

Windows Analysis Report X5C9EzCB7A

Overview

General Information

Sample Name: X5C9EzCB7A (renamed file extension from none to dll)
Analysis ID: 492086
MD5: dc4fca98a02c5cc7ee5f565c56915c86
SHA1: 4cecd255d9176fff8d0ca18cd3dabd690ce02fbf
SHA256: ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b
Tags: exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
DLL side loading technique detected
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Windows Update Standalone Installer command line found (may be used to bypass UAC)
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 2368 cmdline: loaddll64.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
    • cmd.exe (PID: 5760 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5356 cmdline: rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2192 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wermgr.exe (PID: 6572 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
        • wermgr.exe (PID: 6600 cmdline: C:\Users\user\AppData\Local\M5A\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
        • WFS.exe (PID: 6640 cmdline: C:\Windows\system32\WFS.exe MD5: CD6ACF3B997099B6CFB2417D3942F755)
        • WFS.exe (PID: 6652 cmdline: C:\Users\user\AppData\Local\QEkvVts\WFS.exe MD5: CD6ACF3B997099B6CFB2417D3942F755)
        • wusa.exe (PID: 6888 cmdline: C:\Windows\system32\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)
        • wusa.exe (PID: 6912 cmdline: C:\Users\user\AppData\Local\8FwY\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)
    • rundll32.exe (PID: 1596 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddLayeredRef MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2840 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AdjustClipInsideRef MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4156 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcA MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2888 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcW MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2916 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AutoTrace MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1064 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginHideInputPaneAnimation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6288 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginShowInputPaneAnimation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6360 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildAnimation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6388 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildDropTarget MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6404 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildInterpolation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6428 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CacheDWriteRenderTarget MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6484 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ChangeCurrentAnimationScenario MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6524 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearPushedOpacitiesFromGadgetTree MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6620 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearTopmostVisual MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6752 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CreateAction MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
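The tree above shows the side-loading pattern the "DLL side loading technique detected" signature refers to: explorer.exe (PID 3292), after being injected by rundll32.exe, starts the genuine wermgr.exe, WFS.exe and wusa.exe from System32 and then a copy of each from a randomly named folder under %LOCALAPPDATA% (M5A, QEkvVts, 8FwY), where the dropped-file list shows a wer.dll, WINMM.dll and dpx.dll sitting next to the copy. The triage rule below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling; the process events and the directory listing are constructed from the report's own paths, and the rule (flag a system-binary name running from a non-system folder, list the DLLs beside it, and note when one parent launched both the genuine and the relocated copy) is this editor's assumption about how a responder would triage such telemetry, not a published signature. In production the events would come from Sysmon or EDR process-creation records rather than a hard-coded list.

```python
"""Triage rule for the DLL side-loading pattern in the process tree above.

Added example, not part of the Joe Sandbox report. EVENTS and LISTING are
constructed from the report's process tree and dropped-file paths; the rule
itself is an assumption, not a published detection.
"""
import ntpath
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str         # full path of the image that started
    parent_image: str  # full path of the parent process image


# Constructed from the report's process tree: explorer.exe (PID 3292) starts the
# genuine System32 copy and then a relocated copy of each binary.
EVENTS = [
    ProcessEvent(6572, r"C:\Windows\system32\wermgr.exe", r"C:\Windows\Explorer.EXE"),
    ProcessEvent(6600, r"C:\Users\user\AppData\Local\M5A\wermgr.exe", r"C:\Windows\Explorer.EXE"),
    ProcessEvent(6640, r"C:\Windows\system32\WFS.exe", r"C:\Windows\Explorer.EXE"),
    ProcessEvent(6652, r"C:\Users\user\AppData\Local\QEkvVts\WFS.exe", r"C:\Windows\Explorer.EXE"),
    ProcessEvent(6888, r"C:\Windows\system32\wusa.exe", r"C:\Windows\Explorer.EXE"),
    ProcessEvent(6912, r"C:\Users\user\AppData\Local\8FwY\wusa.exe", r"C:\Windows\Explorer.EXE"),
]

# Constructed directory listing of the dropped folders (lower-cased), taken from
# the report's "Antivirus detection for dropped file" entries.
LISTING = {
    r"c:\users\user\appdata\local\m5a": {"wermgr.exe", "wer.dll"},
    r"c:\users\user\appdata\local\qekvvts": {"wfs.exe", "winmm.dll"},
    r"c:\users\user\appdata\local\8fwy": {"wusa.exe", "dpx.dll"},
}


def _split(image):
    """Return (lower-cased folder, lower-cased file name) for a Windows path."""
    folder, name = ntpath.split(image)
    return folder.lower(), name.lower()


def names_seen_in_system_dirs(events):
    """Image names that executed from a system directory in this batch. Stands in
    for a proper baseline of signed Windows binaries."""
    names = set()
    for ev in events:
        folder, name = _split(ev.image)
        if folder in SYSTEM_DIRS:
            names.add(name)
    return names


def sideload_findings(events, listing, known_names=None):
    """Flag every process whose image name is a known system binary but whose
    folder is not a system directory, and report the DLLs sitting beside it
    (the side-loading candidates to pull for analysis).
    Returns a list of (pid, image path, sorted sibling DLL names)."""
    known = known_names if known_names is not None else names_seen_in_system_dirs(events)
    findings = []
    for ev in events:
        folder, name = _split(ev.image)
        if name not in known or folder in SYSTEM_DIRS:
            continue
        dlls = sorted(f for f in listing.get(folder, ()) if f.endswith(".dll"))
        findings.append((ev.pid, ev.image, dlls))
    return findings


def same_parent_launched_both(events, known_names=None):
    """Secondary signal from the tree above: one parent started both the genuine
    copy and the relocated copy of the same binary. Returns the image names."""
    known = known_names if known_names is not None else names_seen_in_system_dirs(events)
    where_seen = {}
    for ev in events:
        folder, name = _split(ev.image)
        if name in known:
            where_seen.setdefault((name, ev.parent_image.lower()), set()).add(folder in SYSTEM_DIRS)
    return sorted(name for (name, _parent), seen in where_seen.items() if seen == {True, False})


if __name__ == "__main__":
    for pid, image, dlls in sideload_findings(EVENTS, LISTING):
        print(f"PID {pid}: {image} side-load candidates: {dlls}")
    print("both copies launched by one parent:", same_parent_launched_both(EVENTS))
```

The rule deliberately keys on the image name rather than the hash: the copies are byte-identical to the System32 originals (the report shows the same MD5 for both PIDs of each binary), so hash-based allow-listing would pass them, and the only anomalies are the folder and the unsigned DLL next to it.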

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000020.00000002.357738953.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000013.00000002.294331565.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
0000001B.00000002.332178412.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000019.00000002.324869275.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
(16 further entries not shown here)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: X5C9EzCB7A.dll Virustotal: Detection: 64%
Source: X5C9EzCB7A.dll Metadefender: Detection: 57%
Source: X5C9EzCB7A.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: X5C9EzCB7A.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\8FwY\dpx.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\0Nty\ReAgent.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\M5A\wer.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\B8nn\XmlLite.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\QEkvVts\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\Nom\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: X5C9EzCB7A.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8FwY\dpx.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0Nty\ReAgent.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\M5A\wer.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\B8nn\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QEkvVts\WINMM.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nom\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CBF5C8 RegQueryValueExW,RegQueryValueExW,CryptUnprotectData,GetLastError,LocalFree
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CBF500 CryptProtectData,GetLastError,RegSetValueExW
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F8780 memset,LocalFree,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,memset,CreateDirectoryA,GetLastError,GetFileAttributesA,GetLastError,DecryptFileA,GetLastError,MultiByteToWideChar,GetLastError,CryptReleaseContext,LocalFree
Source: X5C9EzCB7A.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wusa.pdbGCTL source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
Source: Binary string: wusa.pdb source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
Source: Binary string: Wfs.pdbGCTL source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
Source: Binary string: WerMgr.pdb source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
Source: Binary string: Wfs.pdb source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740981BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF74097BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C871B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CA30D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C7F0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CB89BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C85B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F1BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F8D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree
Source: explorer.exe, 00000004.00000000.268276705.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match, file source: 00000020.00000002.357738953.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000002.294331565.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000001B.00000002.332178412.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000019.00000002.324869275.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000017.00000002.310372882.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.341553991.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.256116400.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000001F.00000002.353298117.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000022.00000002.363607406.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.270725525.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.279755934.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.249682229.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000018.00000002.317261849.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000002.287591369.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000015.00000002.302760143.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000001C.00000002.339544401.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.263669758.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000023.00000002.367587367.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000001D.00000002.399487635.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000028.00000002.370038497.0000000140001000.00000020.00020000.sdmp, type: MEMORY
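All 21 Yara hits above are on a memory dump at the same base address, 0x140001000, with protection value 0x20, in 21 different processes, which is the more useful reading than "21 detections": one unpacked Dridex image, mapped at the DLL's preferred base in every rundll32.exe export invocation and in the three side-loaded hosts. The decoder below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. The dump-name field layout it assumes is inferred from the report's own entries and must be checked against the Joe Sandbox documentation: the first field is the process index (the report itself ties 0000001F to wermgr.exe, 00000022 to WFS.exe and 00000028 to wusa.exe in its "Binary string" entries, and it matches the N in the "N_2_<address>" code-function prefixes), the fourth is the base address, and the fifth matches the Win32 PAGE_* protection constants (0x20 = PAGE_EXECUTE_READ for the hits, 0x02 = PAGE_READONLY for the wusa.exe .pdb string, 0x04 = PAGE_READWRITE for the explorer.exe string). The second and last fields are not decoded here. The 21 dump names are copied from the list above as constructed sample input.

```python
"""Decode the Joe Sandbox memory-dump identifiers listed above.

Added example, not part of the report. The field layout is an assumption
inferred from the report's own entries (verify against Joe Sandbox docs):

    <process index>.<phase>.<dump id>.<base address>.<page protection>.<type>.sdmp

Only the process index, base address and page protection are interpreted.
"""
import re
from collections import Counter

# Win32 PAGE_* protection constants (low byte of the protection field).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)

# Process indices the report ties to an image (assumption: from its "N_2_" code
# function prefixes and "Binary string ... source:" entries); others stay unnamed.
PROCESS_NAMES = {0: "loaddll64.exe", 31: "wermgr.exe", 34: "WFS.exe", 40: "wusa.exe"}

# Constructed copy of the 21 "Yara detected Dridex unpacked file" dump names.
YARA_HIT_DUMPS = """
00000020.00000002.357738953.0000000140001000.00000020.00020000.sdmp
00000013.00000002.294331565.0000000140001000.00000020.00020000.sdmp
0000001B.00000002.332178412.0000000140001000.00000020.00020000.sdmp
00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp
00000019.00000002.324869275.0000000140001000.00000020.00020000.sdmp
00000017.00000002.310372882.0000000140001000.00000020.00020000.sdmp
00000002.00000002.341553991.0000000140001000.00000020.00020000.sdmp
00000006.00000002.256116400.0000000140001000.00000020.00020000.sdmp
0000001F.00000002.353298117.0000000140001000.00000020.00020000.sdmp
00000022.00000002.363607406.0000000140001000.00000020.00020000.sdmp
00000009.00000002.270725525.0000000140001000.00000020.00020000.sdmp
0000000A.00000002.279755934.0000000140001000.00000020.00020000.sdmp
00000003.00000002.249682229.0000000140001000.00000020.00020000.sdmp
00000018.00000002.317261849.0000000140001000.00000020.00020000.sdmp
0000000E.00000002.287591369.0000000140001000.00000020.00020000.sdmp
00000015.00000002.302760143.0000000140001000.00000020.00020000.sdmp
0000001C.00000002.339544401.0000000140001000.00000020.00020000.sdmp
00000008.00000002.263669758.0000000140001000.00000020.00020000.sdmp
00000023.00000002.367587367.0000000140001000.00000020.00020000.sdmp
0000001D.00000002.399487635.0000000140001000.00000020.00020000.sdmp
00000028.00000002.370038497.0000000140001000.00000020.00020000.sdmp
""".split()


def parse_dump_id(name):
    """Split one identifier into its fields; raises ValueError on anything else."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump identifier: {name!r}")
    prot = int(m["prot"], 16) & 0xFF  # drop modifier bits such as PAGE_GUARD (0x100)
    return {
        "process_index": int(m["proc"], 16),
        "base": int(m["base"], 16),
        "protection": PAGE_PROTECTION.get(prot, f"0x{prot:02x}"),
        "executable": prot in EXECUTABLE_PROTECTIONS,
        "type_raw": int(m["type"], 16),
    }


def summarize(dump_ids):
    """Count hits per (base address, protection). A single key for all entries
    means the rule fired on the same region at the same address in every
    process: one payload mapped repeatedly, not many variants."""
    counts = Counter()
    for d in map(parse_dump_id, dump_ids):
        counts[(d["base"], d["protection"])] += 1
    return dict(counts)


def executable_hit_processes(dump_ids):
    """(process index, image name or '?') for every hit in executable memory."""
    rows = []
    for d in map(parse_dump_id, dump_ids):
        if d["executable"]:
            rows.append((d["process_index"], PROCESS_NAMES.get(d["process_index"], "?")))
    return sorted(rows)


if __name__ == "__main__":
    for (base, prot), n in summarize(YARA_HIT_DUMPS).items():
        print(f"{n} hits at 0x{base:X} ({prot})")
    for idx, image in executable_hit_processes(YARA_HIT_DUMPS):
        print(f"  process {idx:2d} {image}")
```

The same grouping is what to apply when the hits differ: several bases or a PAGE_EXECUTE_READWRITE region not backed by the sample's own image would point at injected code in a foreign process rather than the DLL's own mapped section, which is worth pulling as a separate dump.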

System Summary:

PE file contains section with special chars
Source: SppExtComObj.Exe.4.dr Static PE information: section name: ?g_Encry
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014007C9D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140079360
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140078D3F
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014007D5F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140050E60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140079681
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140078EBB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF74097CFF0
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740972F54
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF74097E368
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740977EFC
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740982438
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740976848
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740980A58
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C7B6C4
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CB0630
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C785B0
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CAF5D0
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CC15BC
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CBB904
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CB18CC
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C9E840
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C9F71C
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C75738
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C73258
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C79250
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CBA1B0
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CB6180
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CB54E034_2_00007FF7D5CB54E0
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C7C4F834_2_00007FF7D5C7C4F8
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CAE4C034_2_00007FF7D5CAE4C0
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C9541C34_2_00007FF7D5C9541C
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CD244034_2_00007FF7D5CD2440
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CBB41034_2_00007FF7D5CBB410
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C9B3A834_2_00007FF7D5C9B3A8
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CAA38034_2_00007FF7D5CAA380
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CAD32034_2_00007FF7D5CAD320
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C73A3034_2_00007FF7D5C73A30
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CB3E1C34_2_00007FF7D5CB3E1C
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CB6E5034_2_00007FF7D5CB6E50
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CBB0DC34_2_00007FF7D5CBB0DC
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CAC06034_2_00007FF7D5CAC060
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CD1F6034_2_00007FF7D5CD1F60
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C87AF034_2_00007FF7D5C87AF0
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CB8AB034_2_00007FF7D5CB8AB0
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C73A3034_2_00007FF7D5C73A30
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CBA9E034_2_00007FF7D5CBA9E0
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C819D034_2_00007FF7D5C819D0
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C7C97434_2_00007FF7D5C7C974
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C9394034_2_00007FF7D5C93940
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C74CD434_2_00007FF7D5C74CD4
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CB5C1034_2_00007FF7D5CB5C10
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CBFC0C34_2_00007FF7D5CBFC0C
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CB6C0034_2_00007FF7D5CB6C00
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CD2B6C34_2_00007FF7D5CD2B6C
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C90B8034_2_00007FF7D5C90B80
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CAFB3034_2_00007FF7D5CAFB30
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CAAB1C34_2_00007FF7D5CAAB1C
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE1FA0FC40_2_00007FF6EE1FA0FC
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE1F3D8840_2_00007FF6EE1F3D88
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE1F5EA440_2_00007FF6EE1F5EA4
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE1F1BC040_2_00007FF6EE1F1BC0
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE1F878040_2_00007FF6EE1F8780
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE1F991040_2_00007FF6EE1F9910
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE1F356C40_2_00007FF6EE1F356C
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE1F23F040_2_00007FF6EE1F23F0
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: String function: 00007FF7D5C738C8 appears 261 times
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: String function: 00007FF6EE1F9520 appears 162 times
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F3A2C memset,GetSystemDirectoryW,wcsrchr,memset,CreateProcessAsUserW,GetLastError,WaitForSingleObject,GetLastError,GetExitCodeProcess,GetLastError,GetLastError,CloseHandle,CloseHandle,LocalFree
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003BFF0 NtDuplicateObject
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003B220 NtReadVirtualMemory,NtQueueApcThread,NtProtectVirtualMemory,NtQueueApcThread,NtProtectVirtualMemory,NtProtectVirtualMemory
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140025280 NtDuplicateObject
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003A2E0 NtDuplicateObject,NtQueueApcThread
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140025330 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003BC10 CreateFileMappingW,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014004E440 NtDelayExecution
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140046C90 NtClose
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006A4B0 NtQuerySystemInformation
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003C560 NtDuplicateObject,NtClose
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140039F50 NtReadVirtualMemory
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003BF70 NtDuplicateObject,NtClose
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003AF90 NtQueueApcThread
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740978404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740981F54 NtQueryLicenseValue
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF74097E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF7409782EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740982438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue
            Source: wermgr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wermgr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wermgr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WFS.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WFS.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WFS.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wusa.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wusa.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wusa.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wlrmdr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wlrmdr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Dxpserver.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Dxpserver.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Dxpserver.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: DevicePairingWizard.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: recdisc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: recdisc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: recdisc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: perfmon.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: perfmon.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: perfmon.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wermgr.exe0.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wermgr.exe0.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wermgr.exe0.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wextract.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wextract.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wextract.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FXSCOVER.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FXSCOVER.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FXSCOVER.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: ACTIVEDS.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: WTSAPI32.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: DUI70.dll0.4.dr | Static PE information: Number of sections : 43 > 10
            Source: UxTheme.dll0.4.dr | Static PE information: Number of sections : 43 > 10
            Source: wer.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: XmlLite.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: VERSION.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: DUI70.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: WINMM.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: X5C9EzCB7A.dll | Static PE information: Number of sections : 42 > 10
            Source: dpx.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: UxTheme.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: MFC42u.dll.4.dr | Static PE information: Number of sections : 43 > 10
            Source: X5C9EzCB7A.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: wer.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WINMM.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dpx.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WTSAPI32.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: XmlLite.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: MFC42u.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: ACTIVEDS.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: SppExtComObj.Exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: X5C9EzCB7A.dll | Virustotal: Detection: 64%
            Source: X5C9EzCB7A.dll | Metadefender: Detection: 57%
            Source: X5C9EzCB7A.dll | ReversingLabs: Detection: 75%
            Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll'
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddLayeredRef
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AdjustClipInsideRef
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcA
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcW
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AutoTrace
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginHideInputPaneAnimation
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginShowInputPaneAnimation
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildAnimation
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildDropTarget
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildInterpolation
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CacheDWriteRenderTarget
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ChangeCurrentAnimationScenario
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearPushedOpacitiesFromGadgetTree
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\M5A\wermgr.exe C:\Users\user\AppData\Local\M5A\wermgr.exe
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearTopmostVisual
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WFS.exe C:\Windows\system32\WFS.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\QEkvVts\WFS.exe C:\Users\user\AppData\Local\QEkvVts\WFS.exe
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CreateAction
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\8FwY\wusa.exe C:\Users\user\AppData\Local\8FwY\wusa.exe
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F5438 LookupPrivilegeValueW,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,LocalFree, 40_2_00007FF6EE1F5438
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
            Source: classification engine Classification label: mal100.troj.evad.winDLL@91/45@0/0
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740978F2C CoInitializeEx,CoCreateInstance,SysAllocString,SysFreeString,CoUninitialize, 31_2_00007FF740978F2C
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor, 31_2_00007FF74097DE98
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C9541C SendDlgItemMessageW,memset,memset,LoadStringW,FormatMessageW,SetDlgItemTextW,GetLastError,GetLastError,PeekMessageW,TranslateMessage,DispatchMessageW,#5065,#5065,PeekMessageW, 34_2_00007FF7D5C9541C
            Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003C240 GetProcessId,CreateToolhelp32Snapshot,Thread32First, 0_2_000000014003C240
            Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Mutant created: \Sessions\1\BaseNamedObjects\{f4c92513-81b4-e2bc-e5ad-0bbbd5f6a12c}
            Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{3baca1ad-f576-2ca5-ab39-dd9076560d1e}
            Source: wusa.exe String found in binary or memory: Failed to display update-installed message box
            Source: wusa.exe String found in binary or memory: Failed to display update-not-installed message box
            Source: X5C9EzCB7A.dll Static PE information: More than 149 > 100 exports found
            Source: X5C9EzCB7A.dll Static PE information: Image base 0x140000000 > 0x60000000
            Source: X5C9EzCB7A.dll Static file information: File size 2117632 > 1048576
            Source: X5C9EzCB7A.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: wusa.pdbGCTL source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
            Source: Binary string: wusa.pdb source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
            Source: Binary string: Wfs.pdbGCTL source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
            Source: Binary string: WerMgr.pdb source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
            Source: Binary string: Wfs.pdb source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
            Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
            Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE201964 push rbx; iretd 40_2_00007FF6EE201965
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE2015F8 push rbx; retf 40_2_00007FF6EE2015F9
            Source: X5C9EzCB7A.dll Static PE information: section name: .qkm
            Source: X5C9EzCB7A.dll Static PE information: section name: .cvjb
            Source: X5C9EzCB7A.dll Static PE information: section name: .tlmkv
            Source: X5C9EzCB7A.dll Static PE information: section name: .wucsxe
            Source: X5C9EzCB7A.dll Static PE information: section name: .fltwtj
            Source: X5C9EzCB7A.dll Static PE information: section name: .sfplio
            Source: X5C9EzCB7A.dll Static PE information: section name: .rpg
            Source: X5C9EzCB7A.dll Static PE information: section name: .bewzc
            Source: X5C9EzCB7A.dll Static PE information: section name: .vksvaw
            Source: X5C9EzCB7A.dll Static PE information: section name: .wmhg
            Source: X5C9EzCB7A.dll Static PE information: section name: .kswemc
            Source: X5C9EzCB7A.dll Static PE information: section name: .kaxfk
            Source: X5C9EzCB7A.dll Static PE information: section name: .pjf
            Source: X5C9EzCB7A.dll Static PE information: section name: .favk
            Source: X5C9EzCB7A.dll Static PE information: section name: .vhtukj
            Source: X5C9EzCB7A.dll Static PE information: section name: .hmbyox
            Source: X5C9EzCB7A.dll Static PE information: section name: .txms
            Source: X5C9EzCB7A.dll Static PE information: section name: .vqqm
            Source: X5C9EzCB7A.dll Static PE information: section name: .cbwb
            Source: X5C9EzCB7A.dll Static PE information: section name: .cti
            Source: X5C9EzCB7A.dll Static PE information: section name: .ktfjac
            Source: X5C9EzCB7A.dll Static PE information: section name: .hvmici
            Source: X5C9EzCB7A.dll Static PE information: section name: .bvyyd
            Source: X5C9EzCB7A.dll Static PE information: section name: .qhjn
            Source: X5C9EzCB7A.dll Static PE information: section name: .bsvkca
            Source: X5C9EzCB7A.dll Static PE information: section name: .nvpgx
            Source: X5C9EzCB7A.dll Static PE information: section name: .yaa
            Source: X5C9EzCB7A.dll Static PE information: section name: .qsimby
            Source: X5C9EzCB7A.dll Static PE information: section name: .dibg
            Source: X5C9EzCB7A.dll Static PE information: section name: .odxfk
            Source: X5C9EzCB7A.dll Static PE information: section name: .zczpdd
            Source: X5C9EzCB7A.dll Static PE information: section name: .iceycz
            Source: X5C9EzCB7A.dll Static PE information: section name: .lwp
            Source: X5C9EzCB7A.dll Static PE information: section name: .ejt
            Source: X5C9EzCB7A.dll Static PE information: section name: .gzpi
            Source: X5C9EzCB7A.dll Static PE information: section name: .oima
            Source: wermgr.exe.4.dr Static PE information: section name: .imrsiv
            Source: wermgr.exe.4.dr Static PE information: section name: .didat
            Source: WFS.exe.4.dr Static PE information: section name: .didat
            Source: SndVol.exe.4.dr Static PE information: section name: .imrsiv
            Source: SndVol.exe.4.dr Static PE information: section name: .didat
            Source: wlrmdr.exe.4.dr Static PE information: section name: .imrsiv
            Source: ProximityUxHost.exe.4.dr Static PE information: section name: .imrsiv
            Source: wermgr.exe0.4.dr Static PE information: section name: .imrsiv
            Source: wermgr.exe0.4.dr Static PE information: section name: .didat
            Source: LicensingUI.exe.4.dr Static PE information: section name: .imrsiv
            Source: wer.dll.4.dr Static PE information: section name: .qkm
            Source: wer.dll.4.dr Static PE information: section name: .cvjb
            Source: wer.dll.4.dr Static PE information: section name: .tlmkv
            Source: wer.dll.4.dr Static PE information: section name: .wucsxe
            Source: wer.dll.4.dr Static PE information: section name: .fltwtj
            Source: wer.dll.4.dr Static PE information: section name: .sfplio
            Source: wer.dll.4.dr Static PE information: section name: .rpg
            Source: wer.dll.4.dr Static PE information: section name: .bewzc
            Source: wer.dll.4.dr Static PE information: section name: .vksvaw
            Source: wer.dll.4.dr Static PE information: section name: .wmhg
            Source: wer.dll.4.dr Static PE information: section name: .kswemc
            Source: wer.dll.4.dr Static PE information: section name: .kaxfk
            Source: wer.dll.4.dr Static PE information: section name: .pjf
            Source: wer.dll.4.dr Static PE information: section name: .favk
            Source: wer.dll.4.dr Static PE information: section name: .vhtukj
            Source: wer.dll.4.dr Static PE information: section name: .hmbyox
            Source: wer.dll.4.dr Static PE information: section name: .txms
            Source: wer.dll.4.dr Static PE information: section name: .vqqm
            Source: wer.dll.4.dr Static PE information: section name: .cbwb
            Source: wer.dll.4.dr Static PE information: section name: .cti
            Source: wer.dll.4.dr Static PE information: section name: .ktfjac
            Source: wer.dll.4.dr Static PE information: section name: .hvmici
            Source: wer.dll.4.dr Static PE information: section name: .bvyyd
            Source: wer.dll.4.dr Static PE information: section name: .qhjn
            Source: wer.dll.4.dr Static PE information: section name: .bsvkca
            Source: wer.dll.4.dr Static PE information: section name: .nvpgx
            Source: wer.dll.4.dr Static PE information: section name: .yaa
            Source: wer.dll.4.dr Static PE information: section name: .qsimby
            Source: wer.dll.4.dr Static PE information: section name: .dibg
            Source: wer.dll.4.dr Static PE information: section name: .odxfk
            Source: wer.dll.4.dr Static PE information: section name: .zczpdd
            Source: wer.dll.4.dr Static PE information: section name: .iceycz
            Source: wer.dll.4.dr Static PE information: section name: .lwp
            Source: wer.dll.4.dr Static PE information: section name: .ejt
            Source: wer.dll.4.dr Static PE information: section name: .gzpi
            Source: wer.dll.4.dr Static PE information: section name: .oima
            Source: wer.dll.4.dr Static PE information: section name: .akm
            Source: WINMM.dll.4.dr Static PE information: section name: .qkm
            Source: WINMM.dll.4.dr Static PE information: section name: .cvjb
            Source: WINMM.dll.4.dr Static PE information: section name: .tlmkv
            Source: WINMM.dll.4.dr Static PE information: section name: .wucsxe
            Source: WINMM.dll.4.dr Static PE information: section name: .fltwtj
            Source: WINMM.dll.4.dr Static PE information: section name: .sfplio
            Source: WINMM.dll.4.dr Static PE information: section name: .rpg
            Source: WINMM.dll.4.dr Static PE information: section name: .bewzc
            Source: WINMM.dll.4.dr Static PE information: section name: .vksvaw
            Source: WINMM.dll.4.dr Static PE information: section name: .wmhg
            Source: WINMM.dll.4.dr Static PE information: section name: .kswemc
            Source: WINMM.dll.4.dr Static PE information: section name: .kaxfk
            Source: WINMM.dll.4.dr Static PE information: section name: .pjf
            Source: WINMM.dll.4.dr Static PE information: section name: .favk
            Source: WINMM.dll.4.dr Static PE information: section name: .vhtukj
            Source: WINMM.dll.4.dr Static PE information: section name: .hmbyox
            Source: WINMM.dll.4.dr Static PE information: section name: .txms
            Source: WINMM.dll.4.dr Static PE information: section name: .vqqm
            Source: WINMM.dll.4.dr Static PE information: section name: .cbwb
            Source: WINMM.dll.4.dr Static PE information: section name: .cti
            Source: WINMM.dll.4.dr Static PE information: section name: .ktfjac
            Source: WINMM.dll.4.dr Static PE information: section name: .hvmici
            Source: WINMM.dll.4.dr Static PE information: section name: .bvyyd
            Source: WINMM.dll.4.dr Static PE information: section name: .qhjn
            Source: WINMM.dll.4.dr Static PE information: section name: .bsvkca
            Source: WINMM.dll.4.dr Static PE information: section name: .nvpgx
            Source: WINMM.dll.4.dr Static PE information: section name: .yaa
            Source: WINMM.dll.4.dr Static PE information: section name: .qsimby
            Source: WINMM.dll.4.dr Static PE information: section name: .dibg
            Source: WINMM.dll.4.dr Static PE information: section name: .odxfk
            Source: WINMM.dll.4.dr Static PE information: section name: .zczpdd
            Source: WINMM.dll.4.dr Static PE information: section name: .iceycz
            Source: WINMM.dll.4.dr Static PE information: section name: .lwp
            Source: WINMM.dll.4.dr Static PE information: section name: .ejt
            Source: WINMM.dll.4.dr Static PE information: section name: .gzpi
            Source: WINMM.dll.4.dr Static PE information: section name: .oima
            Source: WINMM.dll.4.dr Static PE information: section name: .saaaq
            Source: dpx.dll.4.dr Static PE information: section name: .qkm
            Source: dpx.dll.4.dr Static PE information: section name: .cvjb
            Source: dpx.dll.4.dr Static PE information: section name: .tlmkv
            Source: dpx.dll.4.dr Static PE information: section name: .wucsxe
            Source: dpx.dll.4.dr Static PE information: section name: .fltwtj
            Source: dpx.dll.4.dr Static PE information: section name: .sfplio
            Source: dpx.dll.4.dr Static PE information: section name: .rpg
            Source: dpx.dll.4.dr Static PE information: section name: .bewzc
            Source: dpx.dll.4.dr Static PE information: section name: .vksvaw
            Source: dpx.dll.4.dr Static PE information: section name: .wmhg
            Source: dpx.dll.4.dr Static PE information: section name: .kswemc
            Source: dpx.dll.4.dr Static PE information: section name: .kaxfk
            Source: dpx.dll.4.dr Static PE information: section name: .pjf
            Source: dpx.dll.4.dr Static PE information: section name: .favk
            Source: dpx.dll.4.dr Static PE information: section name: .vhtukj
            Source: dpx.dll.4.dr Static PE information: section name: .hmbyox
            Source: dpx.dll.4.dr Static PE information: section name: .txms
            Source: dpx.dll.4.dr Static PE information: section name: .vqqm
            Source: dpx.dll.4.dr Static PE information: section name: .cbwb
            Source: dpx.dll.4.dr Static PE information: section name: .cti
            Source: dpx.dll.4.dr Static PE information: section name: .ktfjac
            Source: dpx.dll.4.dr Static PE information: section name: .hvmici
            Source: dpx.dll.4.dr Static PE information: section name: .bvyyd
            Source: dpx.dll.4.dr Static PE information: section name: .qhjn
            Source: dpx.dll.4.dr Static PE information: section name: .bsvkca
            Source: dpx.dll.4.dr Static PE information: section name: .nvpgx
            Source: dpx.dll.4.dr Static PE information: section name: .yaa
            Source: dpx.dll.4.dr Static PE information: section name: .qsimby
            Source: dpx.dll.4.dr Static PE information: section name: .dibg
            Source: dpx.dll.4.dr Static PE information: section name: .odxfk
            Source: dpx.dll.4.dr Static PE information: section name: .zczpdd
            Source: dpx.dll.4.dr Static PE information: section name: .iceycz
            Source: dpx.dll.4.dr Static PE information: section name: .lwp
            Source: dpx.dll.4.dr Static PE information: section name: .ejt
            Source: dpx.dll.4.dr Static PE information: section name: .gzpi
            Source: dpx.dll.4.dr Static PE information: section name: .oima
            Source: dpx.dll.4.dr Static PE information: section name: .hmoki
            Source: UxTheme.dll.4.dr Static PE information: section name: .qkm
            Source: UxTheme.dll.4.dr Static PE information: section name: .cvjb
            Source: UxTheme.dll.4.dr Static PE information: section name: .tlmkv
            Source: UxTheme.dll.4.dr Static PE information: section name: .wucsxe
            Source: UxTheme.dll.4.dr Static PE information: section name: .fltwtj
            Source: UxTheme.dll.4.dr Static PE information: section name: .sfplio
            Source: UxTheme.dll.4.dr Static PE information: section name: .rpg
            Source: UxTheme.dll.4.dr Static PE information: section name: .bewzc
            Source: UxTheme.dll.4.dr Static PE information: section name: .vksvaw
            Source: UxTheme.dll.4.dr Static PE information: section name: .wmhg
            Source: UxTheme.dll.4.dr Static PE information: section name: .kswemc
            Source: UxTheme.dll.4.dr Static PE information: section name: .kaxfk
            Source: UxTheme.dll.4.dr Static PE information: section name: .pjf
            Source: UxTheme.dll.4.dr Static PE information: section name: .favk
            Source: UxTheme.dll.4.dr Static PE information: section name: .vhtukj
            Source: UxTheme.dll.4.dr Static PE information: section name: .hmbyox
            Source: UxTheme.dll.4.dr Static PE information: section name: .txms
            Source: UxTheme.dll.4.dr Static PE information: section name: .vqqm
            Source: UxTheme.dll.4.dr Static PE information: section name: .cbwb
            Source: UxTheme.dll.4.dr Static PE information: section name: .cti
            Source: UxTheme.dll.4.dr Static PE information: section name: .ktfjac
            Source: UxTheme.dll.4.dr Static PE information: section name: .hvmici
            Source: UxTheme.dll.4.dr Static PE information: section name: .bvyyd
            Source: UxTheme.dll.4.dr Static PE information: section name: .qhjn
            Source: UxTheme.dll.4.dr Static PE information: section name: .bsvkca
            Source: UxTheme.dll.4.dr Static PE information: section name: .nvpgx
            Source: UxTheme.dll.4.dr Static PE information: section name: .yaa
            Source: UxTheme.dll.4.dr Static PE information: section name: .qsimby
            Source: UxTheme.dll.4.dr Static PE information: section name: .dibg
            Source: UxTheme.dll.4.dr Static PE information: section name: .odxfk
            Source: UxTheme.dll.4.dr Static PE information: section name: .zczpdd
            Source: UxTheme.dll.4.dr Static PE information: section name: .iceycz
            Source: UxTheme.dll.4.dr Static PE information: section name: .lwp
            Source: UxTheme.dll.4.dr Static PE information: section name: .ejt
            Source: UxTheme.dll.4.dr Static PE information: section name: .gzpi
            Source: UxTheme.dll.4.dr Static PE information: section name: .oima
            Source: UxTheme.dll.4.dr Static PE information: section name: .sbt
            Source: DUI70.dll.4.dr Static PE information: section name: .qkm
            Source: DUI70.dll.4.dr Static PE information: section name: .cvjb
            Source: DUI70.dll.4.dr Static PE information: section name: .tlmkv
            Source: DUI70.dll.4.dr Static PE information: section name: .wucsxe
            Source: DUI70.dll.4.dr Static PE information: section name: .fltwtj
            Source: DUI70.dll.4.dr Static PE information: section name: .sfplio
            Source: DUI70.dll.4.dr Static PE information: section name: .rpg
            Source: DUI70.dll.4.dr Static PE information: section name: .bewzc
            Source: DUI70.dll.4.dr Static PE information: section name: .vksvaw
            Source: DUI70.dll.4.dr Static PE information: section name: .wmhg
            Source: DUI70.dll.4.dr Static PE information: section name: .kswemc
            Source: DUI70.dll.4.dr Static PE information: section name: .kaxfk
            Source: DUI70.dll.4.dr Static PE information: section name: .pjf
            Source: DUI70.dll.4.dr Static PE information: section name: .favk
            Source: DUI70.dll.4.dr Static PE information: section name: .vhtukj
            Source: DUI70.dll.4.dr Static PE information: section name: .hmbyox
            Source: DUI70.dll.4.dr Static PE information: section name: .txms
            Source: DUI70.dll.4.dr Static PE information: section name: .vqqm
            Source: DUI70.dll.4.dr Static PE information: section name: .cbwb
            Source: DUI70.dll.4.dr Static PE information: section name: .cti
            Source: DUI70.dll.4.dr Static PE information: section name: .ktfjac
            Source: DUI70.dll.4.dr Static PE information: section name: .hvmici
            Source: DUI70.dll.4.dr Static PE information: section name: .bvyyd
            Source: DUI70.dll.4.dr Static PE information: section name: .qhjn
            Source: DUI70.dll.4.dr Static PE information: section name: .bsvkca
            Source: DUI70.dll.4.dr Static PE information: section name: .nvpgx
            Source: DUI70.dll.4.dr Static PE information: section name: .yaa
            Source: DUI70.dll.4.dr Static PE information: section name: .qsimby
            Source: DUI70.dll.4.dr Static PE information: section name: .dibg
            Source: DUI70.dll.4.dr Static PE information: section name: .odxfk
            Source: DUI70.dll.4.dr Static PE information: section name: .zczpdd
            Source: DUI70.dll.4.dr Static PE information: section name: .iceycz
            Source: DUI70.dll.4.dr Static PE information: section name: .lwp
            Source: DUI70.dll.4.dr Static PE information: section name: .ejt
            Source: DUI70.dll.4.dr Static PE information: section name: .gzpi
            Source: DUI70.dll.4.dr Static PE information: section name: .oima
            Source: DUI70.dll.4.dr Static PE information: section name: .iokrmu
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .qkm
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .cvjb
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .tlmkv
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .wucsxe
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .fltwtj
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .sfplio
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .rpg
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .bewzc
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .vksvaw
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .wmhg
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .kswemc
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .kaxfk
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .pjf
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .favk
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .vhtukj
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .hmbyox
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .txms
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .vqqm
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .cbwb
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .cti
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .ktfjac
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .hvmici
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .bvyyd
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .qhjn
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .bsvkca
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .nvpgx
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .yaa
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .qsimby
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .dibg
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .odxfk
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .zczpdd
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .iceycz
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .lwp
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .ejt
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .gzpi
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .oima
            Source: WTSAPI32.dll.4.dr Static PE information: section name: .bxvwc
            Source: UxTheme.dll0.4.dr Static PE information: section name: .qkm
            Source: UxTheme.dll0.4.dr Static PE information: section name: .cvjb
            Source: UxTheme.dll0.4.dr Static PE information: section name: .tlmkv
            Source: UxTheme.dll0.4.dr Static PE information: section name: .wucsxe
            Source: UxTheme.dll0.4.dr Static PE information: section name: .fltwtj
            Source: UxTheme.dll0.4.dr Static PE information: section name: .sfplio
            Source: UxTheme.dll0.4.dr Static PE information: section name: .rpg
            Source: UxTheme.dll0.4.dr Static PE information: section name: .bewzc
            Source: UxTheme.dll0.4.dr Static PE information: section name: .vksvaw
            Source: UxTheme.dll0.4.dr Static PE information: section name: .wmhg
            Source: UxTheme.dll0.4.dr Static PE information: section name: .kswemc
            Source: UxTheme.dll0.4.dr Static PE information: section name: .kaxfk
            Source: UxTheme.dll0.4.dr Static PE information: section name: .pjf
            Source: UxTheme.dll0.4.dr Static PE information: section name: .favk
            Source: UxTheme.dll0.4.dr Static PE information: section name: .vhtukj
            Source: UxTheme.dll0.4.dr Static PE information: section name: .hmbyox
            Source: UxTheme.dll0.4.dr Static PE information: section name: .txms
            Source: UxTheme.dll0.4.dr Static PE information: section name: .vqqm
            Source: UxTheme.dll0.4.dr Static PE information: section name: .cbwb
            Source: UxTheme.dll0.4.dr Static PE information: section name: .cti
            Source: UxTheme.dll0.4.dr Static PE information: section name: .ktfjac
            Source: UxTheme.dll0.4.dr Static PE information: section name: .hvmici
            Source: UxTheme.dll0.4.dr Static PE information: section name: .bvyyd
            Source: UxTheme.dll0.4.dr Static PE information: section name: .qhjn
            Source: UxTheme.dll0.4.dr Static PE information: section name: .bsvkca
            Source: UxTheme.dll0.4.dr Static PE information: section name: .nvpgx
            Source: UxTheme.dll0.4.dr Static PE information: section name: .yaa
            Source: UxTheme.dll0.4.dr Static PE information: section name: .qsimby
            Source: UxTheme.dll0.4.dr Static PE information: section name: .dibg
            Source: UxTheme.dll0.4.dr Static PE information: section name: .odxfk
            Source: UxTheme.dll0.4.dr Static PE information: section name: .zczpdd
            Source: UxTheme.dll0.4.dr Static PE information: section name: .iceycz
            Source: UxTheme.dll0.4.dr Static PE information: section name: .lwp
            Source: UxTheme.dll0.4.dr Static PE information: section name: .ejt
            Source: UxTheme.dll0.4.dr Static PE information: section name: .gzpi
            Source: UxTheme.dll0.4.dr Static PE information: section name: .oima
            Source: UxTheme.dll0.4.dr Static PE information: section name: .zpg
            Source: DUI70.dll0.4.dr Static PE information: section name: .qkm
            Source: DUI70.dll0.4.dr Static PE information: section name: .cvjb
            Source: DUI70.dll0.4.dr Static PE information: section name: .tlmkv
            Source: DUI70.dll0.4.dr Static PE information: section name: .wucsxe
            Source: DUI70.dll0.4.dr Static PE information: section name: .fltwtj
            Source: DUI70.dll0.4.dr Static PE information: section name: .sfplio
            Source: DUI70.dll0.4.dr Static PE information: section name: .rpg
            Source: DUI70.dll0.4.dr Static PE information: section name: .bewzc
            Source: DUI70.dll0.4.dr Static PE information: section name: .vksvaw
            Source: DUI70.dll0.4.dr Static PE information: section name: .wmhg
            Source: DUI70.dll0.4.dr Static PE information: section name: .kswemc
            Source: DUI70.dll0.4.dr Static PE information: section name: .kaxfk
            Source: DUI70.dll0.4.dr Static PE information: section name: .pjf
            Source: DUI70.dll0.4.dr Static PE information: section name: .favk
            Source: DUI70.dll0.4.dr Static PE information: section name: .vhtukj
            Source: DUI70.dll0.4.dr Static PE information: section name: .hmbyox
            Source: DUI70.dll0.4.dr Static PE information: section name: .txms
            Source: DUI70.dll0.4.dr Static PE information: section name: .vqqm
            Source: DUI70.dll0.4.dr Static PE information: section name: .cbwb
            Source: DUI70.dll0.4.dr Static PE information: section name: .cti
            Source: DUI70.dll0.4.dr Static PE information: section name: .ktfjac
            Source: DUI70.dll0.4.dr Static PE information: section name: .hvmici
            Source: DUI70.dll0.4.dr Static PE information: section name: .bvyyd
            Source: DUI70.dll0.4.dr Static PE information: section name: .qhjn
            Source: DUI70.dll0.4.dr Static PE information: section name: .bsvkca
            Source: DUI70.dll0.4.dr Static PE information: section name: .nvpgx
            Source: DUI70.dll0.4.dr Static PE information: section name: .yaa
            Source: DUI70.dll0.4.dr Static PE information: section name: .qsimby
            Source: DUI70.dll0.4.dr Static PE information: section name: .dibg
            Source: DUI70.dll0.4.dr Static PE information: section name: .odxfk
            Source: DUI70.dll0.4.dr Static PE information: section name: .zczpdd
            Source: DUI70.dll0.4.dr Static PE information: section name: .iceycz
            Source: DUI70.dll0.4.dr Static PE information: section name: .lwp
            Source: DUI70.dll0.4.dr Static PE information: section name: .ejt
            Source: DUI70.dll0.4.dr Static PE information: section name: .gzpi
            Source: DUI70.dll0.4.drStatic PE information: section name: .oima
            Source: DUI70.dll0.4.drStatic PE information: section name: .cltwqt
            Source: XmlLite.dll.4.drStatic PE information: section name: .qkm
            Source: XmlLite.dll.4.drStatic PE information: section name: .cvjb
            Source: XmlLite.dll.4.drStatic PE information: section name: .tlmkv
            Source: XmlLite.dll.4.drStatic PE information: section name: .wucsxe
            Source: XmlLite.dll.4.drStatic PE information: section name: .fltwtj
            Source: XmlLite.dll.4.drStatic PE information: section name: .sfplio
            Source: XmlLite.dll.4.drStatic PE information: section name: .rpg
            Source: XmlLite.dll.4.drStatic PE information: section name: .bewzc
            Source: XmlLite.dll.4.drStatic PE information: section name: .vksvaw
            Source: XmlLite.dll.4.drStatic PE information: section name: .wmhg
            Source: XmlLite.dll.4.drStatic PE information: section name: .kswemc
            Source: XmlLite.dll.4.drStatic PE information: section name: .kaxfk
            Source: XmlLite.dll.4.drStatic PE information: section name: .pjf
            Source: XmlLite.dll.4.drStatic PE information: section name: .favk
            Source: XmlLite.dll.4.drStatic PE information: section name: .vhtukj
            Source: XmlLite.dll.4.drStatic PE information: section name: .hmbyox
            Source: XmlLite.dll.4.drStatic PE information: section name: .txms
            Source: XmlLite.dll.4.drStatic PE information: section name: .vqqm
            Source: XmlLite.dll.4.drStatic PE information: section name: .cbwb
            Source: XmlLite.dll.4.drStatic PE information: section name: .cti
            Source: XmlLite.dll.4.drStatic PE information: section name: .ktfjac
            Source: XmlLite.dll.4.drStatic PE information: section name: .hvmici
            Source: XmlLite.dll.4.drStatic PE information: section name: .bvyyd
            Source: XmlLite.dll.4.drStatic PE information: section name: .qhjn
            Source: XmlLite.dll.4.drStatic PE information: section name: .bsvkca
            Source: XmlLite.dll.4.drStatic PE information: section name: .nvpgx
            Source: XmlLite.dll.4.drStatic PE information: section name: .yaa
            Source: XmlLite.dll.4.drStatic PE information: section name: .qsimby
            Source: XmlLite.dll.4.drStatic PE information: section name: .dibg
            Source: XmlLite.dll.4.drStatic PE information: section name: .odxfk
            Source: XmlLite.dll.4.drStatic PE information: section name: .zczpdd
            Source: XmlLite.dll.4.drStatic PE information: section name: .iceycz
            Source: XmlLite.dll.4.drStatic PE information: section name: .lwp
            Source: XmlLite.dll.4.drStatic PE information: section name: .ejt
            Source: XmlLite.dll.4.drStatic PE information: section name: .gzpi
            Source: XmlLite.dll.4.drStatic PE information: section name: .oima
            Source: XmlLite.dll.4.drStatic PE information: section name: .yhjpr
            Source: MFC42u.dll.4.drStatic PE information: section name: .qkm
            Source: MFC42u.dll.4.drStatic PE information: section name: .cvjb
            Source: MFC42u.dll.4.drStatic PE information: section name: .tlmkv
            Source: MFC42u.dll.4.drStatic PE information: section name: .wucsxe
            Source: MFC42u.dll.4.drStatic PE information: section name: .fltwtj
            Source: MFC42u.dll.4.drStatic PE information: section name: .sfplio
            Source: MFC42u.dll.4.drStatic PE information: section name: .rpg
            Source: MFC42u.dll.4.drStatic PE information: section name: .bewzc
            Source: MFC42u.dll.4.drStatic PE information: section name: .vksvaw
            Source: MFC42u.dll.4.drStatic PE information: section name: .wmhg
            Source: MFC42u.dll.4.drStatic PE information: section name: .kswemc
            Source: MFC42u.dll.4.drStatic PE information: section name: .kaxfk
            Source: MFC42u.dll.4.drStatic PE information: section name: .pjf
            Source: MFC42u.dll.4.drStatic PE information: section name: .favk
            Source: MFC42u.dll.4.drStatic PE information: section name: .vhtukj
            Source: MFC42u.dll.4.drStatic PE information: section name: .hmbyox
            Source: MFC42u.dll.4.drStatic PE information: section name: .txms
            Source: MFC42u.dll.4.drStatic PE information: section name: .vqqm
            Source: MFC42u.dll.4.drStatic PE information: section name: .cbwb
            Source: MFC42u.dll.4.drStatic PE information: section name: .cti
            Source: MFC42u.dll.4.drStatic PE information: section name: .ktfjac
            Source: MFC42u.dll.4.drStatic PE information: section name: .hvmici
            Source: MFC42u.dll.4.drStatic PE information: section name: .bvyyd
            Source: MFC42u.dll.4.drStatic PE information: section name: .qhjn
            Source: MFC42u.dll.4.drStatic PE information: section name: .bsvkca
            Source: MFC42u.dll.4.drStatic PE information: section name: .nvpgx
            Source: MFC42u.dll.4.drStatic PE information: section name: .yaa
            Source: MFC42u.dll.4.drStatic PE information: section name: .qsimby
            Source: MFC42u.dll.4.drStatic PE information: section name: .dibg
            Source: MFC42u.dll.4.drStatic PE information: section name: .odxfk
            Source: MFC42u.dll.4.drStatic PE information: section name: .zczpdd
            Source: MFC42u.dll.4.drStatic PE information: section name: .iceycz
            Source: MFC42u.dll.4.drStatic PE information: section name: .lwp
            Source: MFC42u.dll.4.drStatic PE information: section name: .ejt
            Source: MFC42u.dll.4.drStatic PE information: section name: .gzpi
            Source: MFC42u.dll.4.drStatic PE information: section name: .oima
            Source: MFC42u.dll.4.drStatic PE information: section name: .hpnemo
            Source: VERSION.dll.4.drStatic PE information: section name: .qkm
            Source: VERSION.dll.4.drStatic PE information: section name: .cvjb
            Source: VERSION.dll.4.drStatic PE information: section name: .tlmkv
            Source: VERSION.dll.4.drStatic PE information: section name: .wucsxe
            Source: VERSION.dll.4.drStatic PE information: section name: .fltwtj
            Source: VERSION.dll.4.drStatic PE information: section name: .sfplio
            Source: VERSION.dll.4.drStatic PE information: section name: .rpg
            Source: VERSION.dll.4.drStatic PE information: section name: .bewzc
            Source: VERSION.dll.4.drStatic PE information: section name: .vksvaw
            Source: VERSION.dll.4.drStatic PE information: section name: .wmhg
            Source: VERSION.dll.4.drStatic PE information: section name: .kswemc
            Source: VERSION.dll.4.drStatic PE information: section name: .kaxfk
            Source: VERSION.dll.4.drStatic PE information: section name: .pjf
            Source: VERSION.dll.4.drStatic PE information: section name: .favk
            Source: VERSION.dll.4.drStatic PE information: section name: .vhtukj
            Source: VERSION.dll.4.drStatic PE information: section name: .hmbyox
            Source: VERSION.dll.4.drStatic PE information: section name: .txms
            Source: VERSION.dll.4.drStatic PE information: section name: .vqqm
            Source: VERSION.dll.4.drStatic PE information: section name: .cbwb
            Source: VERSION.dll.4.drStatic PE information: section name: .cti
            Source: VERSION.dll.4.drStatic PE information: section name: .ktfjac
            Source: VERSION.dll.4.drStatic PE information: section name: .hvmici
            Source: VERSION.dll.4.drStatic PE information: section name: .bvyyd
            Source: VERSION.dll.4.drStatic PE information: section name: .qhjn
            Source: VERSION.dll.4.drStatic PE information: section name: .bsvkca
            Source: VERSION.dll.4.drStatic PE information: section name: .nvpgx
            Source: VERSION.dll.4.drStatic PE information: section name: .yaa
            Source: VERSION.dll.4.drStatic PE information: section name: .qsimby
            Source: VERSION.dll.4.drStatic PE information: section name: .dibg
            Source: VERSION.dll.4.drStatic PE information: section name: .odxfk
            Source: VERSION.dll.4.drStatic PE information: section name: .zczpdd
            Source: VERSION.dll.4.drStatic PE information: section name: .iceycz
            Source: VERSION.dll.4.drStatic PE information: section name: .lwp
            Source: VERSION.dll.4.drStatic PE information: section name: .ejt
            Source: VERSION.dll.4.drStatic PE information: section name: .gzpi
            Source: VERSION.dll.4.drStatic PE information: section name: .oima
            Source: VERSION.dll.4.drStatic PE information: section name: .wgfpbw
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .qkm
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .cvjb
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .tlmkv
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .wucsxe
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .fltwtj
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .sfplio
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .rpg
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .bewzc
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .vksvaw
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .wmhg
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .kswemc
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .kaxfk
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .pjf
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .favk
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .vhtukj
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .hmbyox
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .txms
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .vqqm
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .cbwb
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .cti
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .ktfjac
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .hvmici
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .bvyyd
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .qhjn
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .bsvkca
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .nvpgx
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .yaa
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .qsimby
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .dibg
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .odxfk
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .zczpdd
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .iceycz
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .lwp
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .ejt
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .gzpi
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .oima
            Source: ACTIVEDS.dll.4.drStatic PE information: section name: .ajokiy
            Source: SppExtComObj.Exe.4.dr Static PE information: section name: ?g_Encry
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C84858 LoadLibraryW,GetProcAddress,FreeLibrary,34_2_00007FF7D5C84858
            Source: ACTIVEDS.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2158d9
            Source: WTSAPI32.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20a536
            Source: DUI70.dll0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x256371
            Source: UxTheme.dll0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x207aff
            Source: wer.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2121a1
            Source: XmlLite.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20c257
            Source: VERSION.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21343c
            Source: DUI70.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x256c7c
            Source: WINMM.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2111d5
            Source: X5C9EzCB7A.dll Static PE information: real checksum: 0x7d786c40 should be: 0x207a12
            Source: dpx.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20f2f8
            Source: UxTheme.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20c755
            Source: MFC42u.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21abc9
            Source: wermgr.exe.4.dr Static PE information: 0xA7D9A170 [Fri Mar 28 06:15:12 2059 UTC]
            Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample Static PE information: section name: .text entropy: 7.59477523886

            Persistence and Installation Behavior:

            Windows Update Standalone Installer command line found (may be used to bypass UAC)
            Source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp Memory string: DWS;zWusaHiddenFailed to allocate and initialize Administrators group SID.WusaIsUserAdminFailed to check token membership.Failed to get message text for id %uWusaLoadMessageWusaMessageBoxFailed: TaskDialog()Failed to get message for error 0x%xWusaGetErrorMessageWusaCreateLockFileFailed to allocate memory for lock file path.Failed to create lock file %SFailed: GetFullPathName() failed for %SWusaGetFullPathNameFailed to allocate memory for full path.Failed to create extract job for location: %SWusaExtractAllFilesFromCabinetFailed to add container for cabinet: %SFailed: ExtractAllFiles()Failed to extract files from cabinet %SFailed: LookupPrivilegeValue()EnablePrivilegeFailed: OpenProcessToken()Failed: AdjustTokenPrivileges()Failed: AdjustTokenPrivileges(); not all token privileges were assignedFailed: GetTokenInformation()WusaGetUserSIDFailed: CopySid()Failed to PostMessage to progress window, error code %uWusaPostMessagewusa.lockFailed to create eventAppModule::InitFailed to initialize COM securityFailed to initialize critical sectionFailed to show welcome dialogFailed to show non administrator dialogUser is not a member of the Administrators group.Failed to show multiple instance dialogError: Another instance of wusa.exe is running.Failed to create sandboxCreated sandbox %lsFailed: AppModule::SetScanCabPath()Failed to get application title text, id %uFailed to allocate BSTR for application titleFailure returned by InitCommonControlsEx()Failure returned by CreateFont()Failed to get STR_EXPAND_START textFailed to get STR_EXPAND_START_UNINSTALL textFailed to get STR_SEARCH_START textFailed to get STR_COPY_START textFailed to get STR_UNINSTALL_START textFailed to set done event to release shutdown blockAppModule::UninitDeleting sandbox %SAppModule::DeleteSandBoxFailed to delete sandboxCommandLineToArgvW() failed.AppModule::ParseCommandLineError: Too few arguments.Failed to get command line length.Failed to allocate memory for ignored arguments.Failed. Restart mode was supplied multiple times30Failed to parse switchFailed. /warnrestart has invalid formatFailed. /kb was supplied multiple timesFailed. /kb has invalid formatKBFailed to prefix KB numberFailed. /log was supplied multiple timesFailed. /gpmode was supplied multiple timesFailed. /gpmode has invalid formatFailed to allocate memory for product codeFailed to set product code to %lsFailed to add an argument to the ignored list Failed to add a blank space to the ignored argument listUnrecognized argument %SFailed to get MSU file nameFailed to get MSU file name or KB numberFailed: /uninstall with /kb and /quiet options is not supportedFailed to show /extract not supported message boxFailed: /extract is not a supported optionCommand line is %lsFailed to get source lengthAppModule::CopyStringWithQuoteFailed to allocate temp buffer"%s"Failed to copy stringFailure returned by SystemParametersInfo()AppModule::CreateFontWFailure returned by CreateFontIndirectW()Failure returned by DeleteObject()Failure r
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\0Nty\recdisc.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ySbBY3WaF\UxTheme.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2vl\DUI70.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\9Krbbc\SppExtComObj.Exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ySbBY3WaF\SndVol.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\T6Vn91tw0\slui.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\gxzS7\credui.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\B8nn\XmlLite.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Nom\mblctr.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SB1jY1h\AtBroker.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\8FwY\dpx.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\h1G\ACTIVEDS.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\8FwY\wusa.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Bun\MFC42u.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\LnjKLu\DUI70.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\O8JNmHZW\VERSION.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\O8JNmHZW\cmstp.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kkXbTNX3S\wscript.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Mnd\wextract.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\QEkvVts\WFS.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\h1G\AgentService.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\gxzS7\perfmon.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iU8z5\wermgr.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\QEkvVts\WINMM.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Mnd\VERSION.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\0Nty\ReAgent.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kOjpxXR\dwmapi.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kOjpxXR\SnippingTool.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Nom\WTSAPI32.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\byYs\DUI70.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\B8nn\Dxpserver.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Bun\DevicePairingWizard.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kkXbTNX3S\VERSION.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iU8z5\wer.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\byYs\wlrmdr.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\LnjKLu\ProximityUxHost.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\M5A\wer.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\M5A\wermgr.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2vl\LicensingUI.exe
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C74CD4 FindWindowW,#2906,SetForegroundWindow,SendMessageW,GetCommandLineW,memset,IsWindowVisible,#4124,GetLastError,SetForegroundWindow,SendMessageW,#6610,GetLastError,#6632,IsWindowVisible,PostMessageW,GetLastActivePopup,#2906,IsIconic,#6632,SetForegroundWindow,PostMessageW,PostMessageW,PostMessageW,34_2_00007FF7D5C74CD4
            Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll64.exe TID: 5420Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\0Nty\recdisc.exeJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\2vl\DUI70.dllJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\9Krbbc\SppExtComObj.ExeJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\T6Vn91tw0\slui.exeJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\ySbBY3WaF\SndVol.exeJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\B8nn\XmlLite.dllJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Nom\mblctr.exeJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\SB1jY1h\AtBroker.exeJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\h1G\ACTIVEDS.dllJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\LnjKLu\DUI70.dllJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dllJump to dropped file
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\O8JNmHZW\VERSION.dll
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\O8JNmHZW\cmstp.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Mnd\wextract.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\kkXbTNX3S\wscript.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\h1G\AgentService.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\gxzS7\perfmon.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Mnd\VERSION.dll
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\0Nty\ReAgent.dll
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\kOjpxXR\dwmapi.dll
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\kOjpxXR\SnippingTool.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\B8nn\Dxpserver.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\byYs\DUI70.dll
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Bun\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\kkXbTNX3S\VERSION.dll
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\byYs\wlrmdr.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\LnjKLu\ProximityUxHost.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\2vl\LicensingUI.exe
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740977BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF740977CE0h
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005C340 GetSystemInfo
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740981BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF74097BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C871B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CA30D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C7F0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CB89BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C85B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F1BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F8D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree
Source: explorer.exe, 00000004.00000000.273225971.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.273225971.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.257633536.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.257633536.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000000.265986163.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.297757063.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.257633536.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.297757063.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.268458783.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000004.00000000.298268024.0000000008C73000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF7409749DC GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C84858 LoadLibraryW,GetProcAddress,FreeLibrary
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740976BC0 WaitForSingleObjectEx,GetLastError,ReleaseMutex,SetLastError,GetProcessHeap,HeapFree,ReleaseMutex
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740983140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740982B00 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CD48F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CD4CF0 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE206AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE206830 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe | File created: wer.dll.4.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\loaddll64.exe | Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write
Source: C:\Windows\System32\loaddll64.exe | Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read
Source: C:\Windows\System32\loaddll64.exe | Memory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Memory protected: unknown base: 7FFFAE1CEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Memory protected: unknown base: 7FFFAE1CE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe | Memory protected: unknown base: 7FFFAC2B2A20 protect: page execute and read and write
DLL side loading technique detected
Source: C:\Windows\explorer.exe | Section loaded: C:\Windows\System32\wer.dll
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\loaddll64.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\loaddll64.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CBD58C memset,memset,CredUIParseUserNameW,LogonUserW,GetLastError,DuplicateToken,GetLastError,CloseHandle
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF74097AE50 GetFileSecurityW,GetLastError,GetFileSecurityW,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetFileSecurityW,GetLastError,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,LocalFree,CloseHandle
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740981750 AllocateAndInitializeSid,CheckTokenMembership,RegOpenKeyExW,RegCloseKey,FreeSid
Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.263442469.0000000000EB8000.00000004.00000020.sdmp | Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.297757063.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndAj
Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation (2 occurrences)
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation (30 occurrences)
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Queries volume information: unknown VolumeInformation (2 occurrences)
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Queries volume information: unknown VolumeInformation (2 occurrences)
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Queries volume information: unknown VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CA5814 #1568,GetLocaleInfoW,GetLastError,#1471,PostMessageW,#1567,#626,#2846
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C7E120 GetLocaleInfoEx
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C7DA70 GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx,free
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C84934 #2846,GetNumberFormatW,GetLastError,GetLocaleInfoW,GetLastError,wcsstr,memset,#2846
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740977BC4 GetSystemTimeAsFileTime,RegSetValueExW,GetLastError,RegCloseKey
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C748FC GetVersion,#1441,LoadIconW,GetLastError,#1471,PostMessageW,ShellAboutW,#1471,#337,#626,memset,memset,#1471,PostMessageW,#1471,#1443,#2517,#1040,#852

Mitre Att&ck Matrix

The matrix is given row by row, cells separated by " | ". The number in parentheses after a technique is the count shown against it in the report; cells without a number are matrix entries with no matching signature. Later rows have fewer cells because the shorter columns end.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts (2) | Command and Scripting Interpreter (12) | Valid Accounts (2) | Valid Accounts (2) | Masquerading (1) | OS Credential Dumping | System Time Discovery (11) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (1) | Windows Service (1) | Access Token Manipulation (21) | Valid Accounts (2) | LSASS Memory | Security Software Discovery (21) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution (1) | DLL Side-Loading (1) | Windows Service (1) | Virtualization/Sandbox Evasion (1) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection (312) | Access Token Manipulation (21) | NTDS | Process Discovery (3) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | DLL Side-Loading (1) | Process Injection (312) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | System Information Discovery (35) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing (2) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Timestomp (1) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | DLL Side-Loading (1) | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop

            Behavior Graph

Behavior Graph ID: 492086 | Sample: X5C9EzCB7A | Start date: 28/09/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures.

Process tree recovered from the graph (the graph image itself is not reproduced here):

• loaddll64.exe (started); signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
  • rundll32.exe (started); signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes
    • explorer.exe (injected); dropped files: C:\Users\user\AppData\Local\...\SLC.dll (PE32+), C:\Users\user\AppData\Local\...\UxTheme.dll (PE32+), C:\Users\user\AppData\Local\...\WINMM.dll (PE32+), 41 other files (9 malicious); signatures: Benign windows process drops PE files; DLL side loading technique detected
      • wermgr.exe (started)
      • wermgr.exe (started)
      • WFS.exe (started)
      • 3 other processes
  • rundll32.exe (started)
  • cmd.exe (started)
    • rundll32.exe (started)
  • 14 other processes

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
X5C9EzCB7A.dll | 65% | Virustotal |
X5C9EzCB7A.dll | 57% | Metadefender |
X5C9EzCB7A.dll | 76% | ReversingLabs | Win64.Infostealer.Dridex
X5C9EzCB7A.dll | 100% | Avira | HEUR/AGEN.1114452
X5C9EzCB7A.dll | 100% | Joe Sandbox ML |

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\8FwY\dpx.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\0Nty\ReAgent.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\M5A\wer.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\B8nn\XmlLite.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\Mnd\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Mnd\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\QEkvVts\WINMM.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\Nom\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\8FwY\dpx.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\0Nty\ReAgent.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\M5A\wer.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\B8nn\XmlLite.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Mnd\VERSION.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Mnd\VERSION.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\QEkvVts\WINMM.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Nom\WTSAPI32.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\0Nty\recdisc.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\0Nty\recdisc.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\0Nty\recdisc.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\2vl\LicensingUI.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\2vl\LicensingUI.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\2vl\LicensingUI.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe | 0% | ReversingLabs |

            Unpacked PE Files

Source | Detection | Scanner | Label
31.2.wermgr.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
29.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.2.wusa.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
23.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
34.2.WFS.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
32.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
24.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
25.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
28.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000000.268276705.0000000006870000.00000004.00000001.sdmp | false | | high

              Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:492086
              Start date:28.09.2021
              Start time:10:48:48
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 15m 46s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:X5C9EzCB7A (renamed file extension from none to dll)
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winDLL@91/45@0/0
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 45.6% (good quality ratio 43.1%)
              • Quality average: 91.3%
              • Quality standard deviation: 25.6%
              HCA Information:Failed
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              Warnings:
              • Exclude process from analysis (whitelisted): SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information
              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtEnumerateKey calls found.

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\0Nty\ReAgent.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.564329528703889
              Encrypted:false
              SSDEEP:12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:0F2CD68909E4CA4CB2925A2D530E611D
              SHA1:C797BFE2EB15E848B6F88E55873C03656F2399F1
              SHA-256:8E807BDF55D7676C4D761950196962D65D9202DE71C74542CA46C30DF3EA85C8
              SHA-512:0CEF9556A0802A23CEE42E76E2A749A7530E7B72F5F1E64462AEF6B9C5ADA48E02353910A2820CB7A64D72763A16094B0AB73335997BEEA8F77C19691F78073D
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              C:\Users\user\AppData\Local\0Nty\recdisc.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):192512
              Entropy (8bit):6.154101271794163
              Encrypted:false
              SSDEEP:3072:H4SpDkUbgEHxW3BIovAuegPO8evTq2VC:H4/3BdFegEv+2V
              MD5:D2AEFB37C329E455DC2C17D3AA049666
              SHA1:69C5182FDC8A86009113EE721C8F1632F7B3D2DB
              SHA-256:A65F86E8EC62BEB3019E368E506DAB21FF872097EBF3FAEB4A3B23F2A08DFCE9
              SHA-512:DD5D63D79FD9E43560291687E0B41B71D6ECA55F033FE94BAA4FAF4CB967F6480CAC4F5481B3102F0589A65AFA473F5637B1C31C522329A275461F3D8C4353A3
              Malicious:false
              Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              C:\Users\user\AppData\Local\2vl\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2404352
              Entropy (8bit):4.094137841436053
              Encrypted:false
              SSDEEP:12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1T:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:B6247D6791F82E58D5D33122BD0F7C54
              SHA1:CC03732CEC968973E9F1AF26AFBEEB5D0F55FC3F
              SHA-256:7AD71B0114C68798E5B61F406FCEDEA1F12F3BD2C70EDC0C35C35A4EADAF9F7C
              SHA-512:889B7AD402B8A162EC9C277BD08F227AEE9AB566B28721964F38A50D8A1DADA3FC4F99ECF361167586B4269D935BFD6A2A8465FDE6514E95F08528016CE268D9
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              C:\Users\user\AppData\Local\2vl\LicensingUI.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):146776
              Entropy (8bit):6.610587238297347
              Encrypted:false
              SSDEEP:3072:bjUURMlqPDQJX08E16Oa1bwcdnaevk2i2tMZd:39ilq7AxE4OaR1aymv
              MD5:BA2B32F8E3717F4A9CA3D400410E539A
              SHA1:87FFA0CBBE8B528E2263EE7121264011D1F5C5A4
              SHA-256:EC53F4520A49115D6E6CEE8CF896BCCA84E425BFB76E3FA904665F2A2F957BC8
              SHA-512:FC5DA9B26C395CA2191C4FDC0F06F37D75D67404D49C38EF75189ACC0817D02CED290559848C687DD74DD33F62DC36F1AD15A017E4977014CFE83025D22F596A
              Malicious:false
              Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):232960
              Entropy (8bit):5.805361894084464
              Encrypted:false
              SSDEEP:6144:v4J/ihC4Tb5//JfI+QL+ooODUwq306Q/:v4khC4h/qiooT06Q/
              MD5:BEAB16FEFCB7F62BBC135FB87DF7FDF2
              SHA1:EAF18190494496329573CAA3F95CACA6EF0FB6F6
              SHA-256:E3C66F68737611DFD051F1D6EEB371FDE89B129925A85695B9F90CDE3E04BD96
              SHA-512:FF4E756B1D928C97523ADE2B30FAB56219659AA22E7F5D71CB3238A2C39E1C704C6A046C2DC14FA5207CE8E8C75CD7EF5416B36A1452D97D929A5686C75D2C83
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              C:\Users\user\AppData\Local\4DETSU\MFC42u.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2146304
              Entropy (8bit):3.60023617437132
              Encrypted:false
              SSDEEP:12288:mVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1K47:7fP7fWsK5z9A+WGAW+V5SB6Ct4bnbK
              MD5:44E6F4AE82E198545E40858C95CB304A
              SHA1:64799A505F32C595AB858A3F0DA66C69CC9C19DE
              SHA-256:A469E652E33BA0D7E248176ABCB460912B7EF9AFEE0B976D6ADB0BB26601D353
              SHA-512:B042C71C2B6DF38EF60A6371610699A5EBA0CE85CF5E894E82F3F3B352FC4D61E78BD1B3BC0E06768BBAA1CCA8B4A52AD2B2A8B801B6E6054A840509EB9B44B3
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              C:\Users\user\AppData\Local\8FwY\dpx.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5583371704739357
              Encrypted:false
              SSDEEP:12288:sVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:84A402DFBA64739AF98A797BFF68AB60
              SHA1:C5734661A0BA49350157E021989BDB768178E607
              SHA-256:6AC1496F60796CA15B0DBB61A0C2D81D6CD406B4A273BC2E036EE2CC94C7A333
              SHA-512:127438FE3F4D1570234EC12CBA62994CBB5ED94D5519BAE69E9A993E59C58FC91FA6C6F97CA24E2320F94AF0481F039652926E5F0B8276F1B798C8D104BB7D53
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              C:\Users\user\AppData\Local\8FwY\wusa.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):308736
              Entropy (8bit):6.55894801361276
              Encrypted:false
              SSDEEP:6144:TozDd3UafMCFoMVclxM8cVM49UApxyN90vE:ToXd33MCFoqSxM5MmUAy90
              MD5:04CE745559916B99248F266BBF5F9ED9
              SHA1:76FA00103A89C735573D1D8946D8787A839475B6
              SHA-256:1D86701A861FFA88FE050A466E04281A4809C334B16832A84231DC6A5FBC4195
              SHA-512:B4D2EF6B90164E17258F53BCAF954076D02EDB7F496F4F79B2CF7848B90614F6160C8EB008BA5904521DD8B1449840B2D7EE368860E58E01FBEAB9873B654B3A
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5609800893226784
              Encrypted:false
              SSDEEP:12288:XVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:efP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:2A0973FA588371BB4A19B6CC0C7E00ED
              SHA1:B441B28BA295D9223EEB4CCC6660177EEA7FEED7
              SHA-256:C063B7251B7AB553053CFCCE861C04C285D08830127403E2D0C888A48F71453D
              SHA-512:548B9DB967268DD17727AABD4A7A2A739236D4674C76A13D78C0ADAA4F74EBFDE7A0D755A0D2CA3B1559C9EB68EF24C3124363687FF8D33F806E8F3B67DCC5E5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              C:\Users\user\AppData\Local\9Krbbc\SppExtComObj.Exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):577024
              Entropy (8bit):7.365924302927238
              Encrypted:false
              SSDEEP:12288:KEpKNOQ/1mgFgnHF+2ryqfut4iob3vBzx4PQpIQbwhsi:lpKbbFgl+2Oqfuqiob3JUFs
              MD5:809E11DECADAEBE2454EFEDD620C4769
              SHA1:A121B9FC2010247C65CE8975FE4D88F5E9AC953E
              SHA-256:8906D8D8BCD7C8302A3E56EA2EBD0357748ACC9D3FDA91925609C742384B9CC2
              SHA-512:F78F46437C011C102A9BCEC2A8565EDC75500C9448AC17457FF44D3C8DB1980F772C0D1546F1DEE0F8A6F2C7273A5A915860B768DE9BB24EBEFE2907CE18B0DF
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\B8nn\Dxpserver.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):304640
              Entropy (8bit):5.920357039114308
              Encrypted:false
              SSDEEP:6144:SidsFxbUPoT/FPrriCEe+oiXoGJm7JwQ9oWxDEHZwj:xaFxbFDBsBo6maPWxDcwj
              MD5:DCCB1D350193BE0A26CEAFF602DB848E
              SHA1:02673E7070A589B5BF6F217558A06067B388A350
              SHA-256:367CEA47389B6D5211595AE88454D9589AA8C996F5E765904FFEDE434424AF22
              SHA-512:ECD3C32E2BED31FC6328CA4B171B5D2503A2795324667F67FF48A67DF7C8B88760A62C0119A173487B9886E6AF3994025A85E42B064BEA38A466A6848AF65541
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\B8nn\XmlLite.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5589287422510516
              Encrypted:false
              SSDEEP:12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:CF749BC5C2122F394AF6B2AA66EF71CD
              SHA1:0369F942C144F4B33B596FD0EBB58F71B2F6D26B
              SHA-256:14375D79237DA8A731ED43252FBFC4B53EED438945A2097C14FB4160EFAA2D73
              SHA-512:97E95B61EBAE640C6C8752859093671B81C7F49DBCE10035D956EB147A207D4390F767472CFE9CE710B611E63CBE9F484D135496AFE6B34DD4C954118A5B98C6
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              C:\Users\user\AppData\Local\Bun\DevicePairingWizard.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):92160
              Entropy (8bit):5.664138088677901
              Encrypted:false
              SSDEEP:1536:D/BmrFjio5/vzDSPwiEKi3xGyibqZ3qOT3:9mp5SwiEKWZiTo3
              MD5:E23643C785D498FF73B5C9D7EA173C3D
              SHA1:56296F1D29FC2DCBFAA1D991C87B10968C6D3882
              SHA-256:40F423488FC0C13DED29109F8CC1C0D2CCE52ECB1BD01939EF774FE31014E0F4
              SHA-512:22E29A06F19E2DA941A707B8DA7115E0F5962617295CC36395A8E9B2A98F0239B6519B4BF4AB1DC671DEF8CD558E8F59F4E50C63130D392D1E085BBF6B710914
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\Bun\MFC42u.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2146304
              Entropy (8bit):3.5999443255720154
              Encrypted:false
              SSDEEP:12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:B8583BCD3646915D6FA965A033928155
              SHA1:A8A80A042BFB3F23980F78B5695411BE670C1DC0
              SHA-256:13BC74B3E5A8341A886C3C0F444783F611803D73BAA20202F18340FA5E48CA0D
              SHA-512:243E32A0A7FA8278CFD8EB838A8C6BB240043F21CAD1E33D20DA54CF2E3E3A5899BF45A23E6D4A7E1D7F2FADA7016E5F22AE9FE5A2D42651BD243C5EA16A68AB
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\LnjKLu\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2404352
              Entropy (8bit):4.094232719670622
              Encrypted:false
              SSDEEP:12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1bT:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:BA00B1255006B5B8A6F65DC6D2A59DAE
              SHA1:8CEC4C49EDF68431C794817D93C0FFCE933B4E2B
              SHA-256:095A00A6D3B5FDF367B389858F6F7CE9ED2483D26B878681DEEE96CE6F9EB1E6
              SHA-512:051D058BCBF12614CB08E393FEB4E938AC21A7EA4098157394BB962E4DA01EBD1C00DB28F0A51A17F439B5B62A415569B3B417DD1BDED5D702CC141A5E86BB1A
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .......... .....p..........@..............................$.....@lx}..b..........................................P .dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\LnjKLu\ProximityUxHost.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):264480
              Entropy (8bit):6.478365286411354
              Encrypted:false
              SSDEEP:6144:xSt+s2GFGbqEuzhJONjx9UVuCuHpwqr/vt9r+ULJBaBpcIFz:xStzFGbGhoPgMHpwqrHthUB6IF
              MD5:E7F0E9B3779E54CD271959C600A2A531
              SHA1:8006E2D1AA91798E48D8BFDE1EBF94A2D6BA6C0A
              SHA-256:155CE33E0E145314FE9D8911BE69B8CBBD2AC09B7B6D98363F9BAA277C71954E
              SHA-512:E10C3FD9C5F34260323CEC9E8EEDF2290F40254F0FFDCA582DB57D113B32871793CDFFF03D55941EF5E79FA8141803AB353BA4938357A4555233F2D090045338
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........B..B..B..K.`.&..-..A..-...U..-...K..-..U..B..t..-...]..-...C..-..C..RichB..........PE..d...;.*Q.........."............................@............................. ......&................ ..................................................H.......T....... +..........Pa..T...................p3..(...p2...............3...............................text............................... ..`.imrsiv..................................rdata....... ......................@..@.data...x...........................@....pdata..T...........................@..@.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\M5A\wer.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2125824
              Entropy (8bit):3.5693057153343792
              Encrypted:false
              SSDEEP:12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:5F5B4F0BE7EDE9E5A344DF47CE0CDB88
              SHA1:25DA7FA0704227C2CA6F0F54EF5C73DF862198B2
              SHA-256:B582E1DF3773DD2B0345F7CFD286B8F8B18975849320C1EE87D827AB590CAA82
              SHA-512:7DB53F0BAE6E8E5F1499512097A6CBED579B98973A555AC5C590E720CA30FA241D7EC63FFDF565B5B8000127172EF21B110DCEEF3FFF7FDA3DB977C4ABF26F68
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................P .W....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\M5A\wermgr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):209312
              Entropy (8bit):6.796289498157116
              Encrypted:false
              SSDEEP:6144:swTMBboFMSuc/9NPXWPJROo/wVJyB60OHyLC7vs:swTMB02SD/mXO64c2Hyw
              MD5:FF214585BF10206E21EA8EBA202FACFD
              SHA1:1ED4AE92D235497F62610078D51105C4634AFADE
              SHA-256:C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538
              SHA-512:24073F60B886C58F227769B2DD7D1439DF841784E43E753265DA761801FDA58FBEEDAC4A642E0A6ABDA40A6263153FAA1A9540DF6D35E38BF0EE5327EA55B4FE
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(j.jI..jI..jI..c1...I...-..iI...-..qI..jI...H...-..mI...-..`I...-..KI...-..kI...-..kI..RichjI..................PE..d...p............"......,..........`(.........@.............................p.......................`......................................... .... ..0:...............!...`..\...@...T...........................`Q..............`R.. ...t........................text...++.......,.................. ..`.imrsiv......@...........................rdata.......P.......0..............@..@.data...X...........................@....pdata..............................@..@.didat..@...........................@....rsrc...0:... ...<..................@..@.reloc..\....`......................@..B................................................................................................................................................................................
              C:\Users\user\AppData\Local\Mnd\VERSION.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.559794578495645
              Encrypted:false
              SSDEEP:12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:1AE7DB0FD99F869562057B3685B4419F
              SHA1:B403937ABF171D7B76725FBDC003872D45C67502
              SHA-256:4FC37EF78A0B1F816556CF10A9942939832F72EF321F24B6BAF0152EDEB45D48
              SHA-512:55EFF618F7B54BEB965B7BFCC615351D00D9988504E9166E371EC9FDA7F4D9A9B305D2CC01EA2E9D4D70888403AF1AD5833DDB9DEA31DF8B5A6AD97E5032DCD6
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\Mnd\wextract.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):143872
              Entropy (8bit):6.942627183104786
              Encrypted:false
              SSDEEP:3072:0BuGag041hcWp1icKAArDZz4N9GhbkUNEk95l:5hudp0yN90vE
              MD5:ED93B350C8EEFC442758A00BC3EEDE2D
              SHA1:ADD14417939801C555BBBFFAF7388BD13DE2DE42
              SHA-256:ABD6D466E30626636D380A3C9FCC0D0B909C450F8EA74D8963881D7C46335CED
              SHA-512:7BA8D1411D9AEE3447494E248005A43F522CA684839FCD4C4592946B12DC4E73B1FF86D8E843B25A73E3F2463955815470304E4F219B36DBC94870BEBF700581
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............`.......`.......`.......`..........,....`.......`0......`......Rich............................PE..d...._.{.........."......r...........w.........@.....................................R....`.......... .......................................................................... .......T............................................... ............................text....q.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............0..............@..B................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Nom\WTSAPI32.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5662350439042503
              Encrypted:false
              SSDEEP:12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:6AABBD46074D1F4BA508D5F48258EEEF
              SHA1:0D326013154DD896F67F2808340896E6B886DEE6
              SHA-256:CFD9A093AB4005696F5B11CD2599CED5A3DBC69F30E704BD5136B4B500FD140F
              SHA-512:0B975F80B2D713F97E5344B8702F888F97511967C93C9487E286A40B228AD0DF293094E0E2CB5D5FB1E7D5223BF15F919D86B6D689CFFF52B25646CCAA9EC629
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\Nom\mblctr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):799744
              Entropy (8bit):6.62164167843942
              Encrypted:false
              SSDEEP:12288:y9Pyqz1mcI6upViTf8+RrhGi51qviizQBODAKylkm5ZUxXrc5Zh5ZG5Ze:yHz1m9dpVQRhL5kRzAKcjY8poA
              MD5:0CE1C2D873D151A19FB993139D19E68B
              SHA1:269BDAE3FBF1BE67FCC779720EF5C647AF98DC16
              SHA-256:DCDE80BC80BAD4FCEA64567B14C23595C407705E94EC2D1D39C8944039292904
              SHA-512:93D0ACC3C24D8E9388B7428320F4D16624E276B912914AF3D0ECBEC720491E546A619D000DF41C53DBB37F84B4CB1DF11C291908B05086BB49916E7F2BF90891
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;.4.Zag.Zag.Zag.".g.Zag.>bf.Zag.>ef.Zag.>df.Zag.>`f.Zag.Z`g.[ag.>hf.Zag.>.g.Zag.>cf.ZagRich.Zag........................PE..d....7>.........."..........t.................@....................................%o....`.......... .......................................S..p............................p...... 0..T............................................................................text...Q........................... ..`.rdata..>...........................@..@.data................l..............@....pdata...............x..............@..@.rsrc...............................@..@.reloc.......p.......0..............@..B........................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\O8JNmHZW\VERSION.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.55979090810396
              Encrypted:false
              SSDEEP:12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:17E3E019DB12FE19F8993A2A664B0AF1
              SHA1:8436E71B27FF8EAF67D07D4F9BECB8175253F604
              SHA-256:54F90A3391C70E1C1D51E347C3BBFFD8146814C3B9098DCE738680F1CFFFB1CD
              SHA-512:D86F9AC95D1326CED1F9C43F5008BB121A52515C8BB503181634CDA3A961DDE3103CCA5FC78BB7C8561DF18F5C3CAEE3D13152E87DD673E8FCC8A0EAC7F6741A
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\O8JNmHZW\cmstp.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):92672
              Entropy (8bit):5.749238064237604
              Encrypted:false
              SSDEEP:1536:7oIXq0f2yF9sDb/RjxgnvkmVUqAVnKUMjbWg+I/87BM/Z4j8Qi1Yv9V:0Izw/RooolWIk7BM/ZNQi1EV
              MD5:2A9828E0C405422D166E0141054A04B3
              SHA1:84AA48946D4F9A9DFE4C1AF6F96C44B643229A73
              SHA-256:94152FB98573FE31C0CE49D260D760DD173741D663414DE718A37AAC7E8EF11F
              SHA-512:B9B0472706C11D3AECDAB055D4CF319EDD50E8C97B7099D1DC7B768812E804975392E327A1E62301077AB92C1CA97E706628B07172892AB09753FBDD9A07277D
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l....X...X...X...Y...X...Y...X...Y...X...Y...X...XQ..X...Y...X...X...X...Y...XRich...X................PE..d....mg..........."............................@..........................................`.......... .......................................M...............p..................X....B..T...............................................H............................text............................... ..`.rdata.."l.......n..................@..@.data........`.......R..............@....pdata.......p.......T..............@..@.rsrc................Z..............@..@.reloc..X............h..............@..B........................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\QEkvVts\WFS.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):930304
              Entropy (8bit):5.99262413442194
              Encrypted:false
              SSDEEP:12288:YVpcWBIX7oU/HEx5a/DTROFJTl7XjY5uUMUd1vLf1k+xt4vFe:spnBUoR5AfREllTjY5umjz1ivFe
              MD5:CD6ACF3B997099B6CFB2417D3942F755
              SHA1:7376A8000CB7B5CE0F5DA783BAF9F9C2C36F1670
              SHA-256:B699695F47AA8E8B70A21267BA1648B59B33BD677E29D334BC73EBB1A4B81F3E
              SHA-512:F301F0D87CB5FFFFB88AB0B86035DA7705DED1121107D2FDF7A9132F8DFBDEFFAFBE452E3BC7ACEAD1A0E368815127942B2E642B214EA83D90E97B015C766DE0
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......OR...3.,.3.,.3.,dW.-.3.,dW.-.3.,dW.-.3.,dW.-$3.,.3.,o7.,dW.-q3.,dW.,.3.,dW.-.3.,Rich.3.,................PE..d...d.D..........."..................F.........@..........................................`.......... .......................................`.......0...%......@A...........`..D ..`@..T....................Y..(... ................Y..8... W.......................text...2........................... ..`.rdata..............................@..@.data..../....... ..................@....pdata..@A.......B..................@..@.didat....... ......................@....rsrc....%...0...&..................@..@.reloc..D ...`..."..................@..B................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\QEkvVts\WINMM.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2125824
              Entropy (8bit):3.568769494855891
              Encrypted:false
              SSDEEP:12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:852F5FE3F15F82DBD91A3A5FFE27C781
              SHA1:E6E7BE15DE046D247F7FCBAF62825E9DD0E93390
              SHA-256:85AAB65BC8DC5D02ACF566A14555F5544EE15550506660CCD240DA786AAB04F3
              SHA-512:C69C2777FDC4E94F549D0E686B77A1D6F9F18664E6ED8A58D478D7299CF88A99A831D2209F054A4555F84CBAF6E796656F3C04AD26650E3862DCB64AEABF0C70
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................P .h....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\SB1jY1h\AtBroker.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):62976
              Entropy (8bit):5.750635515620841
              Encrypted:false
              SSDEEP:768:LqMH7HUyeCtu1URDrYxfxyLzkd0S2B3ZEI1yfdc9X1vV09SOI9HiEiOpF1QtNcEd:L3RtZkNxCk61BW6901I9HDF1QH8ST
              MD5:E2C775244B3951A401A9083DD742029A
              SHA1:B4DC87649038B7A4E86B5D6AEBAAD975ECE2F477
              SHA-256:80CC3FB17D8CBB4A68F27C607A8D1C0208CEE892F6D2A2E222E18B23D4E0FC76
              SHA-512:CCFABD50BF7F1F9D2DBF3D0F7FFC5A9C862F623472F9AE51A2F4EDB88EF06BCE23731A925405ACF5BF4BB466EA862413EA01B23177C710CA5FE97EA97E6B832C
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5`..q.b.q.b.q.b..ea.r.b..ef.d.b..eg.y.b..ec.b.b.q.c...b..ek.~.b..e..p.b..e`.p.b.Richq.b.........PE..d...=..~.........."..........d.................@.............................@............`.......... ............................................... ..8....................0......p...T...........................p...............p...@............................text.............................. ..`.rdata..8B.......D..................@..@.data...............................@....pdata..............................@..@.rsrc...8.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5684926622805717
              Encrypted:false
              SSDEEP:12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:158C1DF1885FC864E485F6ACE03E43AA
              SHA1:874621AD6CC12CA767A8693033BBEA1EEDEE25C1
              SHA-256:0CDC4C9C52D67E9FAB9EBDC2C39F0D1D1D1042776B2CAA9C5AF3833817526427
              SHA-512:CF090C69481BF910DF5EF588B6AE59BB75479083EFD37113EFFCAEEB5E4576390E04F2C5D758599090C7A51C7FF87DCDE40B7FDFC97B83486F8DDCACA53FC9F9
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5626898520741004
              Encrypted:false
              SSDEEP:12288:IVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1l1:dfP7fWsK5z9A+WGAW+V5SB6Ct4bnbl1
              MD5:9B62B394C76C05624097101E4F503CF9
              SHA1:82B5529C75A10E3DFF42DB4B241071ACECDCB071
              SHA-256:D606489B4DD836A90E668FB799E13EC617BA7F12CE5EED969E6B887AF1551B47
              SHA-512:231E2B9A2C9CD9EE4C8BEA451214745CD050D0FBA355254BBFBDC1700C18BE156A09EDD9A55353F9F861DD1F960F295E17170CCA07112D7396940D03638B762E
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .3....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\T6Vn91tw0\slui.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):445952
              Entropy (8bit):6.661655128700218
              Encrypted:false
              SSDEEP:6144:q++gR8ZWU7WZ1rpvJw1DouE71kL3qY/W5R02qO7VKCyWQp:MgzKWZ1VJwEmDq3nyR
              MD5:96A8EF9387619D17BB30B024DDF52BF3
              SHA1:02DFA07143911500925C6298864477296F414AB0
              SHA-256:ECