: fccca637717a7a50ea47b16814ad1d4ac014b3e58a268db6bafb10e95942ddee
Opcode Fuzzy Hash: 0a5bf4c00bccbb3a051f68dcd18d1374a971ac8f252f5f482791e0d35758b8e2
Instruction Fuzzy Hash: 7A411930A01219CFDB64DF34C954BA9B7B2BF44308F2185E9DA45AB690CB75ED85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DFD3C7, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183701d77be5832292971bc2f38ed437d9de35d9ee6aaf2b2dca7d9371296b88
Instruction ID: a2e096385dd700cb94d5c33afd7f4787d05c5a125a28471f719f1c39550256bd
Opcode Fuzzy Hash: 183701d77be5832292971bc2f38ed437d9de35d9ee6aaf2b2dca7d9371296b88
Instruction Fuzzy Hash: B5411174A002198FCB04CFA8D584AAEBBF2BF49324F268569D919E7355D730ED408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAAC1, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ff46aec2aea80c0c94dfeb35cda97b8b5594dc350aca80195c45f959fa35d
Instruction ID: 533d8d0cb1787fc8e0b932366315be41f662bed478935d901a428263ffa59a7a
Opcode Fuzzy Hash: 889ff46aec2aea80c0c94dfeb35cda97b8b5594dc350aca80195c45f959fa35d
Instruction Fuzzy Hash: 72419070A0020A9FDB14DFA4C980BDEB7B2AF88304F25866DD505AB654DB70AD89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00DFDD68, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85029c86d5d7dd0a09da8fcc2c3aa79a8fbfe2c2750be30524847662309e2354
Instruction ID: 7465e1d73cd29b8596b7d0ec5c71db4ba1834ea501e5e9d4c2fa67b913519d81
Opcode Fuzzy Hash: 85029c86d5d7dd0a09da8fcc2c3aa79a8fbfe2c2750be30524847662309e2354
Instruction Fuzzy Hash: BA31A131A002088BDB14DF69D4946EEBBF7AF89304F168469E655FB390DF709D05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DFDD58, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda32c90b0c409da9c9e248c6ec7c640f2f8e211cedd3e39c81b9d261ed0593f
Instruction ID: a87f1534541c97b6780facb0522339695681b87c2ab43bff1f8d98b2c28296d4
Opcode Fuzzy Hash: cda32c90b0c409da9c9e248c6ec7c640f2f8e211cedd3e39c81b9d261ed0593f
Instruction Fuzzy Hash: 8631B131A002088BCB14EF65D4546AEBBB7AF89344F168869DA56FB390DF309D05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6EF0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ecd1f2d54b368faafab96c58ccb1b8e90caeccb48b2750569e37801d850592
Instruction ID: 5901b9c62d787cc61619166fa8e7577d680cca54d750b8f62d91387b9c742cba
Opcode Fuzzy Hash: 48ecd1f2d54b368faafab96c58ccb1b8e90caeccb48b2750569e37801d850592
Instruction Fuzzy Hash: FC314B38304A168F8B15DB2AE4C093AB7E4BF453117568459FA9ACBF21CB30ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF57B7, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683fa7584ace1b6add629d662c78c519788de3a01389ccc111de693dbfd12ffc
Instruction ID: 9a35ce206020181f5ed411853cca9b990bbda8b87965ab11ae2c858603a9f2e4
Opcode Fuzzy Hash: 683fa7584ace1b6add629d662c78c519788de3a01389ccc111de693dbfd12ffc
Instruction Fuzzy Hash: 08214632B00208EFCF119BA4E8557EDB7B2EFC4320F158529EA02AB381CB759D15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4B17, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1843026dccc43115770b3fb177890ff42db55f54b79717a1ce624a7df73e6191
Instruction ID: c11c0a96c41be992036ba086ab8461f5efd5f96a4c01edc647540281f188d282
Opcode Fuzzy Hash: 1843026dccc43115770b3fb177890ff42db55f54b79717a1ce624a7df73e6191
Instruction Fuzzy Hash: BA21B3343093599FC704DF64D890BAB77A2FFC9315B1581AAEA058B792DB71DC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DFDEB9, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad3121071910f5b1b87cc361600995e6efe40acbe29670144399eb9190860a1
Instruction ID: 839a34c385ea1a897a5766cf18045fac47870f193777de175ec529c5305019e2
Opcode Fuzzy Hash: 7ad3121071910f5b1b87cc361600995e6efe40acbe29670144399eb9190860a1
Instruction Fuzzy Hash: 1C212B30A001598FDB05DF65C954BEDBBF2EF89304F2A95A8D901BB350DB359D45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DFDEC8, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07da526e5a72e4bc364d60f8ee2557a4bb19ff5fec541e3f7601d9d7716e6c8
Instruction ID: 603b3efec483fa902e9e874a78dc825291eacedcfad3be9acc5c210bd305a602
Opcode Fuzzy Hash: d07da526e5a72e4bc364d60f8ee2557a4bb19ff5fec541e3f7601d9d7716e6c8
Instruction Fuzzy Hash: 6A215730A002588FDB04DFA5C954AEDB7F2EF88314F2A94A9D905BB350DB35AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4B38, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffac2afbe05f4f6b451548b762a4a508a90ac6c573630ba7c95d7b8554bdc1e1
Instruction ID: 7ad3323875a93675a1284d2d97b9f43db13041ab197d284037091da8574b59f4
Opcode Fuzzy Hash: ffac2afbe05f4f6b451548b762a4a508a90ac6c573630ba7c95d7b8554bdc1e1
Instruction Fuzzy Hash: C5215834305719EBC718DF64D880A6BB7A6FFC9715B218269EA058B791DB71EC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5E69, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd14aff05815abc06da7bdd82baa5c125150fb96e9c0fe634798f53253ea590
Instruction ID: 7b98c6ba940bef8e4b35322e6cb667a9da54caead8ffcab99d2fbf0aee6bc4a5
Opcode Fuzzy Hash: 4dd14aff05815abc06da7bdd82baa5c125150fb96e9c0fe634798f53253ea590
Instruction Fuzzy Hash: 99113432204200AFE7025B28EC01FAF7BA6EFC5310F01856AF704EB2E1CA765D1587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF070, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbef9f0df32d25c6fd1749a64660283f3e8f5901bd84138c57386b0eedaeaef
Instruction ID: 117244da11b10268a43cd558da2f3e55b9ba672de7b54c9c5feb1f80a7227e04
Opcode Fuzzy Hash: abbef9f0df32d25c6fd1749a64660283f3e8f5901bd84138c57386b0eedaeaef
Instruction Fuzzy Hash: F711B2303042289FDB295B28D8287AE7BAAEF89715F1645BDE10AD7291CF784C05C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD402, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e59082cf7e333f0cefbd0dbd0ea36eb985198e6308f828c97384e8cd8315b4
Instruction ID: 9cfed7e514f8dd013d028a71b5799a952773c00d179ea666eeea96ea1f42db13
Opcode Fuzzy Hash: 95e59082cf7e333f0cefbd0dbd0ea36eb985198e6308f828c97384e8cd8315b4
Instruction Fuzzy Hash: 8511253130D3925FC71697B96C60A96FFEAEFC625471580ABD648C76A2E620DC04C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6EE1, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6e10f3c058bdba2fee4d323c05b74725b65917ef26f18063716474c1511a08
Instruction ID: 5bd836d6de0de0b340c0c1b718eaeaeac878c6bafd46e3363969c18fcc06d3f1
Opcode Fuzzy Hash: db6e10f3c058bdba2fee4d323c05b74725b65917ef26f18063716474c1511a08
Instruction Fuzzy Hash: AF1160352087568FC725DA2AE4C0836BBE4BF46320756845AEBDACBF61C720ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DF298A, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f765028317047521db1e9636a078a3741ef034eb230c9c15ecc2a82d924471f6
Instruction ID: 398abc16daa4d0da654690866e90a97140036442540af5f5d72870459987e983
Opcode Fuzzy Hash: f765028317047521db1e9636a078a3741ef034eb230c9c15ecc2a82d924471f6
Instruction Fuzzy Hash: B421E374600608CFCB14DB58C184A6AB7F2EF48311F668858D915AB761CB34FD46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4CB0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de147acf49541ccdb216ed25484ef6423c1bb8857d7449007202a2025d4408e
Instruction ID: f7eb54f5df0f66c8d00700c4571300743edb7be1a4993000fd770bddf31f71aa
Opcode Fuzzy Hash: 1de147acf49541ccdb216ed25484ef6423c1bb8857d7449007202a2025d4408e
Instruction Fuzzy Hash: C811E5363015189FDB119F59EC40BABB7E2FFC8321F02C132F90587254C77688118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA650, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c41efb3d573628d313808b0148679eb4f8789dc9c6a82580361a8e7e69dcaa0
Instruction ID: d6b42835f2a3a5db771977fbd424877ca128203aae3e96a5ea2d78504f44cf4d
Opcode Fuzzy Hash: 3c41efb3d573628d313808b0148679eb4f8789dc9c6a82580361a8e7e69dcaa0
Instruction Fuzzy Hash: BE1106757002188FCB15AA3998147BEBBF59F85255F2A856DDD09DB3A1EB308E04C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4C08, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e940a089ddaa9cd5cd07858a8e23c06f2ae8dc9f8831d9795c7d30d364f62195
Instruction ID: d2ab2b14522698a569648f8a1863ef4ebe88e81f975250e2e5adc7af8696b6dd
Opcode Fuzzy Hash: e940a089ddaa9cd5cd07858a8e23c06f2ae8dc9f8831d9795c7d30d364f62195
Instruction Fuzzy Hash: B211EC72D0010DAFCF41DFA9D8048EFBBF9FF88314B01866AE618E2120E7359665DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DFDFC8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdf57ae1ae13af38bfe8ae2c1d25505c9d4a0ecec1212d25f188837d51c783d
Instruction ID: 8be7efdb24cb952226c21b2c4ceefcb80f962eb49468314a4c6bbc9d155c53c7
Opcode Fuzzy Hash: ebdf57ae1ae13af38bfe8ae2c1d25505c9d4a0ecec1212d25f188837d51c783d
Instruction Fuzzy Hash: D1110631E041188FDB14CB98D554BEEBBF2AF88314F1685A5D504BB260CBB5AD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFDFB9, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cbcae14ca57ee804d23ef1d3b27a811b8f4fc7f4bb99aa4a322859d08b068e
Instruction ID: 6e3d5460ec08fd8586f8a9f051607b3384b78727da6d10c320f071ea0111a578
Opcode Fuzzy Hash: 27cbcae14ca57ee804d23ef1d3b27a811b8f4fc7f4bb99aa4a322859d08b068e
Instruction Fuzzy Hash: 3911F970A04118CFDB08DFA4C5587EDBBF2AF48314F168595C501BB2A0CBB59D45CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DFB1CD, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3360ce7188ee64b926d9fe0f6ce401991bf99330274bfc2a2763b434c7d2de2c
Instruction ID: 829591aaa751a59ffaf7f210d9b7bebaec1ab2e40181050aa3400538c3061d48
Opcode Fuzzy Hash: 3360ce7188ee64b926d9fe0f6ce401991bf99330274bfc2a2763b434c7d2de2c
Instruction Fuzzy Hash: D9110D71E0075A9ADB10CF51C854BA9FB72BF85314F65C686D5087B240EB70A9C9CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF62BC, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67d60ecd63f108c2a224dc2a83917b45100a337773eb365fc2883ea4071e6d8
Instruction ID: a5e59f624306726d4c420fca59ab2a7df488fe7283696569c23aadc6b37b04e4
Opcode Fuzzy Hash: a67d60ecd63f108c2a224dc2a83917b45100a337773eb365fc2883ea4071e6d8
Instruction Fuzzy Hash: BA110DB5D04249AFCF41CF99D8409AEBFF5FB49314B24419AE548A7252D332D913CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9340, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d443cfdeb34a15509ef50cc22f522ae99250b23dfce3cecc0d7b0f7219de84f3
Instruction ID: 0d05f53d5be157f2e5ccb4e956b62f8ed8be59e5e9c2e9f7d2873773a003ad4c
Opcode Fuzzy Hash: d443cfdeb34a15509ef50cc22f522ae99250b23dfce3cecc0d7b0f7219de84f3
Instruction Fuzzy Hash: 01012632E0868287DB114B7ACC247D9F7B1EFDA300F15C76BD54197290FB70999583A2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3348, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1302c9c0d3223f10d1d45a68570ac17f13f3e2d7ea218ee5b8be80548852b001
Instruction ID: 92f058ae6205bb7e248e34b01c952b9fcbbf81014ef6817f56fde526c97a0724
Opcode Fuzzy Hash: 1302c9c0d3223f10d1d45a68570ac17f13f3e2d7ea218ee5b8be80548852b001
Instruction Fuzzy Hash: 30115774A042459FC704DF48D894D6ABBB5FF89310B1585A9E909DB362C731EC52CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD49A, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4248a479dc3d72d0944a36fb3a2ae07e42615397f473aaccba90d20bd3750970
Instruction ID: e7372f4227381b2b01090d48e624b15f0efed978d9580828cb712bdc86b01e12
Opcode Fuzzy Hash: 4248a479dc3d72d0944a36fb3a2ae07e42615397f473aaccba90d20bd3750970
Instruction Fuzzy Hash: 7A019234B1010AABCB04EE99D840E9FBBEAFF85350B14842AE80897754D770ED15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6BF8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4e275c2484f30f103934af7604c7a6efad0885cf1a8ffae8720f8b0eeffb08
Instruction ID: 8be63140d4bb7d1909d686ad71791f661a1599518b5693194228e431afab946a
Opcode Fuzzy Hash: ef4e275c2484f30f103934af7604c7a6efad0885cf1a8ffae8720f8b0eeffb08
Instruction Fuzzy Hash: B4211730A01219CFDBA4DB34C950B99B7B2FF44308F2285E9D645AB2A1CB71ED81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5EB0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce4d01845cbfe191c134df845417fcf61bf52f544bf3a87043c48a45b624161
Instruction ID: 84b7760293f736680fee3a06b777cabdef697abca937516ed67d02d19cb202c5
Opcode Fuzzy Hash: 7ce4d01845cbfe191c134df845417fcf61bf52f544bf3a87043c48a45b624161
Instruction Fuzzy Hash: 3F0141312083406FC7069B28EC51F9A3FA2EF85304F12456EF700AF2E2CB765C2987A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9350, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdc37fa15d1f8c012a7fc285ff2e2e5731a090ef491ee0b20189e42d9d69882
Instruction ID: f81a91b5142e08bcedd04355119a2ce5bd3f0b675fb88eee69fd80672e0ecda7
Opcode Fuzzy Hash: cbdc37fa15d1f8c012a7fc285ff2e2e5731a090ef491ee0b20189e42d9d69882
Instruction Fuzzy Hash: 6B01DD32E04A8682DB10497ADC147D9F3A2EFD9310F25D72BD552932C4E770D4D182A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D005, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.494079911.0000000000E5D000.00000040.00000001.sdmp, Offset: 00E5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fc1c0f6f34bab9d1fdfabc1a2ed49c586520e23704651e72da714f4be9de0d
Instruction ID: 4893b7b3947b34503d8e92b11b3b103a169815975422525afe8db08984a75962
Opcode Fuzzy Hash: 41fc1c0f6f34bab9d1fdfabc1a2ed49c586520e23704651e72da714f4be9de0d
Instruction Fuzzy Hash: FD014C7140E3C05FE7228B258C94B52BFB8AF43229F0985DBD9849F2E3C2695849C772

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.494079911.0000000000E5D000.00000040.00000001.sdmp, Offset: 00E5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d42a9fd33eb5d84d25689ef22bb109839c83d1b5937e73d9a484a359890fa43
Instruction ID: 96d2127ed790b6e34674fe1a5630e88062fe878b6f2b1b3959811f3a031a86fc
Opcode Fuzzy Hash: 6d42a9fd33eb5d84d25689ef22bb109839c83d1b5937e73d9a484a359890fa43
Instruction Fuzzy Hash: 1E01F77140C384AAEB304A15CC84BA3BB99EF41339F18D91AED456F2C2C3799C49C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD430, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9835732c19024c707e67a0db665d5f0ed4202fb101d8df396b8eac41d8e13a
Instruction ID: eda2a98042d448b1c8100aebfdf71e748e71085727fb4925d89083100703d359
Opcode Fuzzy Hash: 0e9835732c19024c707e67a0db665d5f0ed4202fb101d8df396b8eac41d8e13a
Instruction Fuzzy Hash: 06F062757041156B971896AA9C44F6BF6DFEFD8394714C43AEA0CC7750EA30EC0587E0

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF300, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7780ea5d4cf0555379b7f0c2b95f0b0ba40ed9190add70189b09ddecadbdb0b
Instruction ID: 97f9abf0ae70382692cac068223ff2c3b147f4bdaaf492171a9da393a6a43c7d
Opcode Fuzzy Hash: f7780ea5d4cf0555379b7f0c2b95f0b0ba40ed9190add70189b09ddecadbdb0b
Instruction Fuzzy Hash: 6301DC2205E2D0AFD3024769DCA1AA23FB8EE433A074B80D7E540CF1B3C6159906D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00DF7018, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70af44ceccbf9d0cf2426e0b9c686ff29c378ab9ffda95e9951f49a96103677
Instruction ID: c208c9b0e9ffb3c35b829df79d7c63dd873f72191ef5002c7f1b7830f6e74581
Opcode Fuzzy Hash: f70af44ceccbf9d0cf2426e0b9c686ff29c378ab9ffda95e9951f49a96103677
Instruction Fuzzy Hash: 71015E70A0836D8AEB14EA64C8157FEBAF6AF44704F168459C241BB281CFBA5E4487F1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF62D0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2945e5b2243c3fdda908ad4a40194443eaa4b83422367e68bcf284615e413d7
Instruction ID: bf8034943a6055579defc01d3b5c5487f2867706a99b61261c0133ceb875abbf
Opcode Fuzzy Hash: f2945e5b2243c3fdda908ad4a40194443eaa4b83422367e68bcf284615e413d7
Instruction Fuzzy Hash: 4A0197B5900119AFCF45CF99D9409AEBBF9FB4D224B244199E918A7301D336E913CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5EC0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3ed63e3a5051495c83cfc7fd649c0f8661304d49498c8d4c6a7f0fbd5be50b
Instruction ID: f5427469718d6ce3cef2e021fa00af0af86ba2e92c52011e7200065a22290ce0
Opcode Fuzzy Hash: fc3ed63e3a5051495c83cfc7fd649c0f8661304d49498c8d4c6a7f0fbd5be50b
Instruction Fuzzy Hash: 4E012131200204ABCB059E28DC02F9E7BA2EF84314F014529F704AB2E0CBB6AC2587A5

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4BF8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3d35cc8be0f5847a7fde7a815124510cfb2a9baa7034d99d0d1059d119a8e7
Instruction ID: 949c86bef10e90b37c94d603a09b2611a2f9193d8b56d92fde606e5ec88481b1
Opcode Fuzzy Hash: da3d35cc8be0f5847a7fde7a815124510cfb2a9baa7034d99d0d1059d119a8e7
Instruction Fuzzy Hash: EF016D72D0525AAFCB41DFA998009EFBFF9AE89210B05817BD158E3111E7345A14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF9678, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4299d2e40513e36bd99ad301351fc7b44e3f28abcc12638cd2d9d3c239db3358
Instruction ID: f05d14f8ea487220ff818344b01a378983a69192c15c39039d68fc3740cfa425
Opcode Fuzzy Hash: 4299d2e40513e36bd99ad301351fc7b44e3f28abcc12638cd2d9d3c239db3358
Instruction Fuzzy Hash: 19F0B4727004149BC7259B69E014AAAB3A5EFC4736B0A80BBF60DC7B60CF35DC52C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4C9F, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087e064e3631e5cbbac3d3db7aa2380c3be0f9f4a55cfcea2105189ba1f62b52
Instruction ID: a1eabe86ffa52551df203304b4b1517259dfee47a7af50dbc6da71d0b4a99011
Opcode Fuzzy Hash: 087e064e3631e5cbbac3d3db7aa2380c3be0f9f4a55cfcea2105189ba1f62b52
Instruction Fuzzy Hash: C5F0F6362052449FD7029F29D840ACABFE6FFDA320F06C166F9148B262C6318C11C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFEFC8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902514b9cf343f81d74d2bbaf748c5d314214e9d78bbbb046965868e086d0953
Instruction ID: c78c8dbbeeaba349dde306e5f6c5485171a82615f4d8270977723b72ef0d3731
Opcode Fuzzy Hash: 902514b9cf343f81d74d2bbaf748c5d314214e9d78bbbb046965868e086d0953
Instruction Fuzzy Hash: CDF0C2305002198FDB185B65C859BFEBBB5EF88311F068939D505B7391CF744805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF2C0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e887eb8821d382c1247e2e07cbe3301919917491882128a637222c1e64d9cdf9
Instruction ID: 4db1c56ea164cea350a0347aff2272a914bf5cd0989635c646228dfafe6e3809
Opcode Fuzzy Hash: e887eb8821d382c1247e2e07cbe3301919917491882128a637222c1e64d9cdf9
Instruction Fuzzy Hash: F6F0BE3105E290AFD3024B69DC91A963FB8EF477A074740D7E5408F2B3C6159901D7F6

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5231, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53e9d87ec8e464494be7484918410d0eaa269c0ef1c6e55571faef7b184ffb5
Instruction ID: c0946df0cee299b9157d0bbff93b9c6f22d9ca74a6cb1be21c6f58ea67a1f2c9
Opcode Fuzzy Hash: d53e9d87ec8e464494be7484918410d0eaa269c0ef1c6e55571faef7b184ffb5
Instruction Fuzzy Hash: 11F01975E04219EFCB40DFA9E8055EEBBF9FB48320B10815AEA59E7301E6349A508F91

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF268, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069e0aad1ae81981a47523ff2bfbdad0c795250083af030b57e4946f0957c6e2
Instruction ID: 9f2c80481670f8640f111e43c7aa3bccb551b0aa4f66febf46c1a010a9e7b0ce
Opcode Fuzzy Hash: 069e0aad1ae81981a47523ff2bfbdad0c795250083af030b57e4946f0957c6e2
Instruction Fuzzy Hash: 14F08C3740420DBF8F12CFA09C008EF7FBAEB49310B1584A6F904C7420D6318B21ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE617, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c5a9bd91c33fb7470f12b145ba39f75f75004c23538cb34acdafba09698c93
Instruction ID: 10968f10f47ad16fe6d274e688ae0b7737ff5a5a59b53bb3674d274f03dae74e
Opcode Fuzzy Hash: 42c5a9bd91c33fb7470f12b145ba39f75f75004c23538cb34acdafba09698c93
Instruction Fuzzy Hash: 31F0A935600249CFDF15CF94E8C48DEBBB1FF453007248A99D8868B212C735E816DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9817, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f941fc9f077ea8c36394b73d2fb540bad12b61ab4f25a3ebdb3ac25f53bd7f5
Instruction ID: ea95acdce4728dfb1137bd1c857c3ae8a4cb183479f569d62a66ab45e9b506a6
Opcode Fuzzy Hash: 4f941fc9f077ea8c36394b73d2fb540bad12b61ab4f25a3ebdb3ac25f53bd7f5
Instruction Fuzzy Hash: 24F08C30E00219DFDF55CF64D888BADB7B2BF85304F1480AAE40893240CB318995CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DC980E, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f941fc9f077ea8c36394b73d2fb540bad12b61ab4f25a3ebdb3ac25f53bd7f5
Instruction ID: ea95acdce4728dfb1137bd1c857c3ae8a4cb183479f569d62a66ab45e9b506a6
Opcode Fuzzy Hash: 4f941fc9f077ea8c36394b73d2fb540bad12b61ab4f25a3ebdb3ac25f53bd7f5
Instruction Fuzzy Hash: 24F08C30E00219DFDF55CF64D888BADB7B2BF85304F1480AAE40893240CB318995CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAEB8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5800b5ecdfbd4e057ea4c2a89f2d0915db03ccaaeb342c27872f2490913a02c3
Instruction ID: 71b73713e13edc46a9d2b0f5fb3bdbc26eec9c21b9663e4ba3bf865b4c92d8a3
Opcode Fuzzy Hash: 5800b5ecdfbd4e057ea4c2a89f2d0915db03ccaaeb342c27872f2490913a02c3
Instruction Fuzzy Hash: FCE02233309105AFE3005AB8AC8A7ABBB9AEBC8309F008025F70586261CA244C0283A2

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5240, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea01329ecc8b2ce462379c8ce7f8b9ad13a9db0e2732ec6880325bfdc2cb2c5
Instruction ID: 9a4a6c3fd8e354679337a811c6178c0ea4f863f167ec1fc9ad40a23f12f122c0
Opcode Fuzzy Hash: 0ea01329ecc8b2ce462379c8ce7f8b9ad13a9db0e2732ec6880325bfdc2cb2c5
Instruction Fuzzy Hash: FDF0A475E00219EFCF40DFA9D8049EEBBF5FB4C260B10812AE919E3210E7349A109F90

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9410, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fbe820d8857a0688b7294b14a8f703d73c7e5257add11820e5a5c9b9af53bb
Instruction ID: 9b4a943ed854b377ba314440c1e739a452624b4aca5ae58475efab89e4e459f4
Opcode Fuzzy Hash: e5fbe820d8857a0688b7294b14a8f703d73c7e5257add11820e5a5c9b9af53bb
Instruction Fuzzy Hash: 96F0B77200428AAFDF028FA09C01EEA3FA6EF89214F098155FA9495062C639D530EB64

Uniqueness

Uniqueness Score: -1.00%

Function 00DF9278, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6203c16a2655ec63a2ae14fe425010d36fca459e7dd90e0e41dfb161749e0c3
Instruction ID: 9bd3bbe117f89e6bb3243fc111def6fe06198d727c565c7947ffaeb63b17ad62
Opcode Fuzzy Hash: c6203c16a2655ec63a2ae14fe425010d36fca459e7dd90e0e41dfb161749e0c3
Instruction Fuzzy Hash: 75E04F363006249B4B1497B9E4108AFB7DADFC5229714897AD60EC7700DF71EC0296A5

Uniqueness

Uniqueness Score: -1.00%

Function 00DF926A, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250904b78cf0e2f9e8a33e47c3789039ba23f4b7d45fda005cc3c54508b7d556
Instruction ID: 5a072e8fca65102793ae32f04aaef0a39c0b83784d933115bbf268f81a18b929
Opcode Fuzzy Hash: 250904b78cf0e2f9e8a33e47c3789039ba23f4b7d45fda005cc3c54508b7d556
Instruction Fuzzy Hash: ECE0262A3052E0479B055369F4301AF3B19CDC232A30A85ABD78DDB602C9408C09C3E5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCC867, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31dbf8741616e0d5acb2e032e8c0c9b8fa599f6dd397fe09dd876d286392177
Instruction ID: 45970f21a070eac0008c443dd1a55f18f8e8ad7c4e3675e047c3253e219fa957
Opcode Fuzzy Hash: a31dbf8741616e0d5acb2e032e8c0c9b8fa599f6dd397fe09dd876d286392177
Instruction Fuzzy Hash: CCE0C2D376D2E20FCB076378A42C29CAF01DFA10A6B540AB7C3869B082C90A4C16C221

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9420, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6448b5e701538b8371bcd31397f5c596c51dcd28b10216c14f609e46351a7359
Instruction ID: 00a2fb817b71b3c64e757a1f89e4d0cc64add10ec635a51fda046455a31e0e1e
Opcode Fuzzy Hash: 6448b5e701538b8371bcd31397f5c596c51dcd28b10216c14f609e46351a7359
Instruction Fuzzy Hash: 23F0C27200014EBFDF528F90DD01FEA3FAAFB8C314F058155FA5454061C63AD530AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF198, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8090d186317b796359923c5decb23f9b8db6fe2c9148207811412d56cf72a9
Instruction ID: adcf7c0bba866cc4afb36e3bf8b35cccf760074d8cd610c3019a084274b0d7a8
Opcode Fuzzy Hash: ec8090d186317b796359923c5decb23f9b8db6fe2c9148207811412d56cf72a9
Instruction Fuzzy Hash: 4EE0CD313091904FC705165A64146973FDEDFC7761F1941D7D40CC7653CA650C0147F1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF278, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9851f27206344d0d18fbf945b0096a6ddadf6d5882b16af962d5cfd67e392cc
Instruction ID: e67b79cd08014537ed3d2ad4820ccee028e2f7f351a999b91378bbb85345d71c
Opcode Fuzzy Hash: b9851f27206344d0d18fbf945b0096a6ddadf6d5882b16af962d5cfd67e392cc
Instruction Fuzzy Hash: 2AE09A7650010DFF9F01DEA09D00CAF7BBAEB48200B00C455B90492110D6328A31AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5E78, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6aff8d59454263b82aa5a69dbd3109cf7b31322809a8a2b9e6da34d97de1a7
Instruction ID: 60e5da3c967b6ecd92f244ad4c6bb3eceb810761b1f853024ec1599005b4e906
Opcode Fuzzy Hash: cb6aff8d59454263b82aa5a69dbd3109cf7b31322809a8a2b9e6da34d97de1a7
Instruction Fuzzy Hash: F3D017723010106BE314118AAC09FBBB2EEDBCAB62F15C07EB209A728289A58C0143B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3D40, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15544ba8d2530f876340b1e052c05bcb138f2311524a0734d75e7cc0ce2b1b6b
Instruction ID: 3e135bc4e95be752e2922f17739f70b63d7ac0fa31e9a1eec685ff044a078a37
Opcode Fuzzy Hash: 15544ba8d2530f876340b1e052c05bcb138f2311524a0734d75e7cc0ce2b1b6b
Instruction Fuzzy Hash: 2CD05EB060D3875FD7110FAA9819E227F7DEE5331030945D9EC45C7462EA159A1087B6

Uniqueness

Uniqueness Score: -1.00%

Function 00DCC831, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0e6dc6991708aed6aff677bc49b648344854d4a2bf9a7ea1f7e87417eecec2
Instruction ID: 3d6264547341bd9ebb7897ef1006a90755e4ca1eb56f8b85f0321ff5066c0295
Opcode Fuzzy Hash: 0b0e6dc6991708aed6aff677bc49b648344854d4a2bf9a7ea1f7e87417eecec2
Instruction Fuzzy Hash: F8D012333412100AE1946269B8117AEA367EFE066AF72863BD3058EBD4CEA55C0A42D5

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF1A8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5ea82008d7ab2c3dcd72ff4703b4ad8541ac3011af8c7c97bdf919651fc661
Instruction ID: 4babfd2cccd66f6af38caad42ea85bd4642e207e9a5d8985a16f2be53dfaa960
Opcode Fuzzy Hash: dd5ea82008d7ab2c3dcd72ff4703b4ad8541ac3011af8c7c97bdf919651fc661
Instruction Fuzzy Hash: E7C01236721024138718219EB408AAF76CFDBC9A22B19813BE10DC33459DA58C0202E5

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6292, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
Instruction ID: f75b7baf96ad4f2481278a92471104b632be91219b651fce8265dedd431d87ab
Opcode Fuzzy Hash: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
Instruction Fuzzy Hash: DAD06C35A000199BCF04CA88D8546ECF7B0EB88329F1480AAD918AB281C776A956CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00DF2F21, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba32733f606a1525c5b3c41cb5996fc5be5619e8fa0bf6d3f62736b5cb1cd2a
Instruction ID: 62f04b30cb2c090b12de087e90a590b48511c9292cc3fd0fb69727a747c8f94f
Opcode Fuzzy Hash: 1ba32733f606a1525c5b3c41cb5996fc5be5619e8fa0bf6d3f62736b5cb1cd2a
Instruction Fuzzy Hash: 17D0127B0142888FC7208B78E458AC43FA4AF15521F5540C9E4194F633D610E841C652

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF2F0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a93df405bc429466bd65229d29705813b12b6460fd06a522898cc08a59ba6a
Instruction ID: c16569c77793bc0f09bc920b9b274da3ad68a6c1fb003328aecad9df46874185
Opcode Fuzzy Hash: 79a93df405bc429466bd65229d29705813b12b6460fd06a522898cc08a59ba6a
Instruction Fuzzy Hash: E9B092342A02089FC2409B5AD849F01B7ACEF05A24F4140D0F2088F672C662E8008A80

Uniqueness

Uniqueness Score: -1.00%

Function 00DF2F30, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
Instruction ID: 96a74fec5220f98754945e00ce640a92889f3d2d232068f8612b65c1e83e2114
Opcode Fuzzy Hash: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
Instruction Fuzzy Hash: B4B092351502088F82009B68E448C4073E8AB08A253114090E10C8B232C621FC008A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DF18A8, Relevance: 5.4, Strings: 4, Instructions: 352COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DF1C7A
HJ, xrefs: 00DF1C34
HJ, xrefs: 00DF1BEE
HJ, xrefs: 00DF1BA8

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ$HJ$HJ
API String ID: 0-2451104629
Opcode ID: 850abb437c4b0f2cd90f2baf1435ef5ed496f330f73283d37d693e750b6228ff
Instruction ID: 045c569d6c41440347dcec20d402e1d2b680fd79c95911b7bb64cf1f6faeb8c1
Opcode Fuzzy Hash: 850abb437c4b0f2cd90f2baf1435ef5ed496f330f73283d37d693e750b6228ff
Instruction Fuzzy Hash: 04C1F034700718CBCB289B79881567AB6F6EFC4749B0A893DD606D7394EF34DD0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0487, Relevance: 6.4, Strings: 5, Instructions: 159COMMON

Download Yara Rule

Strings

`ol, xrefs: 00DC04A8
`ol, xrefs: 00DC0503
`ol, xrefs: 00DC0561
`ol, xrefs: 00DC0621
`ol, xrefs: 00DC05BF

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: `ol$`ol$`ol$`ol$`ol
API String ID: 0-1632316405
Opcode ID: 144f59472c5362f9e7a4855cbe83c1719033883d06100a01f4735493c2caa3b3
Instruction ID: 7f0144df73042c89683d13b5c25ffe624d6c56c32ffd9f0c0de5edfce03842d2
Opcode Fuzzy Hash: 144f59472c5362f9e7a4855cbe83c1719033883d06100a01f4735493c2caa3b3
Instruction Fuzzy Hash: EF516B30110705DFC324EB38C481B56B7A2BF88309F564E2CD24A8BAA5DB75BD59CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0488, Relevance: 6.4, Strings: 5, Instructions: 158COMMON

Download Yara Rule

Strings

`ol, xrefs: 00DC04A8
`ol, xrefs: 00DC0503
`ol, xrefs: 00DC0561
`ol, xrefs: 00DC0621
`ol, xrefs: 00DC05BF

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: `ol$`ol$`ol$`ol$`ol
API String ID: 0-1632316405
Opcode ID: ff120b67bb26b447969214014f38a2ba02c6113c01ebb78405034a3cc5285800
Instruction ID: 621c0e3eb11a7d954a76b499601654217bd186b316b5b93d7f1c5da2c942fc9d
Opcode Fuzzy Hash: ff120b67bb26b447969214014f38a2ba02c6113c01ebb78405034a3cc5285800
Instruction Fuzzy Hash: 18516B30110705DFC324EB38C481B56B7A2BF88309F564E2CC24A8BAA5DB75BD59CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DF1B23, Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DF1C7A
HJ, xrefs: 00DF1C34
HJ, xrefs: 00DF1BEE
HJ, xrefs: 00DF1BA8

Memory Dump Source

Source File: 0000000E.00000002.492697166.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ$HJ$HJ
API String ID: 0-2451104629
Opcode ID: cdfbce21f3e8a30f9a099d6f5ff82986eff94556c75508136cd4cda77dbfc11f
Instruction ID: 214ee4b08d47525e68a9ed5c1fd945417e09a4cfa978987190c65c256d5d0b3d
Opcode Fuzzy Hash: cdfbce21f3e8a30f9a099d6f5ff82986eff94556c75508136cd4cda77dbfc11f
Instruction Fuzzy Hash: 8851F1387007148BC768AB79881563E76F7EFC564970A893DDA06CB395EF348C0A8796

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3B70, Relevance: 5.1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DC3C2F
HJ, xrefs: 00DC3D11
HJ, xrefs: 00DC3C7A
HJ, xrefs: 00DC3B9C

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ$HJ$HJ
API String ID: 0-2451104629
Opcode ID: 8204d7dd108c19d31356f1dca10ded3ee7856d71471186da5ae89911e85066d2
Instruction ID: 3ed1aed8c4ec85098493a46a33899d7c9a954660c7f194a50107e9581a992ead
Opcode Fuzzy Hash: 8204d7dd108c19d31356f1dca10ded3ee7856d71471186da5ae89911e85066d2
Instruction Fuzzy Hash: 56510875A001189FDB04DFB8D854AAEB7B6FF8D305F1184A8E906EB3A1DB309C41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7830, Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

HJ, xrefs: 00DC78DE
u, xrefs: 00DC78BB
HJ, xrefs: 00DC78C0
u, xrefs: 00DC78D9

Memory Dump Source

Source File: 0000000E.00000002.492127592.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ$u$u
API String ID: 0-1046299971
Opcode ID: a1acceaceab919bfd92338c2142e738de64eecf2c4e38820365412b10e4961c4
Instruction ID: 8de872b4bc730baefe2c79f15d036b00d65b7832d49b5da2301d68816b5772fe
Opcode Fuzzy Hash: a1acceaceab919bfd92338c2142e738de64eecf2c4e38820365412b10e4961c4
Instruction Fuzzy Hash: A821F2343083404FCB149B75D868A6A7BA6EFC135531A487ED60ACB685DF30DC09CBB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 5nXX3v5zWn.exe PID: 5712 Parent PID: 3440 5nXX3v5zWn.exeCOMMON

Executed Functions

Non-executed Functions

Function 00431D21, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.274022671.0000000000430000.00000002.00020000.sdmp, Offset: 00330000, based on PE: true

Associated: 0000000F.00000002.273166020.0000000000330000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.273182798.0000000000332000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57b0c947b27ab047afb6636fdf2b1eb615d0a10ab61369f648862bbeee70af3
Instruction ID: ca654d42b21eafa30935251950d8afc62f139dd2b3cd7df6f4ad61b2b4d884c4
Opcode Fuzzy Hash: a57b0c947b27ab047afb6636fdf2b1eb615d0a10ab61369f648862bbeee70af3
Instruction Fuzzy Hash: CBB012310053948FC3436B20C81180037B0AF5331070344D2C440CF0B3E3340D20E770

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 5nXX3v5zWn.exe PID: 3708 Parent PID: 3440 5nXX3v5zWn.exeCOMMON

Executed Functions

Function 057253F4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000000,00000004,?,00000001,00000000), ref: 0572598B

Strings

K@$,, xrefs: 057258CB
K@$,, xrefs: 057258AB

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID: CreateFileMapping
String ID: K@$,$K@$,
API String ID: 524692379-322028838
Opcode ID: 191449d2fff14326b85c91295597ceb5965e2c3717aad75452f913ca93b4d1f0
Instruction ID: 42b5358af6eb48a43e2e20f1e33f521e44dbd87eb7dc3959040b30baeb8ee3c2
Opcode Fuzzy Hash: 191449d2fff14326b85c91295597ceb5965e2c3717aad75452f913ca93b4d1f0
Instruction Fuzzy Hash: 235102B1D043589FDB14CFA9C888B9EBBF2BF89314F25812EE409AB251D7759884CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05725876, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000000,00000004,?,00000001,00000000), ref: 0572598B

Strings

K@$,, xrefs: 057258CB
K@$,, xrefs: 057258AB

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID: CreateFileMapping
String ID: K@$,$K@$,
API String ID: 524692379-322028838
Opcode ID: 9aa7157dee6ec83d66eab0839127d5ad7fe15c114cf589ec9fd233f9c1e823e4
Instruction ID: 895f318b7ecaa1607f67719786e964239b8be0c7d62df704fbbd708069776214
Opcode Fuzzy Hash: 9aa7157dee6ec83d66eab0839127d5ad7fe15c114cf589ec9fd233f9c1e823e4
Instruction Fuzzy Hash: 475102B1D043589FDB14CFA9C888BDEBBF2BF49314F29852AE409AB251D7749884CF51

Uniqueness

Uniqueness Score: -1.00%

Function 078B56DC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 078B8EDA

Strings

K@$,, xrefs: 078B8E32
K@$,, xrefs: 078B8E52

Memory Dump Source

Source File: 00000011.00000002.533612809.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: K@$,$K@$,
API String ID: 1029625771-322028838
Opcode ID: bbe705e1d867befe2d2ab982f750f2380185018d7af9db9c9e3badc659ebbaa3
Instruction ID: 39cf2b3e1fa51d8965de57235ddbb7c6ddf3be754b72f0a5f6f68f17419976c7
Opcode Fuzzy Hash: bbe705e1d867befe2d2ab982f750f2380185018d7af9db9c9e3badc659ebbaa3
Instruction Fuzzy Hash: 593103B0D10259DFDB24CFA8C8857DEBBF9AB19314F148529E815E7340DB78A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 078B8E04, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 078B8EDA

Strings

K@$,, xrefs: 078B8E32
K@$,, xrefs: 078B8E52

Memory Dump Source

Source File: 00000011.00000002.533612809.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: K@$,$K@$,
API String ID: 1029625771-322028838
Opcode ID: 8f30f082092d0707962065139711a259bfd4489c0815a2675a65a82adbe0fa19
Instruction ID: 7decd8417c029009158357be72b805f729816ee9d86d3a76c79661ec533d52c5
Opcode Fuzzy Hash: 8f30f082092d0707962065139711a259bfd4489c0815a2675a65a82adbe0fa19
Instruction Fuzzy Hash: CB3125B0D10249CFDB24CFA8C8857DEBBF5AB28314F148129E815E7380DB78A845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 057254A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 05726621

Strings

K@$,, xrefs: 057265A4

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID: Create
String ID: K@$,
API String ID: 2289755597-3740991653
Opcode ID: 3dfd0efb1a384f42079ce641321532b74fbeafbbd3d5581f38224c6b22489d73
Instruction ID: 5f42ac0372a5ef98369eca199960c21442a73d3405deb6828e536cdd19a0835f
Opcode Fuzzy Hash: 3dfd0efb1a384f42079ce641321532b74fbeafbbd3d5581f38224c6b22489d73
Instruction Fuzzy Hash: BA41D271C0462CCBDB24CFA9C9447CEBBB5BF48304F25846AD409AB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05726566, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 05726621

Strings

K@$,, xrefs: 057265A4

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID: Create
String ID: K@$,
API String ID: 2289755597-3740991653
Opcode ID: 2dbbb1aff209eb6cb35f5cdadb15cf05168a17bc10a9b91a7f0c81d74497d1a0
Instruction ID: e572b94e35077fa71acbdc84b5b5b2810678a1153cdab8d8cd031c46904a60be
Opcode Fuzzy Hash: 2dbbb1aff209eb6cb35f5cdadb15cf05168a17bc10a9b91a7f0c81d74497d1a0
Instruction Fuzzy Hash: 4441D2B1C00628CFDB24CFA9C9847DEBBB5BF48304F25846AD419BB251DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 05720CD0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05720D91

Strings

K@$,, xrefs: 05720CE7

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID: CallProcWindow
String ID: K@$,
API String ID: 2714655100-3740991653
Opcode ID: d9b67af767d218816c0d15505638d0e09dfaf783a1892946eb3ed91a1a386afd
Instruction ID: 3d4807d7495fad66261418e9d81ca9744ec2cd65e10d42084d6594dfa869da4d
Opcode Fuzzy Hash: d9b67af767d218816c0d15505638d0e09dfaf783a1892946eb3ed91a1a386afd
Instruction Fuzzy Hash: A54139B8A00319DFCB14CF99C488BAABBF5FF88314F258559D519AB321D734A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05725B28, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,00000001,00000004), ref: 05725BB4

Strings

K@$,, xrefs: 05725B4A

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID: FileView
String ID: K@$,
API String ID: 3314676101-3740991653
Opcode ID: caeab21c98844f9f8276068b65b157dc1d7c155784dc0eb93fec6f43a3c6fc99
Instruction ID: 62a261b8b6bba74fc75c5cea018b5608e008f2c3b0cc60bb5e56c7794b886afb
Opcode Fuzzy Hash: caeab21c98844f9f8276068b65b157dc1d7c155784dc0eb93fec6f43a3c6fc99
Instruction Fuzzy Hash: 692103B19002489FCB10CF99D988B8ABFF4EF89324F19C059E918AB221D775A805CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05725B30, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,00000001,00000004), ref: 05725BB4

Strings

K@$,, xrefs: 05725B4A

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID: FileView
String ID: K@$,
API String ID: 3314676101-3740991653
Opcode ID: 87ef6f03b769884e8457dacf55ce4501e3f263f1c3a2fe5fc41dc4e1006a4b49
Instruction ID: 650a64b711f10193c1d254efb50d78811e38350895b818c43e3e4f1a79acf74d
Opcode Fuzzy Hash: 87ef6f03b769884e8457dacf55ce4501e3f263f1c3a2fe5fc41dc4e1006a4b49
Instruction Fuzzy Hash: 3521F5B1900248DFCB10CF99D988B8EFFF4AF89324F15C059E919AB261D775A844CF61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0572A559, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a6e97c341a8e7827847ce6d17c7796dcfc144dc4225067d1a48019b6726a01
Instruction ID: dd3384b308c3b10669f7d8a80c2999d4377a327a33c4e51e7273d4b88de861bc
Opcode Fuzzy Hash: f0a6e97c341a8e7827847ce6d17c7796dcfc144dc4225067d1a48019b6726a01
Instruction Fuzzy Hash: 1E218970E05219DFCB05DFA8C4487EEBBB1BF49304F5986A9C405A7290D7749F86DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0572A568, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e57d09ff48c1d76cd5bc6e2594b0de9554b8652a540322ec89436cfef35024
Instruction ID: e60edcf807d23494df851ea657b11351677d75fc748c51769f9f8d776658a281
Opcode Fuzzy Hash: 53e57d09ff48c1d76cd5bc6e2594b0de9554b8652a540322ec89436cfef35024
Instruction Fuzzy Hash: 5021E270E05219DFCB04DFA8C548BEEB7B2BF48304F5545A9D405A7294D7709F85DB80

Uniqueness

Uniqueness Score: -1.00%

Function 078BFE8B, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533612809.00000000078B0000.00000040.00000001.sdmp, Offset: 078B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab5fe2fca02639d4dabd5643e8a930fba10b3d22b3d82f704fd2527a0f07dcc
Instruction ID: 6dd44290e24b27deeeedfc418f8066f4a9a63fcdb60d7919aae1b6a1b24a05d3
Opcode Fuzzy Hash: 3ab5fe2fca02639d4dabd5643e8a930fba10b3d22b3d82f704fd2527a0f07dcc
Instruction Fuzzy Hash: A32133B5E012289FDB04DFA4D858BEEBBF1BB48304F14856AD900B7380DB785A48CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05729EF5, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction ID: f0238c3ef0b9dbd5d7d7a5a6b1fe55c90c4f56627f85ed833a695687be8ef1e6
Opcode Fuzzy Hash: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction Fuzzy Hash: AFB09236E0001896CB00CEC4A0003FCF770E782236F042066C208B3500823086A8569A

Uniqueness

Uniqueness Score: -1.00%

Function 05722B75, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction ID: 3a42d7c060f8f90ba1cf978a3901f7a7270fb9d04c80fb2fa7bb1d24189dd548
Opcode Fuzzy Hash: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction Fuzzy Hash: EAB0923AE0001896CF00CEC4A0003FCF770E782226F002066C208B3500923486A8569E

Uniqueness

Uniqueness Score: -1.00%

Function 05729A2D, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.526950709.0000000005720000.00000040.00000001.sdmp, Offset: 05720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction ID: ccb47174688003f4fa78faff1ac4573d449bf237016e2098e6900f041c9f5847
Opcode Fuzzy Hash: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
Instruction Fuzzy Hash: F6B09236E0011896CB00CEC4A0003FCF770E782326F042062C608B3500923086A8969A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2440 Parent PID: 3708 vbc.exeCOMMON

Executed Functions

Function 00408836, Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 234filenativeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040885E

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4

Part of subcall function 0040FC89: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31

NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 004088C6
FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA
_wcsicmp.MSVCRT ref: 0040898B
_wcsicmp.MSVCRT ref: 0040899E
_wcsicmp.MSVCRT ref: 004089B1
OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,000000FF,00000000,00000104), ref: 004089C5
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00408A0B
DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00408A1A
memset.MSVCRT ref: 00408A38
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00408A6B
_wcsicmp.MSVCRT ref: 00408A8B
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 00408ACB
FreeLibrary.KERNELBASE(?,?,?,000000FF,00000000,00000104), ref: 00408AED

Strings

taskhost.exe, xrefs: 00408996
dllhost.exe, xrefs: 00408982
taskhostex.exe, xrefs: 004089A9

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindFreeInformationLibraryNameNotificationOpenQuerySystem
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 1954110673-3398334509
Opcode ID: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
Instruction ID: ac6d74245de41f4a68afaf46936feeb9e4215e23a81ac82868d75cf9687b4f7b
Opcode Fuzzy Hash: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
Instruction Fuzzy Hash: FB9115B1D00209AFDB10EF95C985AAEBBB5FF04305F60447FE949B6291DB399E40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004422C7, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000,00442385,?,00000000,?), ref: 004422D4
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004422E9
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004422F6
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00442303
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00442310
GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 0044231D
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044232B
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00442334

Strings

VaultEnumerateItems, xrefs: 004422F8
VaultGetInformation, xrefs: 00442312
vaultcli.dll, xrefs: 004422CF
VaultOpenVault, xrefs: 004422E0
VaultFree, xrefs: 00442305
VaultCloseVault, xrefs: 004422EB
VaultGetItem, xrefs: 0044231F, 00442324, 0044232D

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2238633743-2107673790
Opcode ID: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
Instruction ID: a68d3860b1f677998bacfaa0c7abd00484677722be3dbe7bb4ba7aced869f3e7
Opcode Fuzzy Hash: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
Instruction Fuzzy Hash: CB012874941B04AEEB306F728E88E07BEF4EF94B017108D2EE49A92A10D779A800CE14

Uniqueness

Uniqueness Score: -1.00%

Function 00411196, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143processlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004111B6
memset.MSVCRT ref: 004111CB
Process32FirstW.KERNEL32(?,?), ref: 004111E7
OpenProcess.KERNEL32(00000410,00000000,?,00001000,?,00000000), ref: 0041122C
memset.MSVCRT ref: 00411253
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00411288
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004112A2
QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 004112C3
CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 004112F4
free.MSVCRT(?), ref: 0041130D
Process32NextW.KERNEL32(?,0000022C), ref: 00411356
CloseHandle.KERNEL32(?,?,0000022C), ref: 00411366

Strings

kernel32.dll, xrefs: 00411283
QueryFullProcessImageNameW, xrefs: 00411292

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 3536422406-1740548384
Opcode ID: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
Instruction ID: bbba850b15206e26884db202d857e323fd936e243bbe251c85cc099381913945
Opcode Fuzzy Hash: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
Instruction Fuzzy Hash: 7E51AF72840258ABDB21DF55CC84EDEB7B9EF94304F1001ABFA18E3261DB759A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00408441, Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00410790,?), ref: 00408457
FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00410790,?), ref: 00408475
wcslen.MSVCRT ref: 004084A5
wcslen.MSVCRT ref: 004084AD

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileFindwcslen$FirstNext
String ID:
API String ID: 2163959949-0
Opcode ID: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
Instruction ID: 6e3c8222864954d55df90d51b8e56744ea09e2897b7152e8bd6019cb1af30d80
Opcode Fuzzy Hash: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
Instruction Fuzzy Hash: E5118272515706AFD7149B24D984A9B73DCAF04725F604A3FF09AD31C0FF78A9448B29

Uniqueness

Uniqueness Score: -1.00%

Function 00411EF8, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 00411F05
SizeofResource.KERNEL32(?,00000000), ref: 00411F16
LoadResource.KERNEL32(?,00000000), ref: 00411F26
LockResource.KERNEL32(00000000), ref: 00411F31

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
Instruction ID: cfb809c5d0a350ba8a2f28afb84d758f7034e38599ab5d81eab5ea4ee58a4c6c
Opcode Fuzzy Hash: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
Instruction Fuzzy Hash: 140192367042156BCB295FA5DC4999BBFAEFF867917088036F909C7331DB30D941C688

Uniqueness

Uniqueness Score: -1.00%

Function 00415F87, Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00415EAF: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
Part of subcall function 00415EAF: malloc.MSVCRT ref: 00415EE6
Part of subcall function 00415EAF: free.MSVCRT(?), ref: 00415EF6

Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416001
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416029
free.MSVCRT(00000000,?,00000000,?,00000000), ref: 00416032

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
String ID:
API String ID: 1355100292-0
Opcode ID: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
Instruction ID: 7d405d749a0edc351a3ddf496a078fe72cac754ac47b8191c628d3d1323914f3
Opcode Fuzzy Hash: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
Instruction Fuzzy Hash: 45219276804108EEEB21EBA4C8849EF7BBCEF09304F1100ABE641D7141E778CEC597A5

Uniqueness

Uniqueness Score: -1.00%

Function 004161B0, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004161BB
GetSystemInfo.KERNELBASE(00451CE0,?,00000000,00440C34,00000000,?,?,00000003,00000000,00000000), ref: 004161C4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
Instruction ID: 01e0680712ac90f889d23e176cd2934d89dbbab4f1fad96818c53916f6f4ffc6
Opcode Fuzzy Hash: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
Instruction Fuzzy Hash: D6E02230A0062067E3217732BE07FCF22848F02348F00403BFA00DA366F6AC881506ED

Uniqueness

Uniqueness Score: -1.00%

Function 00410168, Relevance: 56.4, APIs: 23, Strings: 9, Instructions: 441COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004101DA
wcsrchr.MSVCRT ref: 004101F2
memset.MSVCRT ref: 004102D9
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,00000000,00000104), ref: 00410326

Part of subcall function 00409A34: _wcslwr.MSVCRT ref: 00409AFC
Part of subcall function 00409A34: wcslen.MSVCRT ref: 00409B11

Part of subcall function 00408619: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 00408652
Part of subcall function 00408619: wcslen.MSVCRT ref: 00408678
Part of subcall function 00408619: wcsncmp.MSVCRT(?,?,?,?,00000000,?), ref: 004086AE
Part of subcall function 00408619: memset.MSVCRT ref: 00408725
Part of subcall function 00408619: memcpy.MSVCRT ref: 00408746

Part of subcall function 00409EB8: LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
Part of subcall function 00409EB8: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC

Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F309
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F31E
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F333
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F348
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F35D
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F383
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F394
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3CC
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3DA
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F413
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F421

memset.MSVCRT ref: 004103AA
memset.MSVCRT ref: 004103C6
memset.MSVCRT ref: 004103E2
memset.MSVCRT ref: 004104F9

Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E17
Part of subcall function 00406DD9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E69
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E81
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E99
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406EB1
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EBC
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406ECA
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EF9
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406F07

wcslen.MSVCRT ref: 00410437
wcslen.MSVCRT ref: 00410446
wcslen.MSVCRT ref: 0041048B
wcslen.MSVCRT ref: 0041049A
memset.MSVCRT ref: 00410562
memset.MSVCRT ref: 0041057A
wcslen.MSVCRT ref: 00410593
wcslen.MSVCRT ref: 004105A1
wcslen.MSVCRT ref: 004105FC
wcslen.MSVCRT ref: 0041060A
memset.MSVCRT ref: 0041068A
wcslen.MSVCRT ref: 00410699
wcslen.MSVCRT ref: 00410720
wcslen.MSVCRT ref: 0041072E
wcslen.MSVCRT ref: 004106A7

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083BC
Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083CD

Strings

wand.dat, xrefs: 00410727, 00410745
Path, xrefs: 004102E1
Opera\Opera7\profile\wand.dat, xrefs: 00410603, 00410621
Google\Chrome\User Data, xrefs: 00410432, 0041045D
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe, xrefs: 004102E6
%programfiles%\Sea Monkey, xrefs: 00410321
Google\Chrome SxS\User Data, xrefs: 00410486, 004104B1
Opera, xrefs: 004106A0, 004106BE
Opera\Opera\wand.dat, xrefs: 0041059A, 004105B8

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcslen$memset$wcscmp$AddressByteCharCredEnumerateEnvironmentExpandLibraryLoadMultiProcStringsWide_wcslwrmemcpywcscatwcscpywcsncmpwcsrchr
String ID: %programfiles%\Sea Monkey$Google\Chrome SxS\User Data$Google\Chrome\User Data$Opera$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$wand.dat
API String ID: 3717286792-109336846
Opcode ID: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
Instruction ID: 5236af18994b30efd903e1d9b734594bd5ee8d83944705dbeea0fe3cf72f0f99
Opcode Fuzzy Hash: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
Instruction Fuzzy Hash: A0F17771901218ABDB20EB51DD85ADEB378AF04714F5444ABF508A7181E7B8AFC4CF9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2F1, Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00403926: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
Part of subcall function 00403926: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
Part of subcall function 00403926: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
Part of subcall function 00403926: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002), ref: 0040E319
GetModuleHandleW.KERNEL32(00000000,00411F7E,00000000,?,00000002), ref: 0040E332
EnumResourceTypesW.KERNEL32 ref: 0040E339
??3@YAXPAX@Z.MSVCRT ref: 0040E4CB
DeleteObject.GDI32(?), ref: 0040E4E1

Strings

/deleteregkey, xrefs: 0040E3B3
/savelangfile, xrefs: 0040E385
, xrefs: 0040E34D

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Library$??3@AddressDeleteEnumErrorFreeHandleLoadMessageModeModuleObjectProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 3591293073-28296030
Opcode ID: c7f6c6ad16e89a48cb0e0d64ac08aa0b3efbd1f5f4a19e75b38d6438d40399e7
Instruction ID: 121834c48f7c844bba9a1922674ad86b62a86fe916e360ab8a1a69ef7a5829fa
Opcode Fuzzy Hash: c7f6c6ad16e89a48cb0e0d64ac08aa0b3efbd1f5f4a19e75b38d6438d40399e7
Instruction Fuzzy Hash: 5451B171408345ABD720AFA2DD4895FB7A8FF84709F000D3EF640A3191DB79D9158B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00408B10, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00408836: memset.MSVCRT ref: 0040885E
Part of subcall function 00408836: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885
Part of subcall function 00408836: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 004088C6
Part of subcall function 00408836: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
Part of subcall function 00408836: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4

OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00408BB1
GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6

Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
Part of subcall function 004074C6: GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00407506

Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
WriteFile.KERNEL32(?,00000000,00000104,004091EB,00000000), ref: 00408C20
UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
CloseHandle.KERNEL32(?), ref: 00408C30
CloseHandle.KERNEL32(?), ref: 00408C35
CloseHandle.KERNEL32(00000000), ref: 00408C3A
CloseHandle.KERNEL32(00000000), ref: 00408C3F

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00408B16
bhv, xrefs: 00408BCF

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$CloseHandle$CreateProcess$CurrentTempView$??2@ChangeDirectoryDuplicateFindInformationMappingNameNotificationOpenPathQuerySizeSystemUnmapWindowsWritememset
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
API String ID: 2121777953-4002013007
Opcode ID: 605df682aca1a4ff42ceeac8dd6110a0503dbbb848fd46321c54b31420e585a4
Instruction ID: 68c5544b499915da94545e51db83da674be7fd43246ed759ba52d344f26358cd
Opcode Fuzzy Hash: 605df682aca1a4ff42ceeac8dd6110a0503dbbb848fd46321c54b31420e585a4
Instruction Fuzzy Hash: CD412775901218BBDF11AF95CD899DFBFB9EF09751F10802AF608A6250DB349A40CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402846, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 239fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040286E
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00402882
CopyFileW.KERNEL32(?,?,00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028A3
FindCloseChangeNotification.KERNELBASE(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028AE
memset.MSVCRT ref: 004028C7
DeleteFileW.KERNEL32(?,?,?,?,?,00000003,00000000,00000000), ref: 00402B1A

Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
Part of subcall function 004074C6: GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00407506

memset.MSVCRT ref: 0040293C

Part of subcall function 004027D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 0040280F
Part of subcall function 004027D7: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040283C

Part of subcall function 00407DF5: MultiByteToWideChar.KERNEL32(00000000,00000000,004029BE,000000FF,?,?,004029BE,?,?,000003FF), ref: 00407E07

Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897

memset.MSVCRT ref: 00402A95
memcpy.MSVCRT ref: 00402AA8
LocalFree.KERNEL32(00000000,?,?,000000FF,?,?,?,00000000,00000000,00000003), ref: 00402AD2

Strings

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402908
chp, xrefs: 0040288D

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$Timememset$FreeLibraryLocalTemp$AddressByteChangeCharCloseCopyCreateDeleteDirectoryFindLoadMultiNameNotificationPathProcSystemWideWindowsmemcpy
String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
API String ID: 3603309061-1844170479
Opcode ID: 99d4842a7612bd86dcae5b842672bed75adad362ebd04f8eaabe29f208d39f1f
Instruction ID: e637edadd966e00c71b87c8ff6cc297e5f4b8f19ec80fc414d035a4907c068e8
Opcode Fuzzy Hash: 99d4842a7612bd86dcae5b842672bed75adad362ebd04f8eaabe29f208d39f1f
Instruction Fuzzy Hash: 37815172D001186BDB11EBA59D46BEEB7BCAF04304F5404BAF509F7281EB786F448B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0D5, Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F0F8
memset.MSVCRT ref: 0040F10D
memset.MSVCRT ref: 0040F122
memset.MSVCRT ref: 0040F137
memset.MSVCRT ref: 0040F14C

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcslen.MSVCRT ref: 0040F172
wcslen.MSVCRT ref: 0040F183
wcslen.MSVCRT ref: 0040F1BB
wcslen.MSVCRT ref: 0040F1C9
wcslen.MSVCRT ref: 0040F202
wcslen.MSVCRT ref: 0040F210
memset.MSVCRT ref: 0040F296

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Mozilla\SeaMonkey, xrefs: 0040F1FD, 0040F228
Mozilla\SeaMonkey\Profiles, xrefs: 0040F16D, 0040F19A, 0040F1B6, 0040F1E1

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 2775653040-2068335096
Opcode ID: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
Instruction ID: ad2d2467b554b91bbb49091aa47d9e820c56345a74be7af74479530b55ef6358
Opcode Fuzzy Hash: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
Instruction Fuzzy Hash: 2A514472905219AADB20E751DD86ECF73BC9F44344F5004FBF109F6181EBB96B888B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2E6, Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F309
memset.MSVCRT ref: 0040F31E
memset.MSVCRT ref: 0040F333
memset.MSVCRT ref: 0040F348
memset.MSVCRT ref: 0040F35D

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcslen.MSVCRT ref: 0040F383
wcslen.MSVCRT ref: 0040F394
wcslen.MSVCRT ref: 0040F3CC
wcslen.MSVCRT ref: 0040F3DA
wcslen.MSVCRT ref: 0040F413
wcslen.MSVCRT ref: 0040F421
memset.MSVCRT ref: 0040F4A7

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Mozilla\Firefox\Profiles, xrefs: 0040F37E, 0040F3AB, 0040F3C7, 0040F3F2
Mozilla\Firefox, xrefs: 0040F40E, 0040F439

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 2775653040-3369679110
Opcode ID: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
Instruction ID: 627aa7309af3ce9e50a65207db29ad7cec2a96110015b88e099c10597549be0d
Opcode Fuzzy Hash: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
Instruction Fuzzy Hash: B15174729052196ADB20EB51CD85ECF73BC9F54304F5004FBF508F2081EBB96B888B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041139E, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED

Strings

EnumProcessModules, xrefs: 004113BF
psapi.dll, xrefs: 004113A4
GetModuleInformation, xrefs: 004113E3
GetModuleFileNameExW, xrefs: 004113CB
GetModuleBaseNameW, xrefs: 004113B5
EnumProcesses, xrefs: 004113D7

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2238633743-70141382
Opcode ID: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
Instruction ID: b0fa25657284a8e9196716ee499a251a0e3e908d4b843c37df8f242eb1d66817
Opcode Fuzzy Hash: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
Instruction Fuzzy Hash: A3F03478988704AEEB30AF75DC08E07BEF0EFA8B11721892EE0C593650D7799441EF58

Uniqueness

Uniqueness Score: -1.00%

Function 00408619, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004037C3: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
Part of subcall function 004037C3: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819

CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 00408652
wcslen.MSVCRT ref: 00408678
wcsncmp.MSVCRT(?,?,?,?,00000000,?), ref: 004086AE
memset.MSVCRT ref: 00408725
memcpy.MSVCRT ref: 00408746
_wcsnicmp.MSVCRT ref: 0040878B
wcschr.MSVCRT ref: 004087B3
LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 004087D7

Strings

Microsoft_WinInet_, xrefs: 00408785
J, xrefs: 004086F6
Microsoft_WinInet, xrefs: 0040866A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet$Microsoft_WinInet_
API String ID: 1313344744-1864008983
Opcode ID: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
Instruction ID: ae9214853af189039b11f9ecdcfbf9e5a6a1e8940f9aa775dff38fc8017bd4cb
Opcode Fuzzy Hash: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
Instruction Fuzzy Hash: E45129B5D00209AFDB20DFA4C981A9EB7F8FF08304F14446EE959F7241EB34A945CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00442628, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00443490,00000070), ref: 00442637
__set_app_type.MSVCRT ref: 00442696
__p__fmode.MSVCRT ref: 004426AB
__p__commode.MSVCRT ref: 004426B9
__setusermatherr.MSVCRT ref: 004426E5
_initterm.MSVCRT ref: 004426FB
__wgetmainargs.KERNELBASE ref: 0044271E
_initterm.MSVCRT ref: 00442731
GetStartupInfoW.KERNEL32(?), ref: 0044278E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004427B4
exit.KERNELBASE ref: 004427CB
_cexit.MSVCRT ref: 004427D1

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: c0523eba28cc456e55dc8711b9221e28c9e3236c1c393efd04d0a35b8240f2f2
Instruction ID: 706d3d187beade5fd8be42c29aa928e65c4a76933a7b40434c1f532ca5c4ff1d
Opcode Fuzzy Hash: c0523eba28cc456e55dc8711b9221e28c9e3236c1c393efd04d0a35b8240f2f2
Instruction Fuzzy Hash: 1E51C674C00305DFEB21AF64DA44AADB7B4FB05B15FA0422BF811A7291D7B84982CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00409508, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040952C

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 004090DF: memset.MSVCRT ref: 00409102
Part of subcall function 004090DF: memset.MSVCRT ref: 0040911A
Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409136
Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409145
Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040918C
Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040919B

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
wcschr.MSVCRT ref: 004095B8
wcschr.MSVCRT ref: 004095D8
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
GetLastError.KERNEL32 ref: 00409607
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 00409633
FindCloseUrlCache.WININET(?), ref: 00409644

Strings

visited:, xrefs: 0040959C

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 615219573-1702587658
Opcode ID: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
Instruction ID: 77a6c5406e07bb2a3f369751b76910ce3bd9900599f044f3c0855e39104cf3e1
Opcode Fuzzy Hash: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
Instruction Fuzzy Hash: 7F417F72D00219BBDB11DF95CD85A9EBBB8EF05714F10406AE505F7281DB38AF41CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409A34, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3

Part of subcall function 00408037: free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E

Part of subcall function 00409508: memset.MSVCRT ref: 0040952C
Part of subcall function 00409508: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
Part of subcall function 00409508: wcschr.MSVCRT ref: 004095B8
Part of subcall function 00409508: wcschr.MSVCRT ref: 004095D8
Part of subcall function 00409508: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
Part of subcall function 00409508: GetLastError.KERNEL32 ref: 00409607

Part of subcall function 00409657: memset.MSVCRT ref: 004096C7
Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
Part of subcall function 00409657: _wcsupr.MSVCRT ref: 0040970F
Part of subcall function 00409657: memset.MSVCRT ref: 0040975E
Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789

Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

_wcslwr.MSVCRT ref: 00409AFC
wcslen.MSVCRT ref: 00409B11

Strings

http://www.facebook.com/, xrefs: 00409A83
/, xrefs: 00409B1D
https://login.yahoo.com/config/login, xrefs: 00409A90
https://www.google.com/accounts/servicelogin, xrefs: 00409A76
/, xrefs: 00409B31

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 4091582287-4196376884
Opcode ID: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
Instruction ID: 093a45ac9553ae88d2071121675ee446b985e814abadd75c8d2b77a0ae050712
Opcode Fuzzy Hash: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
Instruction Fuzzy Hash: F731D872A1015466CB20BB6ACC4599F77A8AF80344B25087AF804B72C3CBBCEE45D699

Uniqueness

Uniqueness Score: -1.00%

Function 004090DF, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409102
memset.MSVCRT ref: 0040911A

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

wcslen.MSVCRT ref: 00409136
wcslen.MSVCRT ref: 00409145
wcslen.MSVCRT ref: 0040918C
wcslen.MSVCRT ref: 0040919B

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 00409187, 004091AF
Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409130, 00409135, 0040915E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2036768262-2114579845
Opcode ID: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
Instruction ID: 077c1189ed55963ee46c09665a9aee7869ceb3b17950e6b23e47196ee9b08e55
Opcode Fuzzy Hash: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
Instruction Fuzzy Hash: 0B21D972A4411D66E710E651DC85DDF73ACAF14354F5008BFF505E2082FAB89F844A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00441683, Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 219COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00441734

Strings

RTRIM, xrefs: 004417C6
no such vfs: %s, xrefs: 0044177E
main, xrefs: 00441866
BINARY, xrefs: 0044179D, 004417A2, 004417AE, 004417BA, 004417DF
NOCASE, xrefs: 004417F7
temp, xrefs: 00441876

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
Instruction ID: 3c8b5220aebea45aa68cfe54a9ecef019ebf38e5b75abdf02c998a5d3c6681b4
Opcode Fuzzy Hash: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
Instruction Fuzzy Hash: 8E71D4B1600301BFF310AF16DCC1A6ABB98BB45318F14452FF459DB252D7B9A8D18B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040320A, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F

Part of subcall function 00410168: memset.MSVCRT ref: 004101DA
Part of subcall function 00410168: wcsrchr.MSVCRT ref: 004101F2
Part of subcall function 00410168: memset.MSVCRT ref: 004102D9

Part of subcall function 0040FF51: SetCurrentDirectoryW.KERNEL32(?,?,?,00403292,?), ref: 0040FF9E

memset.MSVCRT ref: 0040330A
memcpy.MSVCRT ref: 0040331C
wcscmp.MSVCRT ref: 00403348
_wcsicmp.MSVCRT ref: 00403385

Strings

, xrefs: 00403235
J/@, xrefs: 004032EC

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
String ID: $J/@
API String ID: 1763786148-830378395
Opcode ID: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
Instruction ID: 978c6ac20941b4c482f16f8c8dbf1af5ea5d331337d981433e161efedc4cfbbc
Opcode Fuzzy Hash: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
Instruction Fuzzy Hash: 36416B71A083819AD730DF61C945A9BB7E8AF85315F004C3FE88D93681EB7896498B5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDFA, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 0040F026: memset.MSVCRT ref: 0040F042
Part of subcall function 0040F026: memset.MSVCRT ref: 0040F057
Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F080
Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F0A9

memset.MSVCRT ref: 0040EE42
wcslen.MSVCRT ref: 0040EE59
wcslen.MSVCRT ref: 0040EE61
wcslen.MSVCRT ref: 0040EEBC
wcslen.MSVCRT ref: 0040EECA

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

places.sqlite, xrefs: 0040EEC3, 0040EED8
history.dat, xrefs: 0040EE22, 0040EE5E, 0040EE70

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcslen$memsetwcscat$wcscpy
String ID: history.dat$places.sqlite
API String ID: 2541527827-467022611
Opcode ID: 79052c9e259d4c4db0ec689992f98860fd40fbbfa98e25ce4c2c55694841dc80
Instruction ID: 5a7552f2f2193819142f663f69cd0b376b18013dc8e05bcebec127321fadfdaa
Opcode Fuzzy Hash: 79052c9e259d4c4db0ec689992f98860fd40fbbfa98e25ce4c2c55694841dc80
Instruction Fuzzy Hash: AD315232D0411DAADF10EBA6D845ACDB3B8AF00319F6048BBE514F21C1E77CAA45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00410075, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410097
wcslen.MSVCRT ref: 004100A2
wcslen.MSVCRT ref: 004100B0
wcslen.MSVCRT ref: 00410105
wcslen.MSVCRT ref: 00410113

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Web Data, xrefs: 004100A8, 004100AD, 004100C3
Login Data, xrefs: 0041010B, 00410110, 00410121

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcslen$memsetwcscatwcscpy
String ID: Login Data$Web Data
API String ID: 3932597654-4228647177
Opcode ID: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
Instruction ID: 391ffb8f75831278f4964df5f57522d74f6eb7522eeef9a3bb7e860aca09f0fd
Opcode Fuzzy Hash: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
Instruction Fuzzy Hash: 3621B83294411C7BDB10AB55DC89ACA73ACAF10368F10487BF418E6181EBF9AEC48A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00415BAE, Relevance: 9.1, APIs: 6, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,-7FBEAA6E,00000003,00000000,?,?,00000000), ref: 00415C86
CreateFileA.KERNEL32(?,-7FBEAA6E,00000003,00000000,00415512,00415512,00000000), ref: 00415C9E
GetLastError.KERNEL32 ref: 00415CAD
free.MSVCRT(?), ref: 00415CBA

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateFile$ErrorLastfree
String ID:
API String ID: 77810686-0
Opcode ID: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
Instruction ID: e414679dc355763f7cb5844f7b2dc3c916de6b309c6ec43d815c5638ef366406
Opcode Fuzzy Hash: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
Instruction Fuzzy Hash: 7741D0B1508701EFE7109F25EC4169BBBE5EFC4324F14892EF49596290E378D9848B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040F026, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F042
memset.MSVCRT ref: 0040F057

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 0040719A: wcslen.MSVCRT ref: 0040719B
Part of subcall function 0040719A: wcscat.MSVCRT ref: 004071B3

wcscat.MSVCRT ref: 0040F080

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcscat.MSVCRT ref: 0040F0A9

Strings

Mozilla\Firefox\Profiles, xrefs: 0040F0A3
Mozilla\Profiles, xrefs: 0040F07A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
Instruction ID: 125a097a9f26af6413fbc01dcc411eb2579d6a3fd62fad3348166db73649eeaa
Opcode Fuzzy Hash: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
Instruction Fuzzy Hash: BF018EB294021C75DB207B668C86ECF732CDF45358F1044BEB504E7182D9B88E888AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412270, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004121C3: LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
Part of subcall function 004121C3: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
memset.MSVCRT ref: 004122C9
RegCloseKey.ADVAPI32(?), ref: 00412330
wcscpy.MSVCRT ref: 0041233E

Part of subcall function 00407674: GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122E4, 004122F4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2699640517-2036018995
Opcode ID: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
Instruction ID: c2720df25ff2a98c700ebd4409fa2125fd2182e4a6debc52b8ada4298b6a052e
Opcode Fuzzy Hash: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
Instruction Fuzzy Hash: 29110831800114BAEB24E7599E4EEEF737CEB05304F5100E7F914E2151E6B85FE5969E

Uniqueness

Uniqueness Score: -1.00%

Function 00411A13, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00411A2D
_snwprintf.MSVCRT ref: 00411A52
WritePrivateProfileStringW.KERNEL32(?,?,?,004495A0), ref: 00411A70
GetPrivateProfileStringW.KERNEL32 ref: 00411A88

Strings

"%s", xrefs: 00411A41

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
Instruction ID: ae5f1e9df6cd2f4a0780795b96407545f38e06b3c9618b8e9942ee44aab69889
Opcode Fuzzy Hash: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
Instruction Fuzzy Hash: 2101283240521ABAEF219F81EC05FDA3A6AFF04785F104066BA1960161D779C661EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00411140, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004112EE,?,?,?,?,?,00000000,?), ref: 00411151
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0041116B
GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,004112EE,?,?,?,?,?,00000000,?), ref: 0041118E

Strings

kernel32.dll, xrefs: 0041114C
GetProcessTimes, xrefs: 0041115B

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
Instruction ID: be5b0e9885743e8d30da273d8ef78610b28524ab18dcfae55e11e98fa027414b
Opcode Fuzzy Hash: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
Instruction Fuzzy Hash: 4FF01C35104308AFEB128FA0EC04B967BA9BB08749F048425F608C1671C775C9A0DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9D5, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0041CA32
memcmp.MSVCRT ref: 0041CA5D
memcmp.MSVCRT ref: 0041CAC9

Strings

@ , xrefs: 0041CAC3
SQLite format 3, xrefs: 0041CA50

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 995df855505f47d3fff5b3ee1df3959e9c0b6b49e494aa249aa3272b4713cf3f
Instruction ID: bd67d5102a3eb66ea4de4e64a8b31fca419cb069452d494a6197ab8253893597
Opcode Fuzzy Hash: 995df855505f47d3fff5b3ee1df3959e9c0b6b49e494aa249aa3272b4713cf3f
Instruction Fuzzy Hash: D351D1719442149FDF10DF69C8827EAB7F4AF44314F14019BE804EB346E778EA85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0AC, Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040E0CE
??2@YAPAXI@Z.MSVCRT ref: 0040E0F7
DeleteObject.GDI32(?), ref: 0040E129
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,00000000,0040E36A), ref: 0040E171
LoadIconW.USER32(00000000,00000065), ref: 0040E17A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??2@$DeleteHandleIconLoadModuleObject
String ID:
API String ID: 659443934-0
Opcode ID: 5c24b57fa0e1cfdf7f3906394f540e2e73f2d4ee2212ac106c4666ba6c8c482e
Instruction ID: 1cba439d4a63bd06fd13ecdd31e81b6a0d9710d4e5327182bdbee0994cb59d35
Opcode Fuzzy Hash: 5c24b57fa0e1cfdf7f3906394f540e2e73f2d4ee2212ac106c4666ba6c8c482e
Instruction Fuzzy Hash: 322193B19012989FDB30EF768C496DEB7A9AF84715F10863BF80CDB241DF794A118B58

Uniqueness

Uniqueness Score: -1.00%

Function 00408FA4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00408B10: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
Part of subcall function 00408B10: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
Part of subcall function 00408B10: DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00408BB1
Part of subcall function 00408B10: GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6
Part of subcall function 00408B10: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
Part of subcall function 00408B10: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
Part of subcall function 00408B10: WriteFile.KERNEL32(?,00000000,00000104,004091EB,00000000), ref: 00408C20
Part of subcall function 00408B10: UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
Part of subcall function 00408B10: CloseHandle.KERNEL32(?), ref: 00408C30

CloseHandle.KERNEL32(000000FF,000000FF,00000000,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409074

Part of subcall function 00408D9D: memset.MSVCRT ref: 00408E72
Part of subcall function 00408D9D: wcschr.MSVCRT ref: 00408EAA
Part of subcall function 00408D9D: memcpy.MSVCRT ref: 00408EDE

DeleteFileW.KERNEL32(?,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409095
CloseHandle.KERNEL32(000000FF,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 004090BC

Part of subcall function 00408C67: memset.MSVCRT ref: 00408CAF
Part of subcall function 00408C67: _snwprintf.MSVCRT ref: 00408D49
Part of subcall function 00408C67: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,74B5F560), ref: 00408D7D

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00408FB4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
API String ID: 1979745280-1514811420
Opcode ID: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
Instruction ID: f61eabc5127fffa0127996e1b9e76e3c42d0daca9916cdcd83e0194a9dfe4be1
Opcode Fuzzy Hash: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
Instruction Fuzzy Hash: 10314CB1C006289BCF60DFA5CD855CEFBB8AF40315F1002ABA518B31A2DB756E85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFDE, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040CFFF
qsort.MSVCRT ref: 0040D0A9

Strings

/sort, xrefs: 0040CFFA
/nosort, xrefs: 0040D05F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
Instruction ID: 426287280b2395c37d482f654794667c251e21b6a2c3e86ec69022cc6db77350
Opcode Fuzzy Hash: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
Instruction Fuzzy Hash: 4821F8317006019FD714AB75C981E55B3A9FF95318F01053EF519A72D2CB7ABC11CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00409EB8, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004117E3: FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF

LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC

Strings

PStoreCreateInstance, xrefs: 00409ED6
pstorec.dll, xrefs: 00409EC4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Library$AddressFreeLoadProc
String ID: PStoreCreateInstance$pstorec.dll
API String ID: 145871493-2881415372
Opcode ID: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
Instruction ID: b7b877f0cca51cf4ed89ca0d343beedc6eb81d3109fbfde12955c258fb57ec89
Opcode Fuzzy Hash: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
Instruction Fuzzy Hash: 4DF0E2713047035BE7206BB99C45B9776E85F40715F10842EB126D16E2DBBCD9808BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00442D7A, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00442D84
??3@YAXPAX@Z.MSVCRT ref: 00442D94
??3@YAXPAX@Z.MSVCRT ref: 00442DA4
??3@YAXPAX@Z.MSVCRT ref: 00442DB4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 44d13ece2455e6bf70e94478653814ebefdf6deeb09379604d67fc2da5a05fd3
Instruction ID: 4d75bcbf83e2a718e0a773ad5cf6a383805f84e699810b963ae7674306c23c36
Opcode Fuzzy Hash: 44d13ece2455e6bf70e94478653814ebefdf6deeb09379604d67fc2da5a05fd3
Instruction Fuzzy Hash: 05E080A1705301777A105B36BE55B0313EC3A703423D8041FF40AC3255DEBCC840441C

Uniqueness

Uniqueness Score: -1.00%

Function 0043800C, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 967COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043804F
memset.MSVCRT ref: 004383F8

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 004380DE

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
Instruction ID: 9afff8ac9fdfbc15a9c7ae9a6e2295b57ef319e934304d2411a679509b53bb08
Opcode Fuzzy Hash: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
Instruction Fuzzy Hash: 36826971A00318AFDF25DF69C881AAEBBA1EF08318F14511EFD1597292DB79E841CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00409F53, Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00409F8D
??2@YAPAXI@Z.MSVCRT ref: 00409FAB
??2@YAPAXI@Z.MSVCRT ref: 00409FC9
??2@YAPAXI@Z.MSVCRT ref: 00409FE7

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 0567f08961b2cf397e8b5cffb80cfb7da57dcf973421e34affee400c22969a13
Instruction ID: 97910a1e78d05b4995072b8892bf30812772bdb2f497aa37043254e3fee4362a
Opcode Fuzzy Hash: 0567f08961b2cf397e8b5cffb80cfb7da57dcf973421e34affee400c22969a13
Instruction Fuzzy Hash: AB01DEB16523406FEB58DB39EE67B2A66949B58351F48453EF207C91F6EAB4C840CA08

Uniqueness

Uniqueness Score: -1.00%

Function 0041C702, Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041C7B0

Strings

5lA, xrefs: 0041C8A3
BINARY, xrefs: 0041C70E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset
String ID: 5lA$BINARY
API String ID: 2221118986-2383938406
Opcode ID: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
Instruction ID: bfb3245fc00688105b1f81726e77846e409aff0e69a2cb21cfce066b793b8303
Opcode Fuzzy Hash: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
Instruction Fuzzy Hash: 52519C719443459FDB21DF68C8C1AEA7BE4AF08351F14446FE859CB381D778D980CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00414E1C, Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00414D9F: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD1
Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD7

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00414E4C
GetLastError.KERNEL32 ref: 00414E56

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
Instruction ID: 78f6fc62e556ae6391f2b7d02d7635eeebb8002b3cc976368f6d55ef40470767
Opcode Fuzzy Hash: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
Instruction Fuzzy Hash: 20016D36244305BBEB108F65EC45BEB7B6CFB95761F100427F908D6240E774ED908AE9

Uniqueness

Uniqueness Score: -1.00%

Function 00414D9F, Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
GetLastError.KERNEL32 ref: 00414DD1
GetLastError.KERNEL32 ref: 00414DD7

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
Instruction ID: ce6d17c8e1bf95b997c08e1a60c9ed70337bd99ba9d8843779863386e1f48c80
Opcode Fuzzy Hash: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
Instruction Fuzzy Hash: 16F03936A10119BBCF009F74EC019EA7BA8EB45760B104726E822E6690EB30EA409AD4

Uniqueness

Uniqueness Score: -1.00%

Function 00407475, Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407491
memcpy.MSVCRT ref: 004074A9
free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: cfd8dded6270ab76b115604b577ea4a7b41de6cad30d2a4b436932789bdeb74f
Instruction ID: e360d5709d2f3202c1ca25caae3d4aa805c65bf3858a1f44a91d23c9b12a71fe
Opcode Fuzzy Hash: cfd8dded6270ab76b115604b577ea4a7b41de6cad30d2a4b436932789bdeb74f
Instruction Fuzzy Hash: FFF0E972A082229FD708EB75A94180B779DAF44364710442FF404E3281D738AC40C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044233C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,0040FF66,?,?,00403292,?), ref: 0044234D

Strings

Lh@, xrefs: 00442344

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FreeLibrary
String ID: Lh@
API String ID: 3664257935-1564020105
Opcode ID: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
Instruction ID: 76fd25b73cfe59c43d76c33e9e0e0ec1b0c89da13299cefcee144e01fa2b623b
Opcode Fuzzy Hash: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
Instruction Fuzzy Hash: 33E0F6B5900B008F93308F2BE944407FBF9BFE56113108E1FE4AAC2A24C3B4A6458F54

Uniqueness

Uniqueness Score: -1.00%

Function 004349F1, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

d, xrefs: 00434BB1

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ce38069431d75cbd9469390c6fd040c4a17fe8be27d7aae76b779c9a917add19
Instruction ID: 01fd0a19dca965820be780cd5e1a180e940d32085fcd4292c33d665daa4a4ca3
Opcode Fuzzy Hash: ce38069431d75cbd9469390c6fd040c4a17fe8be27d7aae76b779c9a917add19
Instruction Fuzzy Hash: B7819D716083519FCB10EF1AC84169FBBE0AFC8318F15592FF88497251D778EA85CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5B3, Relevance: 3.1, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT ref: 0040B1D4
Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT ref: 0040B29B

GetStdHandle.KERNEL32(000000F5,?,00000000,00000001,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040C5DC
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000), ref: 0040C6E9

Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

Part of subcall function 004071BD: GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
Part of subcall function 004071BD: _snwprintf.MSVCRT ref: 004071FE
Part of subcall function 004071BD: MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
String ID:
API String ID: 1161345128-0
Opcode ID: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
Instruction ID: 8008e0f7e2c68a0a7dbf7afa260ddf7c08443fea941bd9d01fd0dc6d198c04cd
Opcode Fuzzy Hash: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
Instruction Fuzzy Hash: 82415F31B00100EBCB359F69C8C9E5E76A5AF45710F215A2BF406A73D1CB7AAD80CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E227, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E274

Strings

/stext, xrefs: 0040E26F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
Instruction ID: 5da650caeba3f583edd317abe6dc9e2273d49bc4fc560570e2d9775ed52fc578
Opcode Fuzzy Hash: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
Instruction Fuzzy Hash: 37218170B00105AFD704FFAA89C1A9DB7A9BF94304F1045BEE415F7382DB79AD218B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040946C, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

index.dat, xrefs: 004094CB

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcslen$FileFindFirst
String ID: index.dat
API String ID: 1858513025-427268347
Opcode ID: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
Instruction ID: ea6e303a67c95597c7ba2300e155a691c3aaaa96276431a044c3ae834a976286
Opcode Fuzzy Hash: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
Instruction Fuzzy Hash: 8601527180526999EB20E662CD426DE727CAF00314F1041BBA858F21D2EB3CDF868F4D

Uniqueness

Uniqueness Score: -1.00%

Function 00412B2E, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00412B3D

Strings

failed to allocate %u bytes of memory, xrefs: 00412B57

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: f24fcd6304b93913b14247a0557fa27672ef6dd59737270ab95038e43013476f
Instruction ID: 83e647f58a001b4b33716092e1dc9084e7a57e1649cb419fd0ecfe0012ae2b1c
Opcode Fuzzy Hash: f24fcd6304b93913b14247a0557fa27672ef6dd59737270ab95038e43013476f
Instruction Fuzzy Hash: B1E026B7F4561267C2004F1AEC019866790AFC032171A063BF92CD7380D678E9A683A9

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE6, Relevance: 3.0, APIs: 2, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00414DFF
FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,0045162C,00415453,00000008,00000000,00000000,?,00415610,?,00000000), ref: 00414E08

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID:
API String ID: 1821831730-0
Opcode ID: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
Instruction ID: a5fc701692feba82469beb2995ebf65a4cce15204005db1f3291e32cb0673270
Opcode Fuzzy Hash: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
Instruction Fuzzy Hash: 95E0CD372006155FD7005B7CDCC09D77399AF85734725032AF261C3190C665D4424664

Uniqueness

Uniqueness Score: -1.00%

Function 0041946A, Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041960E
memcmp.MSVCRT ref: 00419620

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
Instruction ID: 09c6ddd7a7fbafff04f5e46546a8ec227a467f18660dcb1fea67ae87f7adc2a4
Opcode Fuzzy Hash: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
Instruction Fuzzy Hash: EB6170B1E05205FFDB11EFA489A09EEB7B8AB04308F14806FE108E3241D7789ED5DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004098C2, Relevance: 2.6, APIs: 2, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

wcslen.MSVCRT ref: 00409901
memset.MSVCRT ref: 00409980

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoadmemsetwcslen
String ID:
API String ID: 1960736289-0
Opcode ID: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
Instruction ID: eeeebaecff14eb5a2c3d0f3031068d4b6d2ebef8e1bb4496a3092dc18c5c1f6a
Opcode Fuzzy Hash: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
Instruction Fuzzy Hash: C0318172510249BBCF11EFA5CCC19EE77B9AF48304F14887EF505B7282D638AE499B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED6C, Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EDFA: memset.MSVCRT ref: 0040EE42
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE59
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE61
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EEBC
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EECA

Part of subcall function 0040797A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040EDAE,00000000,?,00000000,?,00000000), ref: 00407992
Part of subcall function 0040797A: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004079A6
Part of subcall function 0040797A: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004101ED), ref: 004079AF

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 0040EDB8

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcslen$File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 4204647287-0
Opcode ID: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
Instruction ID: 7375e5b5c48a3cf746583bdb812c6cb833081a8f043ffb24ec2f547d3e817a13
Opcode Fuzzy Hash: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
Instruction Fuzzy Hash: 58114C72C00219ABCF11EBA5D9419DEBBB9EF44300F20047BE801F3280D634AF44CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00411B36, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 00411B5D

Part of subcall function 004119C6: memset.MSVCRT ref: 004119E5
Part of subcall function 004119C6: _itow.MSVCRT ref: 004119FC
Part of subcall function 004119C6: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00411A0B

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
Instruction ID: e4974885a9e011c02de9f8347c72c3dce1736aa6ad634daf2893e710d343c839
Opcode Fuzzy Hash: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
Instruction Fuzzy Hash: ABE0B672000149AFDF125F80EC01AA97BA6FF04315F248459FA5805631D73695B0EB95

Uniqueness

Uniqueness Score: -1.00%

Function 00411376, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 0041139E: LoadLibraryW.KERNELBASE(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
Part of subcall function 0041139E: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,0041126B,00000104,0041126B,00000000,?), ref: 00411395

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$FileLibraryLoadModuleName
String ID:
API String ID: 3821362017-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 161ab63227dca0468342f2fd6fc01eeb5e2c53d4d8b5c6eb41d2cf02796b8335
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: B3D0A9312183196BE220AB708C00FABA3E86B40710F008C2ABAA0D68A8D264C8805354

Uniqueness

Uniqueness Score: -1.00%

Function 00407BB2, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040C605,00000000,00448B84,00000002,?,?,?,0040E2DC,00000000), ref: 00407BC9

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
Instruction ID: 7a92458e03063ade3ff171a8f73d1b131da45bdd434acd56d38c8090c64c1cda
Opcode Fuzzy Hash: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
Instruction Fuzzy Hash: 47D0C93511020DFBDF01CF80DC06FDD7B7DEB04759F108054BA1495060D7B59B14AB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407144, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
Instruction ID: 81d2dec17d2b84b4128be66cdd24e97b0dbf61b8fa3bcd6fd5fd384be9d73f32
Opcode Fuzzy Hash: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
Instruction Fuzzy Hash: E4C092B0240201BEFF228B10ED16F36695CD740B01F2044247E00E40E0D1A04F108924

Uniqueness

Uniqueness Score: -1.00%

Function 0040715D, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
Instruction ID: 6739adb68e03e12f7f7c1d8ccdc83ffe2e18cb8bef7d19e3acfe4a72d1b5eace
Opcode Fuzzy Hash: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
Instruction Fuzzy Hash: 49C092F02502017EFF208B10AD0AF37695DD780B01F2084207E00E40E0D2A14C008924

Uniqueness

Uniqueness Score: -1.00%

Function 00408604, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040860B

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 7a03e879792b5fe31c33d7af5755a579040ef1194e7f819d695dad1928dde993
Instruction ID: b86fd1081c12c971c14e25096d529e9df9055785cb1c99d48f6af2a57df14557
Opcode Fuzzy Hash: 7a03e879792b5fe31c33d7af5755a579040ef1194e7f819d695dad1928dde993
Instruction Fuzzy Hash: D3C09BB15127015BFB345E15D50571273E45F50727F354C1DB4D1D24C2DB7CD4408518

Uniqueness

Uniqueness Score: -1.00%

Function 004084DA, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,004083EE,?,00000000,00000000,?,00410708,?), ref: 004084E4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
Instruction ID: a26663696ee19f03613d77843e46d9f39b2dea1a9069363f3edb82d48ea13a69
Opcode Fuzzy Hash: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
Instruction Fuzzy Hash: FFC092346205028BE23C5F38AD5A82A77E0BF4A3313B40F6CA0F3D20F0EB3884428A04

Uniqueness

Uniqueness Score: -1.00%

Function 004117E3, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
Instruction ID: 28a9858cfff7e6e2b1914a1c804994c03dcb5394f8963e6e43683e707f81cfe3
Opcode Fuzzy Hash: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
Instruction Fuzzy Hash: 83C04C351107028BE7218B12C849753B7F8BB00717F40C818A566859A0D77CE454CE18

Uniqueness

Uniqueness Score: -1.00%

Function 00411F7E, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,?,00411EF8,00000000), ref: 00411F8D

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
Instruction ID: 6c621939844f31da33ced499d0f7f7abb962291178acb537878d9391fa7c1b50
Opcode Fuzzy Hash: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
Instruction Fuzzy Hash: C8C09B32194342BBD7019F508C05F1B7A95BB55703F104C297561940B0C75140549605

Uniqueness

Uniqueness Score: -1.00%

Function 00407548, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
Instruction ID: 786af1a6681fc588f4ed673612d44b37cd66a9ddadc6b0c90f2aca86fde3c3ed
Opcode Fuzzy Hash: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
Instruction Fuzzy Hash: 41B012792100404BCB080B349C4504D75506F46B32B20473CB073C00F0DB30CD70BA00

Uniqueness

Uniqueness Score: -1.00%

Function 00411B67, Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
Instruction ID: 8fd1618fdc001f910610ea30bed12e65be45571f6aff6d2ea6de46bc6098db87
Opcode Fuzzy Hash: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
Instruction Fuzzy Hash: F8C09B35544301BFDE114F40FD05F09BF71BB84F05F004414B244640B1C2714414EB17

Uniqueness

Uniqueness Score: -1.00%

Function 004081EA, Relevance: 1.4, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3

free.MSVCRT(?,00000000,?,00000000), ref: 004082B2

Part of subcall function 00408001: free.MSVCRT(?,00000000,?,004082EE,00000000,?,00000000), ref: 00408010

Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
Part of subcall function 00407475: memcpy.MSVCRT ref: 004074A9
Part of subcall function 00407475: free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: free$mallocmemcpy
String ID:
API String ID: 3401966785-0
Opcode ID: 2965bb17a7e0c771abc11c43702067ecb1f0b8c1624655e4732796e1fec34586
Instruction ID: 9a294873d4d6790ac16ff047b4da0d243ffe3cbd3c442eed78fe53e82fef6e86
Opcode Fuzzy Hash: 2965bb17a7e0c771abc11c43702067ecb1f0b8c1624655e4732796e1fec34586
Instruction Fuzzy Hash: 22513672D006099BCB10DF99C5804DEBBB5BB48314F60817FE990B7391DB38AE85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00419681, Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71768e3b57be439b0f9ce1a84ee98f19883832beed36a2a3ef83e6d3b54edd1a
Instruction ID: 4be01e504a1dbe863e5cd1883b5f47abe9c308d3627063d178914d84215e5ed1
Opcode Fuzzy Hash: 71768e3b57be439b0f9ce1a84ee98f19883832beed36a2a3ef83e6d3b54edd1a
Instruction Fuzzy Hash: 32319E31614206EFDF14AF15D9517DAB3A0FF00364F11412BF8259B290EB38EDE09BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004085EB, Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 00408604: ??3@YAXPAX@Z.MSVCRT ref: 0040860B

??2@YAPAXI@Z.MSVCRT ref: 004085F4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 5a3d051f7edf17afde60994ac7c6eb2327cdbc01eacff9d86a6927654e89a2fe
Instruction ID: 922d8024f7c410ba2bf811e6c001bae8f16a2ee087a1061d919dd730706e44d9
Opcode Fuzzy Hash: 5a3d051f7edf17afde60994ac7c6eb2327cdbc01eacff9d86a6927654e89a2fe
Instruction Fuzzy Hash: 36C02B3241D2101FD764FFB4360205722D4CE822383014C2FF0C0D3100DD3884014B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00408037, Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
Instruction ID: b2304b4461d9917b15a132db01dd128865174dbe20628525ae7b4e3248e143f9
Opcode Fuzzy Hash: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
Instruction Fuzzy Hash: 17C08CB24107018FF7308F11C905322B3E4AF0073BFA08C0EA0D0914C2DBBCD084CA08

Uniqueness

Uniqueness Score: -1.00%

Function 00402778, Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
Instruction ID: cac01d1bc301b84fbdbddb48431dcac5afc2edf88536e2650f831a4bf4b80b8a
Opcode Fuzzy Hash: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
Instruction Fuzzy Hash: 7AC00272550B019FF7609F15C94A762B3E4AF5077BF918C1DA4A5924C1E7BCD4448A18

Uniqueness

Uniqueness Score: -1.00%

Function 00412B6F, Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00412B73

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
Instruction ID: 46b4f55e9d8111901284769a6e1cf788246b5727949f953e2d9518689c8df02f
Opcode Fuzzy Hash: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
Instruction Fuzzy Hash: AC900282455501216C4522755D1750511080851176374074A7032A59D1DE688150601C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00441975, Relevance: 66.7, APIs: 23, Strings: 15, Instructions: 152libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004419A0
wcscpy.MSVCRT ref: 004419B7
memset.MSVCRT ref: 004419EA
wcscpy.MSVCRT ref: 00441A00
wcscat.MSVCRT ref: 00441A11
wcscpy.MSVCRT ref: 00441A37
wcscat.MSVCRT ref: 00441A48
wcscpy.MSVCRT ref: 00441A6F
wcscat.MSVCRT ref: 00441A80
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
LoadLibraryW.KERNEL32(sqlite3.dll,?,00000104,00000000), ref: 00441AB9
LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000104,00000000), ref: 00441AC7
LoadLibraryW.KERNEL32(nss3.dll,?,00000104,00000000), ref: 00441AD7
GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF
GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00441B0C
GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00441B19
GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00441B26
GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00441B33
GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00441B40
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00441B4D
GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00441B5A

Strings

sqlite3_column_int64, xrefs: 00441B28
sqlite3_column_text, xrefs: 00441B0E
sqlite3_step, xrefs: 00441B01
\mozsqlite3.dll, xrefs: 00441A42
sqlite3_column_int, xrefs: 00441B1B
sqlite3_close, xrefs: 00441B42
sqlite3_exec, xrefs: 00441B4F
sqlite3.dll, xrefs: 00441AB4
sqlite3_open, xrefs: 00441AED
\sqlite3.dll, xrefs: 00441A0B
sqlite3_prepare, xrefs: 00441AF5
mozsqlite3.dll, xrefs: 00441AC2
\nss3.dll, xrefs: 00441A7A
nss3.dll, xrefs: 00441AD2
sqlite3_finalize, xrefs: 00441B35

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
API String ID: 2522319644-522817110
Opcode ID: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
Instruction ID: 320c17c5e6ace6947bedab1e2bf77c9c6d077df099d9b5840aba930edb5fc244
Opcode Fuzzy Hash: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
Instruction Fuzzy Hash: 855165B1901709BADB20FFB18D49A4BB7F8AF08704F5008ABE54AE2551E778E644CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0041604B, Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00416065
memcpy.MSVCRT ref: 00416074
GetCurrentProcessId.KERNEL32 ref: 00416085
memcpy.MSVCRT ref: 00416098
GetTickCount.KERNEL32 ref: 004160AC
memcpy.MSVCRT ref: 004160BF
QueryPerformanceCounter.KERNEL32(?), ref: 004160D5
memcpy.MSVCRT ref: 004160E5

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
Instruction ID: b821822af8fa1f08beba458ee4fa97db6355aebb6f9a48b4278dc6bbcb45c8c8
Opcode Fuzzy Hash: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
Instruction Fuzzy Hash: 601163F3900118ABDB00EFA4DC899DAB7ACEF19710F454536FA09DB144E674E748C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00415AFD, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00415B06

Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00415B2D
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00415B56
LocalFree.KERNEL32(?), ref: 00415B71
free.MSVCRT(?,0044A338,?), ref: 00415B9F

Part of subcall function 00414C63: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74B05970,?,00414D8E,?), ref: 00414C81
Part of subcall function 00414C63: malloc.MSVCRT ref: 00414C88

Strings

OsError 0x%x (%u), xrefs: 00415B83

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
String ID: OsError 0x%x (%u)
API String ID: 2360000266-2664311388
Opcode ID: b92bfb85b135c96f8b850ddecf84185ea98de4423d487b3975f43b970985a80a
Instruction ID: b695a5953d892c14765524e538430075cec87daac3f875befcc4cde39e80dde6
Opcode Fuzzy Hash: b92bfb85b135c96f8b850ddecf84185ea98de4423d487b3975f43b970985a80a
Instruction Fuzzy Hash: 5F118E34A00218BBDB21AFA19C49CDFBF78EF85B51B104067F405A2250D6795B809BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00407E0E, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00407E26
FindNextFileW.KERNEL32(00000000,?), ref: 00407E45
FindClose.KERNEL32(00000000), ref: 00407E65

Strings

ld@, xrefs: 00407E51
., xrefs: 00407E33
nss3.dll, xrefs: 00407E18

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$ld@$nss3.dll
API String ID: 3541575487-3654816495
Opcode ID: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
Instruction ID: 78963b1eb2bf7b5f8aa15039180698213c9a680973a94e339c68aae197af375e
Opcode Fuzzy Hash: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
Instruction Fuzzy Hash: CEF0BB75901528ABDB206BB4DC8C9ABB7ACEB45765F0401B2ED06E3180D334AE458AD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D674, Relevance: 4.5, APIs: 3, Instructions: 41fileclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
Part of subcall function 004074C6: GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00407506

OpenClipboard.USER32(?), ref: 0040D6B0
GetLastError.KERNEL32 ref: 0040D6C9
DeleteFileW.KERNEL32(?), ref: 0040D6E8

Part of subcall function 00407363: EmptyClipboard.USER32 ref: 0040736D
Part of subcall function 00407363: GetFileSize.KERNEL32(00000000,00000000), ref: 0040738A
Part of subcall function 00407363: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040739B
Part of subcall function 00407363: GlobalLock.KERNEL32 ref: 004073A8
Part of subcall function 00407363: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073BB
Part of subcall function 00407363: GlobalUnlock.KERNEL32(00000000), ref: 004073CD
Part of subcall function 00407363: SetClipboardData.USER32 ref: 004073D6
Part of subcall function 00407363: CloseHandle.KERNEL32(?), ref: 004073EA
Part of subcall function 00407363: CloseClipboard.USER32 ref: 004073FE

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
String ID:
API String ID: 2633007058-0
Opcode ID: 892bfac1ef1963b2894920ffb08dc1c3419521efeb45fa25f451c514730559f5
Instruction ID: bc74c52ab6c87c34bb6cce86e30c95d4cd513021a264dd7f219e40d67a453ac4
Opcode Fuzzy Hash: 892bfac1ef1963b2894920ffb08dc1c3419521efeb45fa25f451c514730559f5
Instruction Fuzzy Hash: 45F0C831B0030457EB646B71DC4EFAF376DAB40B01F00057AF469A51E2EFBAF9458A59

Uniqueness

Uniqueness Score: -1.00%

Function 00407674, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b36f1e02b416ec865f4d87fb5f88c2c9fdef71dbbf2c75f0f10f81923867f6e4
Instruction ID: 443b7a688d421a19dce43b17e8414db768b780ab8005fe7e93b00bb89c3c7b35
Opcode Fuzzy Hash: b36f1e02b416ec865f4d87fb5f88c2c9fdef71dbbf2c75f0f10f81923867f6e4
Instruction Fuzzy Hash: 76C0803C5002205FD7C04B88BC047C375B85B86727F004073ED40A1251C378680CCF9C

Uniqueness

Uniqueness Score: -1.00%

Function 004021D9, Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 282COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00402201
_wcsicmp.MSVCRT ref: 00402231
_wcsicmp.MSVCRT ref: 0040225E
_wcsicmp.MSVCRT ref: 0040228B

Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
Part of subcall function 0040805C: memcpy.MSVCRT ref: 0040808E

memset.MSVCRT ref: 0040262F
memcpy.MSVCRT ref: 00402664

Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897

memcpy.MSVCRT ref: 004026C0
LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040271E
FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040272D

Strings

!, xrefs: 00402525
K, xrefs: 0040239F
n, xrefs: 0040258E
L, xrefs: 004025E9
Path, xrefs: 00402226
q, xrefs: 004024AF
I, xrefs: 004023F3
server, xrefs: 004021ED
S, xrefs: 004024D1
t, xrefs: 0040252C
}, xrefs: 004022E2
g, xrefs: 0040231A
Data, xrefs: 00402280
w, xrefs: 004024D8
y, xrefs: 00402352
t, xrefs: 0040261A
b, xrefs: 004022F7
~, xrefs: 00402579
>, xrefs: 004022E9
a, xrefs: 004024ED
=, xrefs: 0040251E
H, xrefs: 004022DB
F, xrefs: 004023A6
u, xrefs: 0040244D
@, xrefs: 00402533
K, xrefs: 0040253A
>, xrefs: 004022D4
0, xrefs: 0040240E
$, xrefs: 0040259C
com.apple.WebKit2WebProcess, xrefs: 00402656
{, xrefs: 00402383
n, xrefs: 0040254F
/, xrefs: 004024DF
`, xrefs: 004024A1
X, xrefs: 00402605
com.apple.Safari, xrefs: 00402634
h, xrefs: 004024BD
Account, xrefs: 00402253
', xrefs: 004023D7
z, xrefs: 0040255D
A, xrefs: 0040236E
y, xrefs: 00402469
8, xrefs: 0040249A
H, xrefs: 004022CD
#, xrefs: 004025CD
t, xrefs: 004025F7
&, xrefs: 004025C6
&, xrefs: 0040230C
2, xrefs: 00402580
O, xrefs: 00402360
\, xrefs: 00402510
), xrefs: 004025AA
u, xrefs: 004023DE
^, xrefs: 004025FE

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 462158748-1134094380
Opcode ID: 67cf4eee38665e4ec1be56c90270dd44ce6e0e009cbb4a5b7d9f17bd5b1e0b61
Instruction ID: cc44404655acc20b5533cc0c34fbbab0c7f11d0fd0cfcd5d05bb593c6a12ed59
Opcode Fuzzy Hash: 67cf4eee38665e4ec1be56c90270dd44ce6e0e009cbb4a5b7d9f17bd5b1e0b61
Instruction Fuzzy Hash: C9F1FF208087E9C9DB32D7788D097CEBE645B23324F0443D9E1E87A2D2D7B55B85CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00409B6A, Relevance: 59.8, APIs: 27, Strings: 7, Instructions: 275stringCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00409B82
_wcsicmp.MSVCRT ref: 00409B97
_wcsnicmp.MSVCRT ref: 00409BB1
_wcsnicmp.MSVCRT ref: 00409BC5
wcslen.MSVCRT ref: 00409BD6
_wcsicmp.MSVCRT ref: 00409BF8
memset.MSVCRT ref: 00409C3D
wcscpy.MSVCRT ref: 00409C4A
wcslen.MSVCRT ref: 00409C6B
wcslen.MSVCRT ref: 00409C83
_wcsicmp.MSVCRT ref: 00409CC8
_wcsicmp.MSVCRT ref: 00409CDB
_wcsnicmp.MSVCRT ref: 00409CF2
memset.MSVCRT ref: 00409D38
wcschr.MSVCRT ref: 00409D40
wcslen.MSVCRT ref: 00409D48
wcscpy.MSVCRT ref: 00409D66
wcschr.MSVCRT ref: 00409D74
_wcsnicmp.MSVCRT ref: 00409DA4
memset.MSVCRT ref: 00409DD8
strlen.MSVCRT ref: 00409DDE
memcpy.MSVCRT ref: 00409DFA
strchr.MSVCRT ref: 00409E0F
memset.MSVCRT ref: 00409E39
memset.MSVCRT ref: 00409E4E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00409E6F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00409E82

Strings

ftp://, xrefs: 00409CEC
wininetcachecredentials, xrefs: 00409CBF, 00409CC4, 00409CD7
https://, xrefs: 00409BBF
:stringdata, xrefs: 00409BF2
internet explorer, xrefs: 00409B76, 00409B7B, 00409B93
http://, xrefs: 00409BAB
dpapi:, xrefs: 00409D9E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
API String ID: 2787044678-1843504584
Opcode ID: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
Instruction ID: bbe16b9e6473d86cc6eed57c0ed50d6d6787e5e5d2f3b2995f82d19aea11410f
Opcode Fuzzy Hash: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
Instruction Fuzzy Hash: 2891A571940209BFEF20EF55CD41EDF77A8AF54314F10006AF848A3292EB79EE508B68

Uniqueness

Uniqueness Score: -1.00%

Function 004113F4, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00411421
GetDlgItem.USER32 ref: 0041142D
GetWindowLongW.USER32(00000000,000000F0), ref: 0041143C
GetWindowLongW.USER32(?,000000F0), ref: 00411448
GetWindowLongW.USER32(00000000,000000EC), ref: 00411451
GetWindowLongW.USER32(?,000000EC), ref: 0041145D
GetWindowRect.USER32 ref: 0041146F
GetWindowRect.USER32 ref: 0041147A
MapWindowPoints.USER32 ref: 0041148E
MapWindowPoints.USER32 ref: 0041149C
GetDC.USER32 ref: 004114D5
wcslen.MSVCRT ref: 00411515
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00411526
ReleaseDC.USER32 ref: 00411573
_snwprintf.MSVCRT ref: 00411636
SetWindowTextW.USER32(?,?), ref: 0041164A
SetWindowTextW.USER32(?,00000000), ref: 00411668
GetDlgItem.USER32 ref: 0041169E
GetWindowRect.USER32 ref: 004116AE
MapWindowPoints.USER32 ref: 004116BC
GetClientRect.USER32 ref: 004116D3
GetWindowRect.USER32 ref: 004116DD
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411723
GetClientRect.USER32 ref: 0041172D
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411765

Strings

STATIC, xrefs: 004115D5
EDIT, xrefs: 0041160B
%s:, xrefs: 0041162B

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
Instruction ID: 8ff438caca04d900f401a49fee0f0db12add2221ca5be9c1dac879361ae65e4d
Opcode Fuzzy Hash: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
Instruction Fuzzy Hash: E3B1B071108341AFD720DF68C985E6BBBF9FB88704F004A2DF69692261DB75E944CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0040109F, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 004010F7
ChildWindowFromPoint.USER32 ref: 00401109
GetDlgItem.USER32 ref: 0040113F
ChildWindowFromPoint.USER32 ref: 0040114C
GetDlgItem.USER32 ref: 0040117A
ChildWindowFromPoint.USER32 ref: 0040118C
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401195
LoadCursorW.USER32(00000000,00000067), ref: 0040119E
SetCursor.USER32(00000000,?,?), ref: 004011A5
GetDlgItem.USER32 ref: 004011C6
ChildWindowFromPoint.USER32 ref: 004011D3
GetDlgItem.USER32 ref: 004011ED
SetBkMode.GDI32(?,00000001), ref: 004011F9
SetTextColor.GDI32(?,00C00000), ref: 00401207
GetSysColorBrush.USER32(0000000F), ref: 0040120F
GetDlgItem.USER32 ref: 00401230
EndDialog.USER32(?,?), ref: 00401265
DeleteObject.GDI32(?), ref: 00401271
GetDlgItem.USER32 ref: 00401296
ShowWindow.USER32(00000000), ref: 0040129F
GetDlgItem.USER32 ref: 004012AB
ShowWindow.USER32(00000000), ref: 004012AE
SetDlgItemTextW.USER32 ref: 004012BF
SetWindowTextW.USER32(?,WebBrowserPassView), ref: 004012CD
SetDlgItemTextW.USER32 ref: 004012E5
SetDlgItemTextW.USER32 ref: 004012F6

Strings

WebBrowserPassView, xrefs: 004012C5

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: WebBrowserPassView
API String ID: 829165378-2171583229
Opcode ID: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
Instruction ID: 8d9c6eba8ddb3a7c26c98eaf12cf57faa7ce2db5dd3d1d54ce32cd9ff2fd20fc
Opcode Fuzzy Hash: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
Instruction Fuzzy Hash: 8C517E35500308BBDB22AF64DC45E6E7BB5FB04742F104A7AF952A66F0C774AE50EB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040F767, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0040F7AC
GetDlgItem.USER32 ref: 0040F7C4
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F7E2
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0040F7EE
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0040F7F6
memset.MSVCRT ref: 0040F81D
memset.MSVCRT ref: 0040F83F
memset.MSVCRT ref: 0040F858
memset.MSVCRT ref: 0040F86C
memset.MSVCRT ref: 0040F886
memset.MSVCRT ref: 0040F89B
GetCurrentProcess.KERNEL32 ref: 0040F8A3
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F8C6
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F8F8
memset.MSVCRT ref: 0040F94B
GetCurrentProcessId.KERNEL32 ref: 0040F959
memcpy.MSVCRT ref: 0040F987
wcscpy.MSVCRT ref: 0040F9AA
_snwprintf.MSVCRT ref: 0040FA19
SetDlgItemTextW.USER32 ref: 0040FA31
GetDlgItem.USER32 ref: 0040FA3B
SetFocus.USER32(00000000), ref: 0040FA42

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040FA0E
{Unknown}, xrefs: 0040F831

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
Instruction ID: 69e9f0bde0ef3093fe47e3bafb281a214b560c7f74f151c34d98b156b899ddfd
Opcode Fuzzy Hash: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
Instruction Fuzzy Hash: F7719FB680121DBEEF219B50DC45EDA7B6CEF08355F0000B6F508A21A1DA799E88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAFF, Relevance: 42.1, APIs: 16, Strings: 8, Instructions: 124libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FB20
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
memset.MSVCRT ref: 0040FB90
wcslen.MSVCRT ref: 0040FB9D
wcslen.MSVCRT ref: 0040FBAC
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040FC6B
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040FC77

Part of subcall function 0040648C: memset.MSVCRT ref: 004064AD
Part of subcall function 0040648C: memset.MSVCRT ref: 004064FA
Part of subcall function 0040648C: RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
Part of subcall function 0040648C: wcscpy.MSVCRT ref: 00406642
Part of subcall function 0040648C: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
Part of subcall function 0040648C: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695

Strings

PK11_GetInternalKeySlot, xrefs: 0040FC3D
PK11_Authenticate, xrefs: 0040FC61
PK11SDR_Decrypt, xrefs: 0040FC6D
NSS_Init, xrefs: 0040FC28
NSS_Shutdown, xrefs: 0040FC31
PK11_FreeSlot, xrefs: 0040FC49
PK11_CheckUserPassword, xrefs: 0040FC55
nss3.dll, xrefs: 0040FB98, 0040FBC0

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 2554026968-4029219660
Opcode ID: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
Instruction ID: eeb2f36212a21d3aa086fe7dd3a0485c0e35c5a93e030d286215ed8b11f998db
Opcode Fuzzy Hash: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
Instruction Fuzzy Hash: 15418371940309ABEB209F61CC85E9AB7F8BF58744F10087EE58593191EBB999848F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4F7, Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 171COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F51A
wcslen.MSVCRT ref: 0040F522
wcslen.MSVCRT ref: 0040F52E
wcscpy.MSVCRT ref: 0040F5A5
wcscpy.MSVCRT ref: 0040F5B6
memset.MSVCRT ref: 0040F5CF
memset.MSVCRT ref: 0040F5E4
_snwprintf.MSVCRT ref: 0040F5FE
memset.MSVCRT ref: 0040F63D
wcslen.MSVCRT ref: 0040F64D
wcslen.MSVCRT ref: 0040F65B
wcscpy.MSVCRT ref: 0040F611

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

wcscpy.MSVCRT ref: 0040F6A2
memset.MSVCRT ref: 0040F6D1
memset.MSVCRT ref: 0040F6E6
_snwprintf.MSVCRT ref: 0040F702
wcscpy.MSVCRT ref: 0040F715

Strings

Profile%d, xrefs: 0040F5EA, 0040F6F4
Path, xrefs: 0040F72A
IsRelative, xrefs: 0040F745
General, xrefs: 0040F5B0
profiles.ini, xrefs: 0040F527, 0040F543

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
String ID: General$IsRelative$Path$Profile%d$profiles.ini
API String ID: 3014334669-2600475665
Opcode ID: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
Instruction ID: ca42eae1a8a54deb15ae60d9a008fbbac9316f2c57223d03809256618168ca92
Opcode Fuzzy Hash: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
Instruction Fuzzy Hash: F151627290021CBADB20EB55CD45ECEB7BCAF14744F5044B7B10DA2091EB789B888F6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1D0, Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 254windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A2C8: LoadMenuW.USER32 ref: 0040A2D0

SetMenu.USER32(?,00000000), ref: 0040D2E0
CreateStatusWindowW.COMCTL32(50000000,Function_000434FC,?,00000101), ref: 0040D2FB
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040D313
GetModuleHandleW.KERNEL32(00000000), ref: 0040D322
LoadImageW.USER32 ref: 0040D32F
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040D359
GetModuleHandleW.KERNEL32(00000000), ref: 0040D366
CreateWindowExW.USER32 ref: 0040D38D
GetFileAttributesW.KERNEL32(004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D468
GetTempPathW.KERNEL32(00000104,004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D478
wcslen.MSVCRT ref: 0040D47F
wcslen.MSVCRT ref: 0040D48D
RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001,?,00000000,/nosaveload,00000000,00000001), ref: 0040D4DA
SendMessageW.USER32(?,00000404,00000002,?), ref: 0040D515
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040D528

Part of subcall function 00403A14: wcslen.MSVCRT ref: 00403A31
Part of subcall function 00403A14: SendMessageW.USER32(?,00001061,?,?), ref: 00403A55

Strings

report.html, xrefs: 0040D486, 0040D49E
commdlg_FindReplace, xrefs: 0040D4D5
SysListView32, xrefs: 0040D387
/nosaveload, xrefs: 0040D412

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Message$Send$CreateWindowwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterStatusTempToolbar
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
API String ID: 1638525581-2103577948
Opcode ID: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
Instruction ID: 7a0d9eec849a31f4480aab016bccc9be6ec6f6c883519ecda8bf5f9757aa8271
Opcode Fuzzy Hash: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
Instruction Fuzzy Hash: D7A1A171500388AFEB11DF68CC89BCA7FA5AF55704F04447DFA486B292C7B59908CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00406DD9, Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 222COMMON

Download Yara Rule

APIs

Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB20
Part of subcall function 0040FAFF: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
Part of subcall function 0040FAFF: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB90
Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FB9D
Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FBAC
Part of subcall function 0040FAFF: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F

memset.MSVCRT ref: 00406E17
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
memset.MSVCRT ref: 00406E69
memset.MSVCRT ref: 00406E81
memset.MSVCRT ref: 00406E99
memset.MSVCRT ref: 00406EB1
wcslen.MSVCRT ref: 00406EBC
wcslen.MSVCRT ref: 00406ECA
wcslen.MSVCRT ref: 00406EF9
wcslen.MSVCRT ref: 00406F07
wcslen.MSVCRT ref: 00406F36
wcslen.MSVCRT ref: 00406F44
wcslen.MSVCRT ref: 00406F73
wcslen.MSVCRT ref: 00406F81
SetCurrentDirectoryW.KERNEL32(?), ref: 00407074

Part of subcall function 0040697E: memset.MSVCRT ref: 004069BD
Part of subcall function 0040697E: memset.MSVCRT ref: 00406A3C
Part of subcall function 0040697E: memset.MSVCRT ref: 00406A51

Strings

signons.txt, xrefs: 00406EC3, 00406ED8
signons.sqlite, xrefs: 00406F7A, 00406F8F
signons2.txt, xrefs: 00406F00, 00406F15
signons3.txt, xrefs: 00406F3D, 00406F52

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memsetwcslen$AddressProc$CurrentDirectory$LibraryLoad$ByteCharHandleModuleMultiWide
String ID: signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 1908949080-2435954524
Opcode ID: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
Instruction ID: 8f96e2222c77d76af5181fd0f533d019f0899d465181413e0b466bd376840954
Opcode Fuzzy Hash: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
Instruction Fuzzy Hash: 8871B07180461AABDB21EF61DC41A9E77BCFF04318F1004AEF909F2181E779AE548F69

Uniqueness

Uniqueness Score: -1.00%

Function 00441C15, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
??2@YAPAXI@Z.MSVCRT ref: 00441C46
GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
_snwprintf.MSVCRT ref: 00441CC6
wcscpy.MSVCRT ref: 00441CF0
??3@YAXPAX@Z.MSVCRT ref: 00441DA0

Strings

InternalName, xrefs: 00441D5D
\VarFileInfo\Translation, xrefs: 00441CA0
ProductName, xrefs: 00441CF7
ProductVersion, xrefs: 00441D33
LegalCopyright, xrefs: 00441D72
FileDescription, xrefs: 00441D09
OriginalFileName, xrefs: 00441D87
FileVersion, xrefs: 00441D1E
CompanyName, xrefs: 00441D48
040904E4, xrefs: 00441CEA
%4.4X%4.4X, xrefs: 00441CBB

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: 76175b8a86119ebe01a83dcd535ce8ac3cdcc4dd7478e422eacbcfec517dbd2c
Instruction ID: 5dc843b0b2888ef0cde47c2e58fd974eed7f8edc5a370bbe46a7031584b3d011
Opcode Fuzzy Hash: 76175b8a86119ebe01a83dcd535ce8ac3cdcc4dd7478e422eacbcfec517dbd2c
Instruction Fuzzy Hash: 044143B2940618BAE704EFA1EC82DDEB7BCFF08744B400557B505A3151DB78BA85CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C8CF, Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C912
memset.MSVCRT ref: 0040C927
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C970
ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C97B
SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
LoadImageW.USER32 ref: 0040C9F8
GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
LoadImageW.USER32 ref: 0040CA15
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
GetSysColor.USER32(0000000F), ref: 0040CA2E
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040CA49
ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040CA59
DeleteObject.GDI32(?), ref: 0040CA65
DeleteObject.GDI32(?), ref: 0040CA6B
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040CA88

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: 45911c1970665382fa90db5d41abc719a2ef46b241cbde3be6a9b9b2f588298f
Instruction ID: 0a3ff62ab3886bf523a191411b010267208ec01492d8cd9208f2635b8a46902f
Opcode Fuzzy Hash: 45911c1970665382fa90db5d41abc719a2ef46b241cbde3be6a9b9b2f588298f
Instruction Fuzzy Hash: A541B871640304BFE7209F70CC8AF97B7ACFB09B45F000929F399A51D1C6B5A9408B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040648C, Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 173registrytimeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004064AD

Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

_wcsnicmp.MSVCRT ref: 00406520
memset.MSVCRT ref: 00406544
memset.MSVCRT ref: 00406560
_snwprintf.MSVCRT ref: 00406580
wcsrchr.MSVCRT ref: 004065A7
CompareFileTime.KERNEL32(?,?,00000000), ref: 004065DA
wcscpy.MSVCRT ref: 004065FC
memset.MSVCRT ref: 004064FA

Part of subcall function 00411BFE: RegEnumKeyExW.ADVAPI32(00000000,0040FB38,0040FB38,?,00000000,00000000,00000000,0040FB38,0040FB38,00000000), ref: 00411C21

RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
wcscpy.MSVCRT ref: 00406642
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695

Strings

SOFTWARE\Mozilla, xrefs: 004064C9
PathToExe, xrefs: 00406585
%s\bin, xrefs: 0040656F
mozilla, xrefs: 0040651A
%programfiles%\Mozilla Firefox, xrefs: 00406654

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 1094916163-2797892316
Opcode ID: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
Instruction ID: 63e98d9b0590a06fe0611c8d8f76d67a06a86b9579f74a21c863053dc4382b5e
Opcode Fuzzy Hash: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
Instruction Fuzzy Hash: F5515472D00218BAEF20EB61DC45ADFB7BCAF04354F0104A6F905F2191EB799B94CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004125BA, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004125DC
memset.MSVCRT ref: 004125F1
wcscpy.MSVCRT ref: 00412623
_snwprintf.MSVCRT ref: 00412643
wcscat.MSVCRT ref: 00412650
_snwprintf.MSVCRT ref: 0041267F
wcscat.MSVCRT ref: 0041268C
wcscat.MSVCRT ref: 0041269A
wcscat.MSVCRT ref: 004126AC
wcscat.MSVCRT ref: 004126B7
wcscat.MSVCRT ref: 004126C9
wcscat.MSVCRT ref: 004126DB

Strings

<font, xrefs: 0041261D
color="#%s", xrefs: 0041266E
</font>, xrefs: 004126D5
</b>, xrefs: 004126C3
<b>, xrefs: 004126A6
size="%d", xrefs: 00412632

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
Instruction ID: 1bdd15307226dc02cd036ffdab734ce65306a7f25c134a46d7f370f8b7d92746
Opcode Fuzzy Hash: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
Instruction Fuzzy Hash: 2C31E9B2900305BEEB20AA559E82DBF73BCDF41715F60405FF214E21C2DABC9E859A1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC89, Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31

Strings

NtQuerySymbolicLinkObject, xrefs: 0040FCEB
ntdll.dll, xrefs: 0040FC97
NtUnloadDriver, xrefs: 0040FCC7
NtLoadDriver, xrefs: 0040FCB5
NtSuspendProcess, xrefs: 0040FD0F
NtResumeProcess, xrefs: 0040FD21
NtOpenSymbolicLinkObject, xrefs: 0040FCD9
NtQuerySystemInformation, xrefs: 0040FCA8
NtQueryObject, xrefs: 0040FCFD

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: d01a7573c8c1d70ed52b2f6ff8626cb2949720c0675fde4b879603f159105d12
Instruction ID: df14504fdc59ccf6a8c55cbe4aacceea24f9204784c5926a31105bf4aba29bc2
Opcode Fuzzy Hash: d01a7573c8c1d70ed52b2f6ff8626cb2949720c0675fde4b879603f159105d12
Instruction Fuzzy Hash: 8E018478D40314BBEB119F71AC09B563EA9F7187967180977F41862272DBB98810EE8C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEB4, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 184COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BED5
memset.MSVCRT ref: 0040BEFF
memset.MSVCRT ref: 0040BF15
memset.MSVCRT ref: 0040BF2B
_snwprintf.MSVCRT ref: 0040BF64
wcscpy.MSVCRT ref: 0040BFAF
_snwprintf.MSVCRT ref: 0040C03C
wcscat.MSVCRT ref: 0040C06E

Part of subcall function 0041248F: _snwprintf.MSVCRT ref: 004124B3

wcscpy.MSVCRT ref: 0040C050
_snwprintf.MSVCRT ref: 0040C0AD

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

<table border="1" cellpadding="5">, xrefs: 0040BF6C
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040BEDD
</table><p>, xrefs: 0040C0CF
nowrap, xrefs: 0040BFA9
 , xrefs: 0040C068
bgcolor="%s", xrefs: 0040BF56
<font color="%s">%s</font>, xrefs: 0040C02F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _snwprintfmemset$wcscpy$FileWritewcscatwcslen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1277802453-601624466
Opcode ID: afbe44f23bf8ba0960694767798beca720d6b7b0fa1b1000d23084d0d272dd1b
Instruction ID: c023c2c05774347514c90e9c4a79a5fc261e79551634f2018d74b142c4ca0a41
Opcode Fuzzy Hash: afbe44f23bf8ba0960694767798beca720d6b7b0fa1b1000d23084d0d272dd1b
Instruction Fuzzy Hash: 6B619E31900208EFEF14EF94CC86EAEBB79EF44314F50419AF905AA1D2DB75AA51CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004126E8, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041270E
memset.MSVCRT ref: 00412723
memset.MSVCRT ref: 00412738
_snwprintf.MSVCRT ref: 00412767
_snwprintf.MSVCRT ref: 00412796
wcscpy.MSVCRT ref: 004127A7
_snwprintf.MSVCRT ref: 004127C7
memset.MSVCRT ref: 00412803
_snwprintf.MSVCRT ref: 00412824
_snwprintf.MSVCRT ref: 0041285E

Part of subcall function 0041248F: _snwprintf.MSVCRT ref: 004124B3

Strings

width="%s", xrefs: 00412813
<table border="1" cellpadding="5"><tr%s>, xrefs: 004127B6
bgcolor="%s", xrefs: 00412756
</font>, xrefs: 004127A1
<th%s>%s%s%s, xrefs: 0041284D
<font color="%s">, xrefs: 00412785

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
Instruction ID: df620ac0873104ba588d68bc57a3bc16e82c0a505241d1212890b0a23309d9f4
Opcode Fuzzy Hash: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
Instruction Fuzzy Hash: 03418371D402197AEB20EB55DD41EFB727CFF04304F4401AAB509E2181EB749B948F6A

Uniqueness

Uniqueness Score: -1.00%

Function 004035E2, Relevance: 27.1, APIs: 18, Instructions: 66windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C912
Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C927
Part of subcall function 0040C8CF: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
Part of subcall function 0040C8CF: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
Part of subcall function 0040C8CF: LoadImageW.USER32 ref: 0040C9F8
Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
Part of subcall function 0040C8CF: LoadImageW.USER32 ref: 0040CA15
Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
Part of subcall function 0040C8CF: GetSysColor.USER32(0000000F), ref: 0040CA2E

GetModuleHandleW.KERNEL32(00000000), ref: 004035F4
LoadIconW.USER32(00000000,00000072), ref: 004035FF
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403610
GetModuleHandleW.KERNEL32(00000000), ref: 00403614
LoadIconW.USER32(00000000,00000074), ref: 00403619
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00403624
GetModuleHandleW.KERNEL32(00000000), ref: 00403628
LoadIconW.USER32(00000000,00000073), ref: 0040362D
ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 00403638
GetModuleHandleW.KERNEL32(00000000), ref: 0040363C
LoadIconW.USER32(00000000,00000075), ref: 00403641
ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 0040364C
GetModuleHandleW.KERNEL32(00000000), ref: 00403650
LoadIconW.USER32(00000000,0000006F), ref: 00403655
ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 00403660
GetModuleHandleW.KERNEL32(00000000), ref: 00403664
LoadIconW.USER32(00000000,00000076), ref: 00403669
ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 00403674

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Image$Icon$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 792915304-0
Opcode ID: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
Instruction ID: 62ec96a61e35675a05b55f01cd8090f0511f6faf4d41b9404683e1d7d0c62212
Opcode Fuzzy Hash: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
Instruction Fuzzy Hash: 6901E1A17957087AF53137B2EC4BF6B7B5EDF81F4AF214414F30C990E0C9A6AD105928

Uniqueness

Uniqueness Score: -1.00%

Function 00408D9D, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28

Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2

free.MSVCRT(00000000), ref: 00408F8C

Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A

memset.MSVCRT ref: 00408E72

Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
Part of subcall function 0040805C: memcpy.MSVCRT ref: 0040808E

wcschr.MSVCRT ref: 00408EAA
memcpy.MSVCRT ref: 00408EDE
memcpy.MSVCRT ref: 00408EF9
memcpy.MSVCRT ref: 00408F14
memcpy.MSVCRT ref: 00408F2F

Strings

AccessCount, xrefs: 00408E0E
Url, xrefs: 00408E4F
CreationTime, xrefs: 00408E1B
, xrefs: 00408DCF
AccessedTime, xrefs: 00408E35
ExpiryTime, xrefs: 00408E28
EntryID, xrefs: 00408E5C
ModifiedTime, xrefs: 00408E42

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3849927982-2252543386
Opcode ID: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
Instruction ID: 190f3b00b4426260eb01f26a53b79380eacfea7d83453a492e965ac02b193b52
Opcode Fuzzy Hash: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
Instruction Fuzzy Hash: 64510C72E00309AAEF10EFA5DD45A9EB7B9AF54314F14403FA544F7281EA78AA048F58

Uniqueness

Uniqueness Score: -1.00%

Function 00406B9F, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000,00000104,00000001,00000000,?,00407052,?,?,?,0000001E), ref: 00406BC8
??2@YAPAXI@Z.MSVCRT ref: 00406BDC

Part of subcall function 00407B93: ReadFile.KERNEL32(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

memset.MSVCRT ref: 00406C0B
memset.MSVCRT ref: 00406C2B
memset.MSVCRT ref: 00406C40
strcmp.MSVCRT ref: 00406C64
??3@YAXPAX@Z.MSVCRT ref: 00406DC3
CloseHandle.KERNEL32(Rp@,?,00407052,?,?,?,0000001E), ref: 00406DCC

Strings

Rp@, xrefs: 00406DC9, 00406BE6
---, xrefs: 00406D8E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Filememset$??2@??3@CloseCreateHandleReadSizestrcmp
String ID: ---$Rp@
API String ID: 2784192885-2834202798
Opcode ID: 7cf5505fde5f7a6ca81fe01c549bb0ad296e6a7104cc4401806f668b22f45092
Instruction ID: 5360a5981a47af023619c2d52a4e150b55de9ab2e9c88b676a0c17dd944fe9c5
Opcode Fuzzy Hash: 7cf5505fde5f7a6ca81fe01c549bb0ad296e6a7104cc4401806f668b22f45092
Instruction Fuzzy Hash: 2E51817290815DAAEF21DB558C819DEBBBCEF14304F1040FBE50AA3141DA389FD5DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA44, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AA6A
memset.MSVCRT ref: 0040AA86

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

Part of subcall function 00441C15: GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
Part of subcall function 00441C15: ??2@YAPAXI@Z.MSVCRT ref: 00441C46
Part of subcall function 00441C15: GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
Part of subcall function 00441C15: _snwprintf.MSVCRT ref: 00441CC6
Part of subcall function 00441C15: wcscpy.MSVCRT ref: 00441CF0

wcscpy.MSVCRT ref: 0040AACA
wcscpy.MSVCRT ref: 0040AAD9
wcscpy.MSVCRT ref: 0040AAE9
EnumResourceNamesW.KERNEL32(0040ABE8,00000004,0040A818,00000000), ref: 0040AB4E
EnumResourceNamesW.KERNEL32(0040ABE8,00000005,0040A818,00000000), ref: 0040AB58
wcscpy.MSVCRT ref: 0040AB60

Strings

general, xrefs: 0040AADE
TranslatorURL, xrefs: 0040AB06
TranslatorName, xrefs: 0040AAF5
RTL, xrefs: 0040AB2F
Version, xrefs: 0040AB1C
strings, xrefs: 0040AB5A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-517860148
Opcode ID: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
Instruction ID: 9c0725b1fda07d439eb4652870f5b63d7404026a1df9010dc4cb7dda8e53314a
Opcode Fuzzy Hash: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
Instruction Fuzzy Hash: 6D21807294021875E720B7529C46ECF7A6CAF40755F90447BF60CB20D2EAB85B948AAE

Uniqueness

Uniqueness Score: -1.00%

Function 004038C4, Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

Strings

CryptHashData, xrefs: 00403909
advapi32.dll, xrefs: 004038CA
CryptDestroyHash, xrefs: 00403915
CryptCreateHash, xrefs: 004038F1
CryptGetHashParam, xrefs: 004038FD
CryptReleaseContext, xrefs: 004038E5
CryptAcquireContextA, xrefs: 004038DB

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
API String ID: 2238633743-1621422469
Opcode ID: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
Instruction ID: 1a4948e4bf817cd33749cdf205c6c1bb7532e39c1774f91cd0a649ea1cfd5687
Opcode Fuzzy Hash: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
Instruction Fuzzy Hash: 18F0F475940744AAEB30AF769D49E06BEF0EFA8B027218D2EE1C1A3651D7B99240CE44

Uniqueness

Uniqueness Score: -1.00%

Function 00410D5D, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(psapi.dll,?,0040F921), ref: 00410D70
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00410D89
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410D9A
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00410DAB
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410DBC
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00410DCD
FreeLibrary.KERNEL32(00000000), ref: 00410DED

Strings

EnumProcessModules, xrefs: 00410D94
psapi.dll, xrefs: 00410D6B
GetModuleInformation, xrefs: 00410DC7
GetModuleFileNameExW, xrefs: 00410DA5
GetModuleBaseNameW, xrefs: 00410D83
EnumProcesses, xrefs: 00410DB6

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2449869053-70141382
Opcode ID: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
Instruction ID: 1ed5449ad40e57d8b224171af96504b1ffda3ff1f81db88aadee6c58e1c1cdad
Opcode Fuzzy Hash: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
Instruction Fuzzy Hash: BB01B574A45312AEE7109B64FC40BFB2EA4B781B42B20403BE400D1396DBBCD8C29A6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E191, Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E197
_wcsicmp.MSVCRT ref: 0040E1AC

Strings

/sverhtml, xrefs: 0040E1A7
/sxml, xrefs: 0040E1BC
/shtml, xrefs: 0040E192
/stab, xrefs: 0040E1D1
/stabular, xrefs: 0040E1E6
/skeepass, xrefs: 0040E210
/scomma, xrefs: 0040E1FB

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
Instruction ID: 054bd0190cb9dfc881084e553ec7e2e67fad8357780775fa0482b63ba5cfd284
Opcode Fuzzy Hash: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
Instruction Fuzzy Hash: 7101DE72ACA31138F83851672D17F971A598FA1B7AF70196FF514D81C6EEAC9000709D

Uniqueness

Uniqueness Score: -1.00%

Function 00410CD9, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0040F928), ref: 00410CE8
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00410D01
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00410D12
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00410D23
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00410D34
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00410D45

Strings

Module32Next, xrefs: 00410D1D
kernel32.dll, xrefs: 00410CE3
Process32First, xrefs: 00410D2E
Process32Next, xrefs: 00410D3F
CreateToolhelp32Snapshot, xrefs: 00410CFB
Module32First, xrefs: 00410D0C

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
Instruction ID: 16f3a03532fd71bf7b987582fee040d1dd7fa58dea07b6b8c7b27d1037cf047a
Opcode Fuzzy Hash: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
Instruction Fuzzy Hash: 92F0F474605321A9A3108BA8BD00BA72FF86781F52B10013BED00D1266DBBCD8C29F7E

Uniqueness

Uniqueness Score: -1.00%

Function 004037C3, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040383E: FreeLibrary.KERNEL32(?,004037CB,00000000,00408635,?,00000000,?), ref: 00403845

LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819

Strings

CredEnumerateA, xrefs: 00403803
CredEnumerateW, xrefs: 0040380F
advapi32.dll, xrefs: 004037CB
CredDeleteA, xrefs: 004037F7
CredReadA, xrefs: 004037E3
CredFree, xrefs: 004037EB

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
Instruction ID: c94656deef6b20b6b745ef32668947add9de3545ed3fb2bb9f52e7e7eb3e89f2
Opcode Fuzzy Hash: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
Instruction Fuzzy Hash: D9012C355007809AD730AF6AC809F06BEE4EF54B02B21886FF091A3791D7B9E240CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004033DF, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

memset.MSVCRT ref: 00403415
memset.MSVCRT ref: 0040342A
memset.MSVCRT ref: 0040343F
_snwprintf.MSVCRT ref: 00403467
wcscpy.MSVCRT ref: 00403483
_snwprintf.MSVCRT ref: 004034C6

Strings

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004033EF
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004034B9
WebBrowserPassView, xrefs: 004034AB
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040345A
<table dir="rtl"><tr><td>, xrefs: 0040347D

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$_snwprintf$FileWritewcscpywcslen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$WebBrowserPassView
API String ID: 2731979376-1376879643
Opcode ID: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
Instruction ID: ae32d01ec2d3a7685ec326ba9a70c170c8059c8ae6e66fa8bd15e07dd33865c2
Opcode Fuzzy Hash: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
Instruction Fuzzy Hash: 2E217672D002187ADB21AF55DC41FEA76BCEB08785F0040AFF509A6191DA799F848F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE35, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 153windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040DE90
SetTextColor.GDI32(?,00FF0000), ref: 0040DE9E
SelectObject.GDI32(?,?), ref: 0040DEB3
DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040DEE9
SelectObject.GDI32(00000014,00000000), ref: 0040DEF3
GetModuleHandleW.KERNEL32(00000000), ref: 0040DF0E
LoadCursorW.USER32(00000000,00000067), ref: 0040DF17
SetCursor.USER32(00000000), ref: 0040DF1E
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040DF64

Strings

WebBrowserPassView, xrefs: 0040DF2C

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CursorObjectSelectText$ColorDrawHandleLoadMessageModeModulePost
String ID: WebBrowserPassView
API String ID: 101102110-2171583229
Opcode ID: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
Instruction ID: 5844c3f8be721e5f4358c4987d475350c1bb70f51af30b4dfd416207439779ca
Opcode Fuzzy Hash: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
Instruction Fuzzy Hash: D451D431A00206ABDB10AFA4C845F6AB7A6BF44315F20853AF507B72E0C779AD15DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040931D, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,004094E9,?,?,00409553,00000000), ref: 0040933D

Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE

GetFileSize.KERNEL32(00000000,00000000), ref: 0040936D

Part of subcall function 0040928C: _memicmp.MSVCRT ref: 004092A6
Part of subcall function 0040928C: memcpy.MSVCRT ref: 004092BD

memcpy.MSVCRT ref: 004093B4
strchr.MSVCRT ref: 004093D9
strchr.MSVCRT ref: 004093EA
_strlwr.MSVCRT ref: 004093F8
memset.MSVCRT ref: 00409413
CloseHandle.KERNEL32(00000000), ref: 00409460

Strings

h, xrefs: 004093C5
4, xrefs: 00409361

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
Instruction ID: cde85974a53443ad19b2097b399cb4fe7e1f14935bf37b0ef0624c00476b394c
Opcode Fuzzy Hash: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
Instruction Fuzzy Hash: 333186B1900118BEEB11EB54CC85BEE77ACEF04358F10406AFA08E6181D7789F558B69

Uniqueness

Uniqueness Score: -1.00%

Function 00411C63, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411C91
memset.MSVCRT ref: 00411CA6
_snwprintf.MSVCRT ref: 00411CC0
_snwprintf.MSVCRT ref: 00411CDF
memset.MSVCRT ref: 00411D11
memset.MSVCRT ref: 00411D26
memset.MSVCRT ref: 00411D3B
_snwprintf.MSVCRT ref: 00411D55
_snwprintf.MSVCRT ref: 00411D72

Strings

%%0.%df, xrefs: 00411CB3, 00411D48

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
Instruction ID: 8dc9084977ea8e099579ef4c9ca95b08d60ceca6feee4e1064a0b0e4f5e47a8f
Opcode Fuzzy Hash: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
Instruction Fuzzy Hash: 79313E71800229BAEB20DF55DC85FEBBBBCFF49308F4000EAB609A2151D7749B94CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00410DF5, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00410E0E
wcscpy.MSVCRT ref: 00410E1E

Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC

wcscpy.MSVCRT ref: 00410E6D
wcscat.MSVCRT ref: 00410E78
memset.MSVCRT ref: 00410E54

Part of subcall function 00407723: GetWindowsDirectoryW.KERNEL32(00451698,00000104,?,00410EAD,?,?,00000000,00000208,?), ref: 00407739
Part of subcall function 00407723: wcscpy.MSVCRT ref: 00407749

memset.MSVCRT ref: 00410E9C
memcpy.MSVCRT ref: 00410EB7
wcscat.MSVCRT ref: 00410EC3

Strings

\systemroot, xrefs: 00410E2B

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
Instruction ID: 1a8d2db1a324573a28d88b24eeb1ed9c65cf0fc221c6a4ee7099d5d8ca3d40a6
Opcode Fuzzy Hash: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
Instruction Fuzzy Hash: B121F9B280530479E621E7628D86EEB63EC9F05754F60455FF119E2082FABCA6C58B1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040697E, Relevance: 16.7, APIs: 10, Strings: 1, Instructions: 187stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00441975: memset.MSVCRT ref: 004419A0
Part of subcall function 00441975: wcscpy.MSVCRT ref: 004419B7
Part of subcall function 00441975: memset.MSVCRT ref: 004419EA
Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A00
Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A11
Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A37
Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A48
Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A6F
Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A80
Part of subcall function 00441975: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
Part of subcall function 00441975: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF

memset.MSVCRT ref: 004069BD

Part of subcall function 00407DC0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,004028DC,?,?,00000003,00000000,00000000), ref: 00407DD9

memset.MSVCRT ref: 00406A3C
memset.MSVCRT ref: 00406A51
strcpy.MSVCRT(?,00000000,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AC4
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406ADA
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AF0
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B06
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B1C
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B32
memset.MSVCRT ref: 00406B48

Strings

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 00406A03

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
API String ID: 2096775815-1740008135
Opcode ID: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
Instruction ID: 0d09ea3875aa138d6f02baa8234f1932a31c53e7e6ecd19b10853a161b4d72d0
Opcode Fuzzy Hash: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
Instruction Fuzzy Hash: 6D61E9B2C0421EEEDF11AF91DC419DEBBB8EF04314F10406BF505B2191EA79AA94CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00415EAF, Relevance: 16.6, APIs: 11, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
malloc.MSVCRT ref: 00415EE6
free.MSVCRT(?), ref: 00415EF6
GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F0A
free.MSVCRT(?), ref: 00415F0F
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415F25
malloc.MSVCRT ref: 00415F2D
GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F40
free.MSVCRT(?), ref: 00415F45
free.MSVCRT(?), ref: 00415F59
free.MSVCRT(00000000,0044A338,00000000), ref: 00415F78

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: free$FullNamePath$malloc$Version
String ID:
API String ID: 3356672799-0
Opcode ID: 61acd55b7f6f74b1de7cfca591009593a893279d718121bcb2ed6df4730cb7d0
Instruction ID: 788494e2a8c2de429da1840323bde4c0a518de2f45811afbb62912a9d7d550b6
Opcode Fuzzy Hash: 61acd55b7f6f74b1de7cfca591009593a893279d718121bcb2ed6df4730cb7d0
Instruction Fuzzy Hash: F321CB71900108FFEB117FA5DD46CDFBBA9DF80368B20007BF404A2160EA785F809568

Uniqueness

Uniqueness Score: -1.00%

Function 00407363, Relevance: 16.6, APIs: 11, Instructions: 59clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 0040736D

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000), ref: 0040738A
GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040739B
GlobalLock.KERNEL32 ref: 004073A8
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073BB
GlobalUnlock.KERNEL32(00000000), ref: 004073CD
SetClipboardData.USER32 ref: 004073D6
GetLastError.KERNEL32 ref: 004073DE
CloseHandle.KERNEL32(?), ref: 004073EA
GetLastError.KERNEL32 ref: 004073F5
CloseClipboard.USER32 ref: 004073FE

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
Instruction ID: 70226e125eefff96fe42492f97b8668800667adb6f1e94a7dd2fd5f696112ff0
Opcode Fuzzy Hash: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
Instruction Fuzzy Hash: E311423A904204FBE7105FB5EC4DA5E7F78EB06B52F204176FD02E5290DB749A01DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004121F2, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00412265

Strings

Favorites, xrefs: 00412224
Common Start Menu, xrefs: 00412232
AppData, xrefs: 0041224A
Desktop, xrefs: 0041220F
Common Desktop, xrefs: 00412251
Startup, xrefs: 0041221D
Start Menu, xrefs: 00412216
Common Startup, xrefs: 00412258
Programs, xrefs: 0041222B
Common Programs, xrefs: 0041225F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 1284135714-318151290
Opcode ID: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
Instruction ID: 454bece2ea24cac32075296694d9d3cbfc4d611bf65854eebe1c10393ee0200f
Opcode Fuzzy Hash: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
Instruction Fuzzy Hash: 46F01D3329C746A0383D09680B06AFF1001E2127497B585D3A882E06D5C8FDCEF2F81F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A16C, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040A182
memset.MSVCRT ref: 0040A1A6
GetMenuItemInfoW.USER32 ref: 0040A1E1
memset.MSVCRT ref: 0040A210
wcschr.MSVCRT ref: 0040A21C
wcscat.MSVCRT ref: 0040A277
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040A293

Strings

0, xrefs: 0040A1C1
6, xrefs: 0040A1CC

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
Instruction ID: 34000a492db7a65727c4d20bf870b817f1c48c155544aae5e12c30b4e9d7c158
Opcode Fuzzy Hash: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
Instruction Fuzzy Hash: 64318B72408340AFDB20DF91D845A9BB7E8FF84354F00497EF948A2291E37ADA14CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00403926, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
#17.COMCTL32(?,00000002,?,?,?,0040E305,00000000), ref: 00403979
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996

Strings

InitCommonControlsEx, xrefs: 00403951
Error, xrefs: 0040398B
Error: Cannot load the common control classes., xrefs: 00403990
comctl32.dll, xrefs: 0040392E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
Instruction ID: dc7e95600dee0bf6daca19896d95929b9e7fb1f9fe7c184dfd563e32ea829a14
Opcode Fuzzy Hash: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
Instruction Fuzzy Hash: 8501D1B67502117BE3111FB49C89B6B7EACDB42F4BB100139B502F2280DBB8CF05869C

Uniqueness

Uniqueness Score: -1.00%

Function 0040FABA, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAC9
GetModuleHandleW.KERNEL32(sqlite3.dll,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAD2
GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FADB
FreeLibrary.KERNEL32(00000000,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAEA
FreeLibrary.KERNEL32(00000000,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF1
FreeLibrary.KERNEL32(00000000,?,74B057F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF8

Strings

sqlite3.dll, xrefs: 0040FACB
mozsqlite3.dll, xrefs: 0040FAD4
nss3.dll, xrefs: 0040FAC4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FreeHandleLibraryModule
String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
API String ID: 662261464-3550686275
Opcode ID: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
Instruction ID: c5d69885cf2e3d5474ff6b38c23ba8038bf1212ac087c8b68f6824d90ef94812
Opcode Fuzzy Hash: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
Instruction Fuzzy Hash: 1AE0D816B0132E669E2067F16C44D1B7E5CC892AE53150037A904A32408DEC5C0599F8

Uniqueness

Uniqueness Score: -1.00%

Function 00441FDC, Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00442017
memcpy.MSVCRT ref: 004420BB
memcpy.MSVCRT ref: 004420CD
memcpy.MSVCRT ref: 004420F5
memcpy.MSVCRT ref: 00442107
memcpy.MSVCRT ref: 00442119
memcpy.MSVCRT ref: 00442168
memset.MSVCRT ref: 004421B6

Strings

G"D, xrefs: 00442164, 00442170, 00442167, 00442173
G"D, xrefs: 00442009, 004421D0, 0044203F, 00442089, 00442011

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy$memchrmemset
String ID: G"D$G"D
API String ID: 1581201632-2001841848
Opcode ID: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
Instruction ID: 18be241936230d761fb3e4c1ab226db0ef0f42d77396bda2a3194a4a2a5a8e65
Opcode Fuzzy Hash: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
Instruction Fuzzy Hash: CE51E671900219ABDB10EF65CD85EEEB7BCAF44304F44446BFA49D7141E778EA48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00407890, Relevance: 15.1, APIs: 10, Instructions: 103COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004078A9
GetSystemMetrics.USER32 ref: 004078AF
GetDC.USER32(00000000), ref: 004078BC
GetDeviceCaps.GDI32(00000000,00000008), ref: 004078CD
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004078D4
ReleaseDC.USER32 ref: 004078DB
GetWindowRect.USER32 ref: 004078EE
GetParent.USER32(?), ref: 004078F3
GetWindowRect.USER32 ref: 00407910
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040796F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
Instruction ID: 40da1e460122d0dbc2375826a99d02d2520f98ce936ed6642694246a0da552c1
Opcode Fuzzy Hash: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
Instruction Fuzzy Hash: D3318176A00209AFDB04DFB8CC85AEEBBB9FB48351F150175E901F3290DA70AE418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0040684F, Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406878
memset.MSVCRT ref: 0040688C
strcpy.MSVCRT(?), ref: 004068A6
strcpy.MSVCRT(?,?,?,?,?,?), ref: 004068EB
strcpy.MSVCRT(?,00001000,?,?,?,?,?,?), ref: 004068FF
strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?), ref: 00406912
wcscpy.MSVCRT ref: 00406921
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 00406948
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 0040695E

Strings

Rp@, xrefs: 0040684F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: strcpy$ByteCharMultiWidememset$wcscpy
String ID: Rp@
API String ID: 4248099071-3382320042
Opcode ID: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
Instruction ID: 073529020724e05d4964247b7c64433db30515fb9166064be710f6d7ccb76f44
Opcode Fuzzy Hash: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
Instruction Fuzzy Hash: 653141B290011DBFDB20DA55CC84FEA77BCFF09358F0445AAB919E3141DA74AA588F68

Uniqueness

Uniqueness Score: -1.00%

Function 00402B99, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00402BA5
abs.MSVCRT ref: 00402C95
abs.MSVCRT ref: 00402CC5
log.MSVCRT ref: 00402D61
log.MSVCRT ref: 00402D72
free.MSVCRT(00000000), ref: 00402D8E
free.MSVCRT(?), ref: 00402DA0

Strings

, xrefs: 00402BCB

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: free$wcslen
String ID:
API String ID: 3592753638-3916222277
Opcode ID: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
Instruction ID: 27dbad6a18cb5119fe9557e6abee58e32c1211c22f38b2cca10356837960f856
Opcode Fuzzy Hash: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
Instruction Fuzzy Hash: DA615770C0811AEBEF189F95E6895AEB771FF04305F60847FE442B62E0DBB84981CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408C67, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28

memset.MSVCRT ref: 00408CAF

Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2

free.MSVCRT(000000FF,?,000000FF,00000000,00000104,74B5F560), ref: 00408D7D

Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A

Part of subcall function 00408116: wcslen.MSVCRT ref: 00408125
Part of subcall function 00408116: _memicmp.MSVCRT ref: 00408153

_snwprintf.MSVCRT ref: 00408D49

Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
Part of subcall function 00407EDE: memcpy.MSVCRT ref: 00407F5D

Strings

, xrefs: 00408CCA
Name, xrefs: 00408CFB
Containers, xrefs: 00408C87
Container_%I64d, xrefs: 00408D38
ContainerId, xrefs: 00408CEE

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 2804212203-2982631422
Opcode ID: 7bd5ab009cbfd9fcdb96c191ae6412ae2e80316867491f73be5c6299af195905
Instruction ID: ce292a4a65043f2a6a20625204029b960355a9169e5f8c073e361fa6e4a76ec5
Opcode Fuzzy Hash: 7bd5ab009cbfd9fcdb96c191ae6412ae2e80316867491f73be5c6299af195905
Instruction Fuzzy Hash: 1E313E72D00219AADF50EFA5DD85ADEB7B8AF04354F50017FA508B21C1DE78AE458F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A818, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32 ref: 0040A83F

Part of subcall function 0040A668: GetMenuItemCount.USER32 ref: 0040A67E
Part of subcall function 0040A668: memset.MSVCRT ref: 0040A69D
Part of subcall function 0040A668: GetMenuItemInfoW.USER32 ref: 0040A6D9
Part of subcall function 0040A668: wcschr.MSVCRT ref: 0040A6F1

DestroyMenu.USER32(00000000), ref: 0040A85D
CreateDialogParamW.USER32 ref: 0040A8AB
memset.MSVCRT ref: 0040A8C7
GetWindowTextW.USER32 ref: 0040A8DC
EnumChildWindows.USER32 ref: 0040A907
DestroyWindow.USER32(00000000), ref: 0040A90E

Part of subcall function 0040A497: _snwprintf.MSVCRT ref: 0040A4BC

Strings

caption, xrefs: 0040A8F3

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
String ID: caption
API String ID: 1928666178-4135340389
Opcode ID: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
Instruction ID: 1ee1ed61ad6e464c94b1b5c04ceaba47984998c4c5bccbb9cf540d7a9e91c68f
Opcode Fuzzy Hash: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
Instruction Fuzzy Hash: 4C21B472100314BBDB11AF50DC49BAF3B78FF45751F148436F905A5191D7788AA0CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00407CFE, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407D1F
_snwprintf.MSVCRT ref: 00407D52
wcslen.MSVCRT ref: 00407D5E
memcpy.MSVCRT ref: 00407D76
wcslen.MSVCRT ref: 00407D84
memcpy.MSVCRT ref: 00407D97

Strings

G@, xrefs: 00407D24, 00407D7B, 00407D9C
%s (%s), xrefs: 00407D47

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)$G@
API String ID: 3979103747-4021399728
Opcode ID: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
Instruction ID: 7020ae682d4dad294ec7254b180182bae2c538f47323e789ebcab58d633c0506
Opcode Fuzzy Hash: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
Instruction Fuzzy Hash: 58215E72900219BBDF21DF95CD4599BB7B8BF04358F40846AF948AB201EB74EA188BD4

Uniqueness

Uniqueness Score: -1.00%

Function 004070BF, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 004070E4
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE), ref: 00407102
wcslen.MSVCRT ref: 0040710F
wcscpy.MSVCRT ref: 0040711F
LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 00407129
wcscpy.MSVCRT ref: 00407139

Strings

Unknown Error, xrefs: 00407131
netmsg.dll, xrefs: 004070DF

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: Unknown Error$netmsg.dll
API String ID: 2767993716-572158859
Opcode ID: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
Instruction ID: 89f566b746906e4e3228774242dd749435861e54522ca67c51f24cfbd45377e0
Opcode Fuzzy Hash: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
Instruction Fuzzy Hash: 2301F231A08114BBEB145B61EC46E9FBB68EB05BA1F20007AF606F41D0DEB96F00969C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A97E, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00407548: GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C

wcscpy.MSVCRT ref: 0040A998
wcscpy.MSVCRT ref: 0040A9A8
GetPrivateProfileIntW.KERNEL32 ref: 0040A9B9

Part of subcall function 0040A51E: GetPrivateProfileStringW.KERNEL32 ref: 0040A53A

Strings

general, xrefs: 0040A99D
charset, xrefs: 0040A9C7
TranslatorURL, xrefs: 0040A9F1
TranslatorName, xrefs: 0040A9DD
rtl, xrefs: 0040A9B3

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
Instruction ID: f715108fd1d236bc9ad6a323193eaeb919362f53399fbb1b2bc2ef5a739791b1
Opcode Fuzzy Hash: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
Instruction Fuzzy Hash: 33F0CD22EC035536E61176221D07F3E25088BA1B66F95447FBD08BA2D3DE7C4A14869E

Uniqueness

Uniqueness Score: -1.00%

Function 0042CD7E, Relevance: 13.7, APIs: 2, Strings: 7, Instructions: 245COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042CE42
memset.MSVCRT ref: 0042CE7D

Strings

database is already attached, xrefs: 0042CEA8
cannot ATTACH database within transaction, xrefs: 0042CDED
out of memory, xrefs: 0042CFEC
too many attached databases - max %d, xrefs: 0042CDD7
attached databases must use the same text encoding as main database, xrefs: 0042CEF6
unable to open database: %s, xrefs: 0042CFD5
database %s is already in use, xrefs: 0042CE4F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
Instruction ID: 266062839a895961ad217d8ef2c4278de09ba8d71166d49c3bc68db0563119ae
Opcode Fuzzy Hash: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
Instruction Fuzzy Hash: BE91C171B00315AFDB20DF69D981B9EBBF1AF04308F64845FE8159B282D778EA41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFDA, Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040AE06

??2@YAPAXI@Z.MSVCRT ref: 0040B01A
??2@YAPAXI@Z.MSVCRT ref: 0040B036
memcpy.MSVCRT ref: 0040B05B
memcpy.MSVCRT ref: 0040B06F
??2@YAPAXI@Z.MSVCRT ref: 0040B0F2
??2@YAPAXI@Z.MSVCRT ref: 0040B0FC
??2@YAPAXI@Z.MSVCRT ref: 0040B134

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Strings

(, xrefs: 0040B0BC
d, xrefs: 0040B113

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: ($d
API String ID: 1140211610-1915259565
Opcode ID: 5dcfa6d27d7cd3b1b3e4f808df3914de81461d1c90a1f760cbfea76231314b4a
Instruction ID: 8a5fa3be38e8e11f26e8e9502e5dff09d3bfeaf4ce2a81799fe883ad29a31388
Opcode Fuzzy Hash: 5dcfa6d27d7cd3b1b3e4f808df3914de81461d1c90a1f760cbfea76231314b4a
Instruction Fuzzy Hash: 50517872601700AFE728DF2AC586A5AB7E4FF48358F10852EE55ACB791DB74E940CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004150B6, Relevance: 13.6, APIs: 9, Instructions: 126filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 0041510E
Sleep.KERNEL32(00000001), ref: 00415118
GetLastError.KERNEL32 ref: 0041512A
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 00415202

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
Instruction ID: 880e68434f8ef122057b7821066ce039c6a6aeb50982fb6198a036ab3cbbf4dd
Opcode Fuzzy Hash: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
Instruction Fuzzy Hash: 7641F379504B42EFE3228F219C05BEBB7E0EFC0B15F20492FF59556240CBB9D9858E1A

Uniqueness

Uniqueness Score: -1.00%

Function 00415D4D, Relevance: 13.6, APIs: 9, Instructions: 67sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415D77
GetFileAttributesW.KERNEL32(00000000), ref: 00415D7E
GetLastError.KERNEL32 ref: 00415D8B
Sleep.KERNEL32(00000064), ref: 00415DA0
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415DA9
GetFileAttributesA.KERNEL32(00000000), ref: 00415DB0
GetLastError.KERNEL32 ref: 00415DBD
Sleep.KERNEL32(00000064), ref: 00415DD2
free.MSVCRT(00000000), ref: 00415DDB

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$AttributesDeleteErrorLastSleep$free
String ID:
API String ID: 2802642348-0
Opcode ID: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
Instruction ID: 389b81331b8195f66de6fade72418799adbb9e1ccdce19076b3e4dce97b88e29
Opcode Fuzzy Hash: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
Instruction Fuzzy Hash: 13118A39500E10DBC6203B747C8D6FF36249BD7B37B21832BF963952D1DA5948C2566A

Uniqueness

Uniqueness Score: -1.00%

Function 004124C0, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004124F7
memcpy.MSVCRT ref: 00412523
memcpy.MSVCRT ref: 0041253D

Strings

<br>, xrefs: 00412537
<, xrefs: 004124D4
", xrefs: 004124F1
°, xrefs: 0041250E
>, xrefs: 004124E2
&, xrefs: 0041251D

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
Instruction ID: 1d27d4cf7977f40543be0eb13b72094ec5c0409efe485552fd301264f6eb4def
Opcode Fuzzy Hash: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
Instruction Fuzzy Hash: 570145B6E54260F2FA3024058EE6FF30145CB62754FA40027F88AA02C0A1CD0EE3A29F

Uniqueness

Uniqueness Score: -1.00%

Function 00409657, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3

Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

Part of subcall function 00408001: free.MSVCRT(?,00000000,?,004082EE,00000000,?,00000000), ref: 00408010

memset.MSVCRT ref: 004096C7
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
_wcsupr.MSVCRT ref: 0040970F

Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
Part of subcall function 00407EDE: memcpy.MSVCRT ref: 00407F5D

memset.MSVCRT ref: 0040975E
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 00409796

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00409674

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 4131475296-680441574
Opcode ID: 4edf4f35556499e99a9905e10d8b542405bf2b72c6e8e1cec08b7677914b6bc8
Instruction ID: ced938f56f23152dc4036b8c9c372f29a7907612beabbfd18841790b2154e098
Opcode Fuzzy Hash: 4edf4f35556499e99a9905e10d8b542405bf2b72c6e8e1cec08b7677914b6bc8
Instruction Fuzzy Hash: F84118B6D4011DABCB10EF99DD85AEFB7BCAF18304F1040AAB504F2191D7749B458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409FF5, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
wcscpy.MSVCRT ref: 0040A076

Part of subcall function 0040A4E7: memset.MSVCRT ref: 0040A4FA
Part of subcall function 0040A4E7: _itow.MSVCRT ref: 0040A508

wcslen.MSVCRT ref: 0040A094
GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
memcpy.MSVCRT ref: 0040A10D

Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409F8D
Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FAB
Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FC9
Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FE7

Strings

strings, xrefs: 0040A06C

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
Instruction ID: f88dad89c8a087f2027bd78e20ebd55682c2f8a720c3c381d0e8595ecd4ac891
Opcode Fuzzy Hash: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
Instruction Fuzzy Hash: 84419A792003059BD7149F18EC91F323365F76430AB99053AE802A73B2DB79EC22CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A759, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A77E
GetDlgCtrlID.USER32(?), ref: 0040A789
GetWindowTextW.USER32 ref: 0040A7A0
memset.MSVCRT ref: 0040A7C7
GetClassNameW.USER32 ref: 0040A7DE
_wcsicmp.MSVCRT ref: 0040A7F0

Part of subcall function 0040A62F: memset.MSVCRT ref: 0040A642
Part of subcall function 0040A62F: _itow.MSVCRT ref: 0040A650

Strings

sysdatetimepick32, xrefs: 0040A7EA

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
Instruction ID: 9d6a1000cc6d846fb7caa7b95204278ebeb8f13d5a9664e287c5e204bace7976
Opcode Fuzzy Hash: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
Instruction Fuzzy Hash: E21177325002197AEB24EB91DD4AE9F77BCEF04750F4040B6F508E1192E7745A51CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00419008, Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00419140
memcpy.MSVCRT ref: 00419152
memcpy.MSVCRT ref: 0041916A
memcpy.MSVCRT ref: 00419187
memcpy.MSVCRT ref: 0041919F
memset.MSVCRT ref: 0041926C

Strings

-wal, xrefs: 00419199
-journal, xrefs: 00419164

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: 3fb32538101a96232d471ca328e00ad1292916094483904f8e7d4fc59e84f921
Instruction ID: 551b55634523189e5c53bd135c739114fe40c1c2f7e89174430398bb56853e76
Opcode Fuzzy Hash: 3fb32538101a96232d471ca328e00ad1292916094483904f8e7d4fc59e84f921
Instruction Fuzzy Hash: 54A1DEB1A00606BFDB14CFA4C8517DEBBB0BF04314F14856EE468D7381D778AA95CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404D3C, Relevance: 12.2, APIs: 8, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00404DE0
GetDlgItem.USER32 ref: 00404DF3
GetDlgItem.USER32 ref: 00404E08
GetDlgItem.USER32 ref: 00404E20
EndDialog.USER32(?,00000002), ref: 00404E3C
EndDialog.USER32(?,00000001), ref: 00404E51

Part of subcall function 00404AFB: GetDlgItem.USER32 ref: 00404B08
Part of subcall function 00404AFB: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404B1D

SendDlgItemMessageW.USER32 ref: 00404E69
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00404F7A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
Instruction ID: 9cc36a3a9081561078e880a2f522ad53539937229c5c78969c314d16862aa257
Opcode Fuzzy Hash: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
Instruction Fuzzy Hash: DE61D570100705ABDB31AF25C885A2A73B9FF90724F04C63EF615A66E1D778ED50CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00441DE1, Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00441E61
_wcsicmp.MSVCRT ref: 00441E76
_wcsicmp.MSVCRT ref: 00441E8B

Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC

Strings

signIn, xrefs: 00441E85
log profile, xrefs: 00441DEF
https://, xrefs: 00441E23
http://, xrefs: 00441E18
.save, xrefs: 00441E5B

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _wcsicmp$wcslen$_memicmp
String ID: .save$http://$https://$log profile$signIn
API String ID: 1214746602-2708368587
Opcode ID: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
Instruction ID: 7a979a8a07820355720b76b8412d60638824142cd7e99aea4044fab4cdb489ca
Opcode Fuzzy Hash: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
Instruction Fuzzy Hash: A34146755487014AF7309A65898177773E8CB04329F308A2FF86BE26E2EB7CB4C6551E

Uniqueness

Uniqueness Score: -1.00%

Function 00404F8A, Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00404F9A
??3@YAXPAX@Z.MSVCRT ref: 00404FB6
??2@YAPAXI@Z.MSVCRT ref: 00404FDC
memset.MSVCRT ref: 00404FEC
??2@YAPAXI@Z.MSVCRT ref: 0040501B
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405068
SetFocus.USER32(?,?,?,?), ref: 00405071
??3@YAXPAX@Z.MSVCRT ref: 00405081

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 07ae1ada1d4f6eb4fb6f42e99af867561cb551597841fb4f97c145b1ea01b73e
Instruction ID: ba4bb41810d6ea78f7103a52efe52e464eccc4a9d5620aafabcd38e7c3fa5a1e
Opcode Fuzzy Hash: 07ae1ada1d4f6eb4fb6f42e99af867561cb551597841fb4f97c145b1ea01b73e
Instruction Fuzzy Hash: 2331D3B1501601BFDB24AF69D94692AF7B8FF04304B10813EF145EB291D778EC90CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0C3, Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0040D0E2
GetWindowRect.USER32 ref: 0040D0F8
GetWindowRect.USER32 ref: 0040D10B
BeginDeferWindowPos.USER32 ref: 0040D128
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040D145
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040D165
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040D18C
EndDeferWindowPos.USER32(?), ref: 0040D195

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
Instruction ID: 1b30ad45943261d114c7945feb8e2d934b1f0a15928f611d2c59e033839f0f44
Opcode Fuzzy Hash: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
Instruction Fuzzy Hash: 5F21D875900209FFDB11DFA8CD89FEEBBB9FB48701F104164F655A2160C771AA519B24

Uniqueness

Uniqueness Score: -1.00%

Function 004072FB, Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32(?,?,0040D79F,-00000210), ref: 00407303
wcslen.MSVCRT ref: 00407310
GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040D79F,-00000210), ref: 00407320
GlobalLock.KERNEL32 ref: 0040732D
memcpy.MSVCRT ref: 00407336
GlobalUnlock.KERNEL32(00000000), ref: 0040733F
SetClipboardData.USER32 ref: 00407348
CloseClipboard.USER32 ref: 00407358

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
Instruction ID: e9f640a6ba64593c4f3b5e3a0a2b414f675f529f5a9edaa6aa7e0ad5043136ba
Opcode Fuzzy Hash: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
Instruction Fuzzy Hash: 14F0B43B5002187BD2102FE5AC4DE1B772CEB86F97B050179FA09D2251DE749E0486B9

Uniqueness

Uniqueness Score: -1.00%

Function 00404BC7, Relevance: 10.6, APIs: 7, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00404BDE
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404BF7
SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404C04
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404C10
memset.MSVCRT ref: 00404C74
SendMessageW.USER32(?,0000105F,?,?), ref: 00404CA9
SetFocus.USER32(?), ref: 00404D2F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: b5c774997c69c828c2af66cc8dd4e73b805abc013e05c1adb9cb4e53f9af2a7c
Instruction ID: e15596ac8dd535375262745d85448c61c7cc278dece76afc2af43b7580886122
Opcode Fuzzy Hash: b5c774997c69c828c2af66cc8dd4e73b805abc013e05c1adb9cb4e53f9af2a7c
Instruction Fuzzy Hash: 8B417C70901219BBDB20DF95CD85DAFBFB8FF08755F10406AF509A6291D3749E40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD8C, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

wcscat.MSVCRT ref: 0040BE5B
_snwprintf.MSVCRT ref: 0040BE82

Strings

<td bgcolor=#%s>%s, xrefs: 0040BDAA
<tr>, xrefs: 0040BDB4
 , xrefs: 0040BE55
<td bgcolor=#%s nowrap>%s, xrefs: 0040BD9C

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileWrite_snwprintfwcscatwcslen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 2451617256-4153097237
Opcode ID: 69f2f7e6d8aec51d3960e337bc25a82fe45133c58c4b8b76eb8eb5bfe9207b33
Instruction ID: be6843ca6d8e3427859c99e4dc5891dee3dff4c22b8a3cb8274265ecf8740657
Opcode Fuzzy Hash: 69f2f7e6d8aec51d3960e337bc25a82fe45133c58c4b8b76eb8eb5bfe9207b33
Instruction Fuzzy Hash: BC31A031900208EFDF04AF55CC86EEE7B75FF44320F10416AE905AB1E2DB75AA51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A668, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040A67E
memset.MSVCRT ref: 0040A69D
GetMenuItemInfoW.USER32 ref: 0040A6D9
wcschr.MSVCRT ref: 0040A6F1

Strings

6, xrefs: 0040A6C0
0, xrefs: 0040A6B8

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
Instruction ID: 6379b183058c7bfcb2c9996af6a46f5bf8fbaffb9494aead0661b6c96fd4ce8b
Opcode Fuzzy Hash: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
Instruction Fuzzy Hash: FF219A72505340ABD721DF55C84599BB7F8FB84745F044A3FFA84A2280E7B6CA10CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00407A1C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407A3C
_snwprintf.MSVCRT ref: 00407A63
wcscat.MSVCRT ref: 00407A75
wcscat.MSVCRT ref: 00407A92
wcscat.MSVCRT ref: 00407AA1

Strings

%2.2X, xrefs: 00407A52

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 23fbd524af4de12edaef0e362b86099d5f7adf1057b4181ed4aaf7bf29872c53
Instruction ID: ec6d441468c88601e944e5005585d56a697b1d5e2a610cd326798869af21cd90
Opcode Fuzzy Hash: 23fbd524af4de12edaef0e362b86099d5f7adf1057b4181ed4aaf7bf29872c53
Instruction Fuzzy Hash: 0F012D72E4431575F720AB519C46BBF73A89F40B19F10407FFC14A50C2EABCEA444A99

Uniqueness

Uniqueness Score: -1.00%

Function 00441B86, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00441B9B
wcscat.MSVCRT ref: 00441BAA
wcscat.MSVCRT ref: 00441BBB
wcscat.MSVCRT ref: 00441BCA
VerQueryValueW.VERSION(?,?,00000000,?), ref: 00441BE4

Part of subcall function 00407447: wcslen.MSVCRT ref: 0040744E
Part of subcall function 00407447: memcpy.MSVCRT ref: 00407464

Part of subcall function 00407511: lstrcpyW.KERNEL32 ref: 00407526
Part of subcall function 00407511: lstrlenW.KERNEL32(?), ref: 0040752D

Strings

\StringFileInfo\, xrefs: 00441B95

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: cb6593bce41ce7101ed3919308bda3c7e7c8e8e4aeb4a4d700e0b9c8d6b6edb1
Instruction ID: a565dbaf5ef1236623e3a457584e7ee1bc303587053621a732091bcd91b9d386
Opcode Fuzzy Hash: cb6593bce41ce7101ed3919308bda3c7e7c8e8e4aeb4a4d700e0b9c8d6b6edb1
Instruction Fuzzy Hash: 27017C7290020CB6EF51EAA1CD45EDF77BCAF04308F4005A7B514E2052EB78DB86AB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A497, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040A4BC
wcscpy.MSVCRT ref: 0040A4DF

Strings

general, xrefs: 0040A4D5
menu_%d, xrefs: 0040A4A0
dialog_%d, xrefs: 0040A4B0
strings, xrefs: 0040A4CA

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
Instruction ID: 8e174b2d8d79018ad6e296a97c01706163ed31911536b8ede193c50f01e1bc5f
Opcode Fuzzy Hash: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
Instruction Fuzzy Hash: CBE0B679A8830079F96025861E4BB2E61508774F59FB0886FF50AB05D1E9FE95A8710F

Uniqueness

Uniqueness Score: -1.00%

Function 00412BDF, Relevance: 10.5, APIs: 2, Strings: 5, Instructions: 21COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00412C04
memcpy.MSVCRT ref: 00412C14

Strings

!-A, xrefs: 00412C0F
,A, xrefs: 00412BDF, 00412C1F
Y,A, xrefs: 00412BF7, 00412BFE
a,A, xrefs: 00412BFF, 00412C25
a,A, xrefs: 00412BF0

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy
String ID: !-A$Y,A$a,A$a,A$,A
API String ID: 3510742995-194831239
Opcode ID: 222890697f8a5ff6857447b5b90ef297a0c92120cc092e5eca8f4e6b223797c7
Instruction ID: c1edbe63f0487e6d5a9ef4690cfcbd933ff0b0d7cc0200e8d9d6566c39fc0ab4
Opcode Fuzzy Hash: 222890697f8a5ff6857447b5b90ef297a0c92120cc092e5eca8f4e6b223797c7
Instruction Fuzzy Hash: C8E04F35980610EAF330DB459C07B863394A796756F50C43BF508A6193C6FC599C8B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00428591, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00428610

Strings

aggregate functions are not allowed in the GROUP BY clause, xrefs: 00428853
ORDER, xrefs: 0042879B
a GROUP BY clause is required before HAVING, xrefs: 0042883F
GROUP, xrefs: 004287CD
8, xrefs: 00428728

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
Instruction ID: a56ed1d78848c17894bc611d03527086a745bd119e00672256ad5f5daa2e3940
Opcode Fuzzy Hash: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
Instruction Fuzzy Hash: 93818E706093619FDB10DF15E88161FB7E0BF98354F94885FE8849B252EB78EC44CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00410EDB, Relevance: 9.1, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040F96C,00000000,00000000), ref: 00410F16
memset.MSVCRT ref: 00410F78
memset.MSVCRT ref: 00410F88

Part of subcall function 00410DF5: wcscpy.MSVCRT ref: 00410E1E

memset.MSVCRT ref: 00411073
wcscpy.MSVCRT ref: 00411094
CloseHandle.KERNEL32(?,0040F96C,?,?,?,0040F96C,00000000,00000000), ref: 004110EA

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: b54469c95767e19cd25d0ac2b448a79aecc0fd22ddb34440915382161dbe33e5
Instruction ID: ff77c4a4bb0d76b6113ba9f034b07e179d87586f5f3f4fadb46fa2bb0041fc85
Opcode Fuzzy Hash: b54469c95767e19cd25d0ac2b448a79aecc0fd22ddb34440915382161dbe33e5
Instruction Fuzzy Hash: CB5170B0508381AFD720DF55DC85A9BBBE8FBC8305F00492EF68882261DB74D985CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040D53E, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D560

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D76
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D97

Part of subcall function 00407B1D: GetSaveFileNameW.COMDLG32(?), ref: 00407B6C
Part of subcall function 00407B1D: wcscpy.MSVCRT ref: 00407B83

Strings

*.csv, xrefs: 0040D5B1
*.xml, xrefs: 0040D5ED
*.htm;*.html, xrefs: 0040D5C6
txt, xrefs: 0040D565
*.txt, xrefs: 0040D582

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 1392923015-3614832568
Opcode ID: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
Instruction ID: 456ec3227f593179f02471f626d387f8bd8a0122acdd439c58b7a13f613657e4
Opcode Fuzzy Hash: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
Instruction Fuzzy Hash: 6131FAB1D002599BDB50EFA9D8C1AEDBBB4FF09314F10417AF508B7282DF385A458B99

Uniqueness

Uniqueness Score: -1.00%

Function 00415DF9, Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00415E2B
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00415E39
free.MSVCRT(00000000), ref: 00415E7F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AttributesFilefreememset
String ID:
API String ID: 2507021081-0
Opcode ID: e3e327bc7edfa6d214c9f68350b0f1db51016015cf148b15bb91f804a777c83b
Instruction ID: de39e7dabe3dcffc9507685f2d24beb71d21f2267e90135c35d9c9407e9ebe28
Opcode Fuzzy Hash: e3e327bc7edfa6d214c9f68350b0f1db51016015cf148b15bb91f804a777c83b
Instruction Fuzzy Hash: B111A236D04B05EBDB106FB498C06FF7368AA85754B54013BF911E6280D7789F8195AA

Uniqueness

Uniqueness Score: -1.00%

Function 00414D24, Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00414D2B
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D49
malloc.MSVCRT ref: 00414D53
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D6A
free.MSVCRT(?), ref: 00414D73
free.MSVCRT(?,?), ref: 00414D91

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWidefree$ApisFilemalloc
String ID:
API String ID: 4131324427-0
Opcode ID: 5d2fa95a5ae56aca068832dc9df58c4b26db0adcf1ab4a8fdf40dc6136318e35
Instruction ID: 75ff5f127907765bac19b59c8f0cf631f86937604d45831965c424c16304f1b7
Opcode Fuzzy Hash: 5d2fa95a5ae56aca068832dc9df58c4b26db0adcf1ab4a8fdf40dc6136318e35
Instruction Fuzzy Hash: 3501D4725041257BAF225BB6AC41DFF369CDF857B4721022AFC04E3280EA288E4141EC

Uniqueness

Uniqueness Score: -1.00%

Function 004159C6, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?,?,00415592), ref: 00415A0A
GetTempPathA.KERNEL32(000000E6,?,?,00415592), ref: 00415A32
free.MSVCRT(00000000,0044A338,00000000), ref: 00415A5A

Strings

%s\etilqs_, xrefs: 00415AB1
etilqs_, xrefs: 00415A62

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: PathTemp$free
String ID: %s\etilqs_$etilqs_
API String ID: 924794160-1420421710
Opcode ID: c9ef72f7e900502d242bf52f2b84dfc3543ee2498ca2d646e121c62c04ad21fe
Instruction ID: 407cf19e3f66aff666bf3235626637e86bc259e86a40955958787b48e693a0c3
Opcode Fuzzy Hash: c9ef72f7e900502d242bf52f2b84dfc3543ee2498ca2d646e121c62c04ad21fe
Instruction Fuzzy Hash: 80316831A44645DAE720EB61DCC1BFB739C9FA4348F1405BFE841D6182FE6C8EC54A19

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0F2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

memset.MSVCRT ref: 0040C129

Part of subcall function 004124C0: memcpy.MSVCRT ref: 0041253D

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C173

Strings

<%s>%s</%s>, xrefs: 0040C166
</item>, xrefs: 0040C18D
<item>, xrefs: 0040C0FC

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileWrite_snwprintf_wcslwrmemcpymemsetwcscpywcslen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 2236007434-2769808009
Opcode ID: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
Instruction ID: bd8afa7c54c2b984639c4d8fb182e53c6b214fce1ab7be0445daf1b4a409d2ac
Opcode Fuzzy Hash: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
Instruction Fuzzy Hash: 82119132904615BFEB11AF65DC82E99BB74FF04318F10402AF9046A5E2DB75B960CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D83C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D86C

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

wcsrchr.MSVCRT ref: 0040D886
wcscat.MSVCRT ref: 0040D8A2

Strings

.cfg, xrefs: 0040D89C
General, xrefs: 0040D8AC

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg$General
API String ID: 776488737-1188829934
Opcode ID: e11df5378bc83a8aaf871442e4d8661d85e0e936ac587c009724adb380b412fa
Instruction ID: b769b6074c2bbd437ee926744873151467191c08e4afcaaf49059e595a4f98b4
Opcode Fuzzy Hash: e11df5378bc83a8aaf871442e4d8661d85e0e936ac587c009724adb380b412fa
Instruction Fuzzy Hash: 34119877901318AADB10EF55DC45ECE7378AF48314F1041F6F518A7182DB78AA848F9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E030, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040E051
RegisterClassW.USER32 ref: 0040E076
GetModuleHandleW.KERNEL32(00000000), ref: 0040E07D
CreateWindowExW.USER32 ref: 0040E09C

Strings

WebBrowserPassView, xrefs: 0040E094, 0040E099, 0040E09A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID: WebBrowserPassView
API String ID: 2678498856-2171583229
Opcode ID: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
Instruction ID: d6937ed4ed068f8a41babfbfc400960a7e9d41ce1fcf29d78c1aeb4d070e2d0f
Opcode Fuzzy Hash: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
Instruction Fuzzy Hash: 5301C4B1901629ABDB019F998D89ADFBFBCFF09B50F10421AF514A2240D7B45A408BE9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2C7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C2EB
memset.MSVCRT ref: 0040C302

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C33E

Strings

<%s>, xrefs: 0040C32D
<?xml version="1.0" ?>, xrefs: 0040C307

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
String ID: <%s>$<?xml version="1.0" ?>
API String ID: 168708657-3296998653
Opcode ID: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
Instruction ID: 826567bfe222e6a97a7157a9ef984588091dd6de8d25c20f5ec279ce0d2f683a
Opcode Fuzzy Hash: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
Instruction Fuzzy Hash: 780167F2D401297AEB20A755CC46FEE767CEF44308F0000B6BB09B61D1DB78AA458A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403853, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
FreeLibrary.KERNEL32(00000000), ref: 00403897

Strings

crypt32.dll, xrefs: 0040385D
CryptUnprotectData, xrefs: 0040386E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 145871493-1827663648
Opcode ID: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
Instruction ID: e5a88ed766aaa6e52f35248584035ac6595561cae6bd6684aeb1aa38a92ec81b
Opcode Fuzzy Hash: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
Instruction Fuzzy Hash: 0A011A32500611ABC6219F158C4881BFEEAEBA1B42724887FF1C5E2660C3748A80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00411DB2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00411DC1
wcscpy.MSVCRT ref: 00411DDC
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040D8DB,00000000,?,0040D8DB,?,General,?), ref: 00411E03
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 00411E0A

Strings

General, xrefs: 00411DD6

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcscpy$CloseCreateFileHandle
String ID: General
API String ID: 999786162-26480598
Opcode ID: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
Instruction ID: 9a0facac0be4658f1d28dd1d6e0b9c096870c14066d41f215ae7e32982aabb00
Opcode Fuzzy Hash: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
Instruction Fuzzy Hash: 9AF024B2508301BFF3109B90AC85EAF769CDB10799F20842FF20591061DA396D50825D

Uniqueness

Uniqueness Score: -1.00%

Function 004071BD, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
_snwprintf.MSVCRT ref: 004071FE
MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217

Strings

Error, xrefs: 00407208
Error %d: %s, xrefs: 004071ED

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
Instruction ID: 3b05860ebe56c522f2c5ab20428fa68284bb982c16b5ab54bfd07cc8ba07ffa8
Opcode Fuzzy Hash: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
Instruction Fuzzy Hash: 74F0E23680021867DB11AB94CC02FDA72ACBB54B82F0400AAB905F2180EAF4EB404A69

Uniqueness

Uniqueness Score: -1.00%

Function 00412455, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shlwapi.dll,774148C0,?,004048E6,00000000), ref: 0041245E
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484

Strings

shlwapi.dll, xrefs: 00412457
SHAutoComplete, xrefs: 00412466

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
Instruction ID: b7e45597e31c4a606350929a185ef34a25fe7475720eeaf8429eabe2a59cceae
Opcode Fuzzy Hash: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
Instruction Fuzzy Hash: 6BD05B393502206BA7116F35BC48EAF2E65EFC6F537150031F501D1260CB544E429669

Uniqueness

Uniqueness Score: -1.00%

Function 0043310B, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

Strings

oid, xrefs: 004331D5
foreign key constraint failed, xrefs: 004333AB
old, xrefs: 0043318F
new, xrefs: 00433199

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
Instruction ID: 956c7fa9d19c0f39a897be9568c0d7cc0038550a6314a583777b8070e5951de7
Opcode Fuzzy Hash: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
Instruction Fuzzy Hash: 90E18F71E00208EFDF14DFA5D881AAEBBB5FF48304F14846EE805AB251DB79AE41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0042EDD2, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042EED2
memcpy.MSVCRT ref: 0042EFE9

Strings

unknown column "%s" in foreign key definition, xrefs: 0042EFB9
foreign key on %s should reference only one column of table %T, xrefs: 0042EE2E
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 0042EE56

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: 26b123652edab92ce6a15b49f3ba4f50a5fd80d5e605533ee84f76b45fb6fb0c
Instruction ID: 495bb5eb18a6352e4e4c54452741b55d9a16d19d8a312fbbfa639f366bc90293
Opcode Fuzzy Hash: 26b123652edab92ce6a15b49f3ba4f50a5fd80d5e605533ee84f76b45fb6fb0c
Instruction Fuzzy Hash: 72914C71A0021ADFCB10CF5AD580A9EBBF1FF58314B55856AE809AB302D735E945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004063C1, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004063E2
wcslen.MSVCRT ref: 004063ED
wcslen.MSVCRT ref: 004063FB
memset.MSVCRT ref: 00406451

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

nss3.dll, xrefs: 004063F3, 004063F8, 0040640C

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memsetwcslen$wcscatwcscpy
String ID: nss3.dll
API String ID: 1250441359-2492180550
Opcode ID: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
Instruction ID: 7e6fc29c8000acf8dfdc2cef167c58109b3e52db234c734628f4c22aee9d38d0
Opcode Fuzzy Hash: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
Instruction Fuzzy Hash: E711ECB2D0421DAADB10E750DD45BCA73EC9F10314F1004B7F60CE20C2F778AA548A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE21, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040AE06

??3@YAXPAX@Z.MSVCRT ref: 0040AE3C
??3@YAXPAX@Z.MSVCRT ref: 0040AE4F
??3@YAXPAX@Z.MSVCRT ref: 0040AE62
??3@YAXPAX@Z.MSVCRT ref: 0040AE75
free.MSVCRT(00000000), ref: 0040AEAE

Part of subcall function 00408037: free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 0b66915f84970c8dee2b815cea6b5dfc4349602c711738901fa1bf88fce7501e
Instruction ID: 5cedf5899733f7fd452d28a3e5974aab2a3b061775a7969347507653aae84efd
Opcode Fuzzy Hash: 0b66915f84970c8dee2b815cea6b5dfc4349602c711738901fa1bf88fce7501e
Instruction Fuzzy Hash: 13010832946A20ABC6367B2AD50251FB368BE91B90306457FF445BB3818F3C7C5186DF

Uniqueness

Uniqueness Score: -1.00%

Function 00414CBE, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00414CC6
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00414CE6
malloc.MSVCRT ref: 00414CEC
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00414D0A
free.MSVCRT(?), ref: 00414D13

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$ApisFilefreemalloc
String ID:
API String ID: 4053608372-0
Opcode ID: 7aaa167120dddf07ba2af9e079abf54c4ac6044bb501c5d34657e102407f57a5
Instruction ID: 44ea64674f021cea2031e16b60495934b5371f4db2927085d3abb6a650cf4446
Opcode Fuzzy Hash: 7aaa167120dddf07ba2af9e079abf54c4ac6044bb501c5d34657e102407f57a5
Instruction Fuzzy Hash: 6601F4B140011DBEAF115FA9DCC5CAF7EACDA457E8720036AF810E2190E6344E4056B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A302, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040A314
GetWindowRect.USER32 ref: 0040A321
GetClientRect.USER32 ref: 0040A32C
MapWindowPoints.USER32 ref: 0040A33C
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040A358

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
Instruction ID: 816d64d46c4b910dad83cc5cff1f19606824cbaca0e9d5d20ff5cebd8420fa85
Opcode Fuzzy Hash: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
Instruction Fuzzy Hash: 06014836800129BBDB11AFA59C49EFFBFBCFF46B15F044169F901A2190D77896028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004421EB, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,00410671,?,?), ref: 00442202
??2@YAPAXI@Z.MSVCRT ref: 00442216
memset.MSVCRT ref: 00442225

Part of subcall function 00407B93: ReadFile.KERNEL32(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

??3@YAXPAX@Z.MSVCRT ref: 00442248

Part of subcall function 00441FDC: memchr.MSVCRT ref: 00442017
Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420BB
Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420CD
Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420F5

CloseHandle.KERNEL32(00000000), ref: 0044224F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: 3fb3a795f412c9ef8ba02b3b663898961b1c6dbae64b6d36bd5d494f69bd21b5
Instruction ID: 5cd116c641245c85bcd5bad65d9d69835b0888748ca48550e443bbafd66aa86b
Opcode Fuzzy Hash: 3fb3a795f412c9ef8ba02b3b663898961b1c6dbae64b6d36bd5d494f69bd21b5
Instruction Fuzzy Hash: 3DF0FC325041007AE21077329D4AF6B7B9CDF85761F10053FF515911D2EA789904C179

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADBB, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
??3@YAXPAX@Z.MSVCRT ref: 0040AE06

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: bb5b54d35ac9345d4f67fd1f43b9bd0339cc6982e71662365849d1d3c181b2be
Instruction ID: 7485fa72425b52f9fdb5b203d173836123891f19866e380edd82503d68adac07
Opcode Fuzzy Hash: bb5b54d35ac9345d4f67fd1f43b9bd0339cc6982e71662365849d1d3c181b2be
Instruction Fuzzy Hash: D8F0FF72509701AFD720AF6999D991BB7F9BF943147A0493FF049D3A41CB78A8904A18

Uniqueness

Uniqueness Score: -1.00%

Function 0040C35B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C37F
memset.MSVCRT ref: 0040C396

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C3C5

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

</%s>, xrefs: 0040C3B4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
String ID: </%s>
API String ID: 168708657-259020660
Opcode ID: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
Instruction ID: 40532074a48dce177473b235f1db1661615fe75cb863f0afecc7fe9ed9b88556
Opcode Fuzzy Hash: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
Instruction Fuzzy Hash: 910136F3D4012976EB20A755DC45FEE76BCEF45308F4000B6BB09B7181DB78AA458AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A414, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A44E
SetWindowTextW.USER32(?,?), ref: 0040A47E
EnumChildWindows.USER32 ref: 0040A48E

Strings

caption, xrefs: 0040A463

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
Instruction ID: f5bb4e3483ddd063dbb45333af41605001ac6cd66b5ccbc099165aa82e617e5a
Opcode Fuzzy Hash: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
Instruction Fuzzy Hash: 44F0C83690031466FB20EB51DD4EB9A3768AB04755F5000B6FF04B61D2DBF89E50CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040103E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004075AD: memset.MSVCRT ref: 004075B7
Part of subcall function 004075AD: wcscpy.MSVCRT ref: 004075F7

CreateFontIndirectW.GDI32(?), ref: 0040105D
SendDlgItemMessageW.USER32 ref: 0040107C
SendDlgItemMessageW.USER32 ref: 0040109A

Strings

MS Sans Serif, xrefs: 00401049

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
Instruction ID: b86dbe1d582a7894089203107e7a1e4413fc3d6f7e8de8594febed0b37e93160
Opcode Fuzzy Hash: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
Instruction Fuzzy Hash: 56F05E75A4030877E621ABA0DC06F8A7BB9B740B01F000935B711B51E0D7E4A285C658

Uniqueness

Uniqueness Score: -1.00%

Function 004076CD, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004076EC
GetClassNameW.USER32 ref: 00407703
_wcsicmp.MSVCRT ref: 00407715

Strings

edit, xrefs: 0040770F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
Instruction ID: 51a03c7d5923a90201923a44b10f324a390683a0d3b2f84b2934c4bf373e0ab9
Opcode Fuzzy Hash: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
Instruction Fuzzy Hash: A9E04872D8031E7AFB14ABA0DC4BFA977BCBB04704F5001F5B615E10D2EBB4A6454A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004121C3, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6

Strings

SHGetSpecialFolderPathW, xrefs: 004121E0
shell32.dll, xrefs: 004121CC

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2574300362-880857682
Opcode ID: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
Instruction ID: 4b50289c71ca44835333f785f02b611be4b8370b72da6f54bb0e40a9521e89f3
Opcode Fuzzy Hash: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
Instruction Fuzzy Hash: 86D0C774600313BADB108F209D48B4239746712743F251036F430D1771DF7895C49A1C

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0C3, Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041B0D6
memcpy.MSVCRT ref: 0041B0EC
memcmp.MSVCRT ref: 0041B0FB
memcmp.MSVCRT ref: 0041B143
memcpy.MSVCRT ref: 0041B15E

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
Instruction ID: 295c5a0bc2866328f8dcc37ada2a4d99e769f04d629d2bea2717987aff5dfa66
Opcode Fuzzy Hash: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
Instruction Fuzzy Hash: 01217C72E10248BBDB18DAA5DC56E9F73ECEB44740F50042AB512D7281EB78E644C765

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5BA, Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E5D9
memset.MSVCRT ref: 0040E5EF
memset.MSVCRT ref: 0040E601
memcpy.MSVCRT ref: 0040E626
memset.MSVCRT ref: 0040E630

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
Instruction ID: 5db9a22820b402d4d4dd4a010236648e296a7231ae54e5ee969484aed16c8927
Opcode Fuzzy Hash: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
Instruction Fuzzy Hash: D301F0B174070077D335AA35CC03F1A73E49FA1714F400E1DF152666C2D7F8A105866D

Uniqueness

Uniqueness Score: -1.00%

Function 00415494, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004154B8
memset.MSVCRT ref: 004154E8

Part of subcall function 0041538D: memset.MSVCRT ref: 004153AA
Part of subcall function 0041538D: UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA

Part of subcall function 00414EFE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414F2A
Part of subcall function 00414EFE: SetEndOfFile.KERNEL32(?), ref: 00414F54
Part of subcall function 00414EFE: GetLastError.KERNEL32 ref: 00414F5E

Strings

,A, xrefs: 00415560
%s-shm, xrefs: 004154FC

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset$File$ErrorLastUnlockUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s-shm$,A
API String ID: 1271386063-2158068007
Opcode ID: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
Instruction ID: 8012e8fd2c705de7aa363bc2bd32bd15ad04531b7aa24a5a7ab2fd91cc4b7507
Opcode Fuzzy Hash: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
Instruction Fuzzy Hash: B1510671504B05FFD710AF21DC02BDB77A6AF80754F10481FF9299A282EBB9E5908B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00415804, Relevance: 6.1, APIs: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004158E7
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 00415912
GetLastError.KERNEL32 ref: 00415939
CloseHandle.KERNEL32(00000000), ref: 0041594F

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID:
API String ID: 1661045500-0
Opcode ID: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
Instruction ID: 02e61587b06ba7d058713df3830c0e33945dcb010177779d6ae1e8dc7ea6695b
Opcode Fuzzy Hash: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
Instruction Fuzzy Hash: B6518EB4214B02DFD724DF25C981AA7B7E9FB84315F10492FE88286651E734E854CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042C345, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004132EA: memset.MSVCRT ref: 00413304

memcpy.MSVCRT ref: 0042C42D

Strings

sqlite_altertab_%s, xrefs: 0042C3FE
virtual tables may not be altered, xrefs: 0042C384
Cannot add a column to a view, xrefs: 0042C39A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpymemset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1297977491-2063813899
Opcode ID: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
Instruction ID: 3e8a37011c5d834ac6e6d4f8fd11fd3d4e87e0ccd438cada7bf19ffd6667b676
Opcode Fuzzy Hash: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
Instruction Fuzzy Hash: 03419D71A00615AFDB10DF69D881A5EB7F0FF08314F24856BE8489B352D778EA51CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0042E398, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042E4D8

Strings

, xrefs: 0042E40E
CREATE TABLE , xrefs: 0042E44D
, , xrefs: 0042E415

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE
API String ID: 3510742995-3459038510
Opcode ID: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
Instruction ID: 75c0c8dac0447bb43292008ef446c40d7ab48a9469891862f1914eead86e2b05
Opcode Fuzzy Hash: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
Instruction Fuzzy Hash: C3518171E00219DFCF10DF9AD4856AEB7B5FF44309F64809BE841AB205D778AA45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040475A, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004047A1

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D76
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D97

Part of subcall function 00407AB6: GetOpenFileNameW.COMDLG32(?), ref: 00407AFF
Part of subcall function 00407AB6: wcscpy.MSVCRT ref: 00407B0D

Strings

*.*, xrefs: 004047E2
wand.dat, xrefs: 004047C7
dat, xrefs: 004047A6

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
String ID: *.*$dat$wand.dat
API String ID: 3589925243-1828844352
Opcode ID: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
Instruction ID: 6d0f55f818233349c8d1636aac4371a0276c995c789a620d4a51b657e5e4e923
Opcode Fuzzy Hash: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
Instruction Fuzzy Hash: 6F419971A04206AFDB14EF61D885AAE77B4FF40314F10C42BFA05A71C2EF79A9958BD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBC1, Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT ref: 0040B1D4
Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT ref: 0040B29B

wcslen.MSVCRT ref: 0040CBEF
_wtoi.MSVCRT ref: 0040CBFB
_wcsicmp.MSVCRT ref: 0040CC49
_wcsicmp.MSVCRT ref: 0040CC5A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
Instruction ID: 2e88af878a7a0ebae712eab1be6a0374a06ab0ac9bbd2c3eb3becf244d067ed8
Opcode Fuzzy Hash: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
Instruction Fuzzy Hash: C3416D31900204EBEF21DF59C5C4A9DBBB4EF45319F1546BAEC09EB3A6D638D940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E51C, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040E55F
memcpy.MSVCRT ref: 0040E589
memcpy.MSVCRT ref: 0040E5AD

Strings

@|=D, xrefs: 0040E5A6

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy
String ID: @|=D
API String ID: 3510742995-4242725666
Opcode ID: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
Instruction ID: e04d1c669876fac24280ac48723ffca9e388da4b41f072ca806e7767fffd92f4
Opcode Fuzzy Hash: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
Instruction Fuzzy Hash: 19113BF29003047BDB348E66DC84C5A77A8EB603987000E3EF90696291F675DF69C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 00412D4A, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412D6B

Strings

Y,A, xrefs: 00412E25
-+A, xrefs: 00412D4D
-+A, xrefs: 00412D55

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memset
String ID: -+A$-+A$Y,A
API String ID: 2221118986-4154596189
Opcode ID: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
Instruction ID: 1dfdef816599cc938eba6c7f1cf8632c899ce6bbbbec6bb0dc4dd89a5a59c02f
Opcode Fuzzy Hash: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
Instruction Fuzzy Hash: 482156799417008FD3268F0AFE0565AB7E5FBE2702724413FE201D62B2D7B4489A8F8C

Uniqueness

Uniqueness Score: -1.00%

Function 004084EE, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00408523
memset.MSVCRT ref: 00408534
memcpy.MSVCRT ref: 00408540
??3@YAXPAX@Z.MSVCRT ref: 0040854D

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 2bd6b428f8dbf6c8ba8eecf3f59a287ad605b09a5cb6ba98fc7a768114adc393
Instruction ID: d20edd04bd2483e58964879576c48f2ebc5a647496c0cba51e85d391a6ad2c86
Opcode Fuzzy Hash: 2bd6b428f8dbf6c8ba8eecf3f59a287ad605b09a5cb6ba98fc7a768114adc393
Instruction Fuzzy Hash: 0D118C71204601AFD328DF2DCA91A26F7E5FFD8340B60892EE4DAC7385EA75E801CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00411A90, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411ABC

Part of subcall function 00407BF7: _snwprintf.MSVCRT ref: 00407C3C
Part of subcall function 00407BF7: memcpy.MSVCRT ref: 00407C4C

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00411AE5
memset.MSVCRT ref: 00411AEF
GetPrivateProfileStringW.KERNEL32 ref: 00411B11

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: d6b06db8244673818a3f3970d82af9b7ba7535b9122898fd49e4c505e6d5cf51
Instruction ID: 7dd1a1e3bfb09d1cc1018fb107044e1a6d1141f919409e292c6c821828e7f11b
Opcode Fuzzy Hash: d6b06db8244673818a3f3970d82af9b7ba7535b9122898fd49e4c505e6d5cf51
Instruction Fuzzy Hash: 48118271500119BFEF11AF61DD02EDE7BB9EF04741F100066FF05B2060E675AA608BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004123CC, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004123DC
SHBrowseForFolderW.SHELL32(?), ref: 0041240E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00412422
wcscpy.MSVCRT ref: 00412435

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
Instruction ID: 5cda3e6a61a15ee9057d47663b3b2e0c0e874c437a77379260a47c7555d96391
Opcode Fuzzy Hash: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
Instruction Fuzzy Hash: C5110CB5A00208AFDB00DFA9D9889EEB7F8FF49714F10406AE905E7200D779EB45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042D603, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042D63E
memset.MSVCRT ref: 0042D648
memcpy.MSVCRT ref: 0042D673

Strings

sqlite_master, xrefs: 0042D616

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
Instruction ID: ee6e5cfbbe52718914f41d47f1c84030a85cc49ac4fd556a51d86816da10b362
Opcode Fuzzy Hash: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
Instruction Fuzzy Hash: 6901B972900218BAEB11EFB18D42FDDB77DFF04315F50405AF60462142D77A9B15C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CECE, Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D

_snwprintf.MSVCRT ref: 0040CEFB
SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040CF60

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

_snwprintf.MSVCRT ref: 0040CF26
wcscat.MSVCRT ref: 0040CF39

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: da7172e30ee21136588dfdb1db0da8cff5898300858bdeb9120db96eb62abdf4
Instruction ID: 10942a5e8a652da15fc5691646fc128facbf295aae85401a998ce48512d7e6da
Opcode Fuzzy Hash: da7172e30ee21136588dfdb1db0da8cff5898300858bdeb9120db96eb62abdf4
Instruction Fuzzy Hash: 8F0184B19403057AE720E775DC8AFBB73ACAF40709F04046AB719F21C3DA79A9454A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00414C63, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74B05970,?,00414D8E,?), ref: 00414C81
malloc.MSVCRT ref: 00414C88
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74B05970,?,00414D8E,?), ref: 00414CA7
free.MSVCRT(00000000,?,74B05970,?,00414D8E,?), ref: 00414CAE

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 1562b6304e5c60342503921195ce0066c0efbc861a8a386339b4f0c24ca6086c
Instruction ID: 08e12ed7d8240a3e2c5be9bdce3f46534c50a62d4f36ceba048af803e5c5c189
Opcode Fuzzy Hash: 1562b6304e5c60342503921195ce0066c0efbc861a8a386339b4f0c24ca6086c
Instruction Fuzzy Hash: CBF0E9B260A21D7E76006FB59CC0C3B7B9CD7863FDB21072FF510A2180F9659C0116B5

Uniqueness

Uniqueness Score: -1.00%

Function 0041538D, Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004153AA
UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA
LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004153D6
GetLastError.KERNEL32 ref: 004153E4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$ErrorLastLockUnlockmemset
String ID:
API String ID: 3727323765-0
Opcode ID: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
Instruction ID: b4c6314a975e1eba122d49f899d78a16df92238a1a9f5a4b2f2908291fae13bb
Opcode Fuzzy Hash: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
Instruction Fuzzy Hash: 7201D131100608FFDB219FA4EC848EBBBB8FB80785F20442AF912D6050D6B09A44CF25

Uniqueness

Uniqueness Score: -1.00%

Function 00401B06, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401B27

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

wcslen.MSVCRT ref: 00401B40
wcslen.MSVCRT ref: 00401B4E

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Apple Computer\Preferences\keychain.plist, xrefs: 00401B3A, 00401B3F, 00401B67

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
String ID: Apple Computer\Preferences\keychain.plist
API String ID: 3183857889-296063946
Opcode ID: 8006b7ae7f5b9b2d5e72903c8d65ba76eb4ffe7052016a765288ea2a00793178
Instruction ID: 16ca9930086f175389a7ca6d9dd60f6601f6a2e2e4035c9292d9b79f31a3f5d2
Opcode Fuzzy Hash: 8006b7ae7f5b9b2d5e72903c8d65ba76eb4ffe7052016a765288ea2a00793178
Instruction Fuzzy Hash: F8F0FE7290531476E720A7559C89FDA736C9F00318F6005B7F514E10C3F77CAA5446AD

Uniqueness

Uniqueness Score: -1.00%

Function 00403081, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004030A6
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 004030C3
strlen.MSVCRT ref: 004030D5
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004030E6

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
Instruction ID: e51875297eda531c80c3ec5ec415ee795d437164a5b9689062039e3667910632
Opcode Fuzzy Hash: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
Instruction Fuzzy Hash: 56F04FB680022CBEFB15AB949DC5DEB776CDB04254F0001A2B709E2041E5749F448B78

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA53, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BA78
WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00443980,00000000,00000000,00000000,?,00000000,00000000), ref: 0040BA91
strlen.MSVCRT ref: 0040BAA3
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040BAB4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
Instruction ID: f1b04ddda804f0d23e85d9b3a1a681265272c1a7bd8491b11875ee0cd1c6d5d4
Opcode Fuzzy Hash: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
Instruction Fuzzy Hash: 7CF06DB780022CBEFB059B94DDC9DEB77ACDB04258F0001A2B709E2042E6749F44CB78

Uniqueness

Uniqueness Score: -1.00%

Function 0041176D, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 004076CD: memset.MSVCRT ref: 004076EC
Part of subcall function 004076CD: GetClassNameW.USER32 ref: 00407703
Part of subcall function 004076CD: _wcsicmp.MSVCRT ref: 00407715

SetBkMode.GDI32(?,00000001), ref: 00411794
SetBkColor.GDI32(?,00FFFFFF), ref: 004117A2
SetTextColor.GDI32(?,00C00000), ref: 004117B0
GetStockObject.GDI32(00000000), ref: 004117B8

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
Instruction ID: 4524e9a356975b07e10c0673c8b36924071ef161512cc5bea393be377801c3c3
Opcode Fuzzy Hash: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
Instruction Fuzzy Hash: 9AF0A435100209BBDF112F64DC05BDD3F61AF05B25F104636FA25541F5CF769990D648

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA51, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040FA6B
memcpy.MSVCRT ref: 0040FA7D
GetModuleHandleW.KERNEL32(00000000), ref: 0040FA90
DialogBoxParamW.USER32 ref: 0040FAA4

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
Instruction ID: 350a086b8d7ad7ad16c9f4c49a9849c7d3de4f0e2d0f3119e9b48998a0ebe44a
Opcode Fuzzy Hash: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
Instruction Fuzzy Hash: 49F0A731680310BBEB70AFA4BD4AF163A919705F57F20043AF644A60E2C7B585558B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004048C7, Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 004048DE

Part of subcall function 00412455: LoadLibraryW.KERNEL32(shlwapi.dll,774148C0,?,004048E6,00000000), ref: 0041245E
Part of subcall function 00412455: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
Part of subcall function 00412455: FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484

GetDlgItem.USER32 ref: 004048F0
GetDlgItem.USER32 ref: 00404902
GetDlgItem.USER32 ref: 00404914

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Item$Library$AddressFreeLoadProc
String ID:
API String ID: 2406072140-0
Opcode ID: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
Instruction ID: 27d5e7a410d711f85fb169ee5f4284aad0304eb1bf7711d039073b83f91ac3c5
Opcode Fuzzy Hash: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
Instruction Fuzzy Hash: 33F01CB18043026BCB313F72DC09D6FBAADEF84310B010D2EA1D1D61A1CFBE94618A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA3A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0040DA6F
InvalidateRect.USER32(?,00000000,00000000), ref: 0040DABB

Strings

<M@, xrefs: 0040DC3B

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: InvalidateMessageRectSend
String ID: <M@
API String ID: 909852535-3778786622
Opcode ID: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
Instruction ID: 05eea1ce1b03382e5db893e26ff0cd35ef39184770bc15fe2d13ad66f6086966
Opcode Fuzzy Hash: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
Instruction Fuzzy Hash: 89518430E003049ADB20AFA5C845F9EB3A5AF44324F51853BF4197B1E2CAB99D89CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BABE, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040BB00
wcschr.MSVCRT ref: 0040BB0E

Part of subcall function 004080BF: wcslen.MSVCRT ref: 004080DB
Part of subcall function 004080BF: memcpy.MSVCRT ref: 004080FE

Strings

", xrefs: 0040BB4A

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
Instruction ID: 425732c6536ade4c189e7d45363e94d8349111ce0189a23fa1b0a907d348dab1
Opcode Fuzzy Hash: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
Instruction Fuzzy Hash: D2317E31904204ABDF04EFA5C8419EEB7F8EF44364B20816BE855B72D5DB78AA41CADC

Uniqueness

Uniqueness Score: -1.00%

Function 0040928C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE

_memicmp.MSVCRT ref: 004092A6
memcpy.MSVCRT ref: 004092BD

Strings

URL , xrefs: 004092A0

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FilePointer_memicmpmemcpy
String ID: URL
API String ID: 2108176848-3574463123
Opcode ID: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
Instruction ID: 33b3fc867a4e2474f07ea88972ed825a8fcb80c5477311fdb059a6d734a7dbfa
Opcode Fuzzy Hash: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
Instruction Fuzzy Hash: 8411A031604208BBEB11DF29CC05F5F7BA8AF85348F054066F904AB2D2E775EE10CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407BF7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00407C3C
memcpy.MSVCRT ref: 00407C4C

Strings

%2.2X , xrefs: 00407C31

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
Instruction ID: 0f19ce75f7d61601c6dcaf4457f6717ff276ffca2b35b3dd887d371e09c964f6
Opcode Fuzzy Hash: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
Instruction Fuzzy Hash: 87117C32908209BEEB10DFE8C9C69AE73A8BB45714F108436ED15E7141D678AA158BA6

Uniqueness

Uniqueness Score: -1.00%

Function 004153F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,00415610,?,00000000), ref: 0041542C
CloseHandle.KERNEL32(?), ref: 00415438

Strings

!-A, xrefs: 00415417

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseFileHandleUnmapView
String ID: !-A
API String ID: 2381555830-3879722540
Opcode ID: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
Instruction ID: 6c5ed3bf8746cf55bcd37c1067f9027f6bc59eb5530dee428a664ff8177fa162
Opcode Fuzzy Hash: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
Instruction Fuzzy Hash: 5611BF35500B10DFCB319F25E945BD777E0FF84712B00492EE4929A662C738F8C48B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040BD3E
_snwprintf.MSVCRT ref: 0040BD5E

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

%%-%d.%ds , xrefs: 0040BD33

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _snwprintf$FileWritewcslen
String ID: %%-%d.%ds
API String ID: 889019245-2008345750
Opcode ID: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
Instruction ID: f6bde454874e3f12fe5a715dcb314e2825e8b387052435345983f70e28f49e73
Opcode Fuzzy Hash: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
Instruction Fuzzy Hash: 1D01D871500604BFD7109F69CC82D6AB7F9FF48318B10442EF946AB2A2DB75F841DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00408116, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00408125
_memicmp.MSVCRT ref: 00408153

Strings

History, xrefs: 0040811F, 00408124, 00408151

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _memicmpwcslen
String ID: History
API String ID: 1872909662-3892791767
Opcode ID: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
Instruction ID: 2715e0f5b76d9e8bf3bfa22bf35e41ec2dcc8bed56e6222f305abdff7d2b472d
Opcode Fuzzy Hash: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
Instruction Fuzzy Hash: 7BF0A4721046029BD210EA299D41A2BB7E8DF813A8F11093FF4D196282DF79DC5646A9

Uniqueness

Uniqueness Score: -1.00%

Function 00407B1D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSaveFileNameW.COMDLG32(?), ref: 00407B6C
wcscpy.MSVCRT ref: 00407B83

Strings

X, xrefs: 00407B51

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileNameSavewcscpy
String ID: X
API String ID: 3080202770-3081909835
Opcode ID: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
Instruction ID: df6fc214ccc966a4ef74be52ccb1fa8de01b9f2d97edd1d3ec6f174b54628a36
Opcode Fuzzy Hash: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
Instruction Fuzzy Hash: C801E5B1E002499FDF00DFE9D8847AEBBF4AF08319F10402AE815E6280DB78A949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC82, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AC9A
SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040ACC9

Strings

", xrefs: 0040ACC2

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
Instruction ID: c9b4fa4cd35477e261f68ac5278df415403352ef960fa58aa17ae8539a272808
Opcode Fuzzy Hash: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
Instruction Fuzzy Hash: 4E01D635800304EBEB20DF5AC841AEFB7F8FF84745F01802AE854A6281D3349955CF79

Uniqueness

Uniqueness Score: -1.00%

Function 004017B7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?,?,?,?,0040D8F3,?,General,?,?,?,?,?,00000000,00000001), ref: 004017E0
memset.MSVCRT ref: 004017F3

Strings

WinPos, xrefs: 00401806

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
Instruction ID: 403492ab1ae1e8e085d1b686bd15613ed323b870b3f74ac0ef6546771a88dbd4
Opcode Fuzzy Hash: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
Instruction Fuzzy Hash: BDF0FF71600204ABEB14EFA5D989F6E73E8AF04700F544479E9099B1D1D7B899008B69

Uniqueness

Uniqueness Score: -1.00%

Function 00407AB6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00407AFF
wcscpy.MSVCRT ref: 00407B0D

Strings

X, xrefs: 00407AE0

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileNameOpenwcscpy
String ID: X
API String ID: 3246554996-3081909835
Opcode ID: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
Instruction ID: 22468463e432baa7279a8bf0e718ba1534ae3331c134da9758c07f59fbfd6832
Opcode Fuzzy Hash: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
Instruction Fuzzy Hash: 6601B2B1D0024CAFCB40DFE9D8856CEBBF8AF09708F10802AE819F6240EB7495458F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

wcsrchr.MSVCRT ref: 0040AB86
wcscat.MSVCRT ref: 0040AB9C

Strings

_lng.ini, xrefs: 0040AB96

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
Instruction ID: faf96e17328b6cfe7fea8df6c793311bae4d5162fb77f626620ffa022952bc65
Opcode Fuzzy Hash: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
Instruction Fuzzy Hash: E6C0125394672070F52233226E13B8F17696F22306F60002FF901280C3EFAC631180AF

Uniqueness

Uniqueness Score: -1.00%

Function 0042917D, Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042921F
memcpy.MSVCRT ref: 00429258
memset.MSVCRT ref: 0042926E
memcpy.MSVCRT ref: 004292A7

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
Instruction ID: 8c22702d92a242b4074cdc0308f2d59ea0ad553ae454c6356856be76eef94a8a
Opcode Fuzzy Hash: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
Instruction Fuzzy Hash: 2551A775A0021AFBEF15DF95DC81AEEB775FF04340F54849AF805A6241E7389E50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407EDE, Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00407EF0

Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
Part of subcall function 00407475: memcpy.MSVCRT ref: 004074A9
Part of subcall function 00407475: free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2

free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
memcpy.MSVCRT ref: 00407F5D

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 53bb7909089ec0eedd8dd5e24e0ed79610a14058f15925bc4f6bfad5848592c5
Instruction ID: 7e4f8ba4ba14ff744b1d1ae1a3210968bf085ae1c99a6b147d894c05d7fb7a00
Opcode Fuzzy Hash: 53bb7909089ec0eedd8dd5e24e0ed79610a14058f15925bc4f6bfad5848592c5
Instruction Fuzzy Hash: 9E21AC71504605EFD720DF18C880C9AB7F4EF443247108A2EF866AB6A1D734F916CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD07, Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004079E0: memset.MSVCRT ref: 004079EE

??2@YAPAXI@Z.MSVCRT ref: 0040AD2E
??2@YAPAXI@Z.MSVCRT ref: 0040AD55
??2@YAPAXI@Z.MSVCRT ref: 0040AD76
??2@YAPAXI@Z.MSVCRT ref: 0040AD97

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: cfaf489efad96e13d7650dd90a1e479029915f4aea12b774901758b52b152337
Instruction ID: 8f402eb808e7ad555a909232128954833d185930e872f23c51b71e42452eb786
Opcode Fuzzy Hash: cfaf489efad96e13d7650dd90a1e479029915f4aea12b774901758b52b152337
Instruction Fuzzy Hash: B121F7B0A017009FD7258F6A8545A52FBE5FF90311B29C9AFE108CBAB2D7B8C800CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00414C13, Relevance: 5.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,00415592,?,?,00415592,004159A7,00000000,?,00415C14,?,00000000), ref: 00414C2E
malloc.MSVCRT ref: 00414C36
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,?,00415592,004159A7,00000000,?,00415C14,?,00000000,00000000,?), ref: 00414C4D
free.MSVCRT(00000000,?,00415592,004159A7,00000000,?,00415C14,?,00000000,00000000,?), ref: 00414C54

Memory Dump Source

Source File: 0000001D.00000002.380044952.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 9b055066e38bee567b126a3868761c6a9d3deb5596daa05209853c95383d11b4
Instruction ID: ac963edc179c34f330cc22ede2b288a34a1f5b158d5d5a2152ff40f2e70c1069
Opcode Fuzzy Hash: 9b055066e38bee567b126a3868761c6a9d3deb5596daa05209853c95383d11b4
Instruction Fuzzy Hash: 9AF0A77220521E3BE61026A55C40D7B778CEB86375B10072BB910E21C1FD59D80006B4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 5nXX3v5zWn

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: HawkEye

Yara Overview

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre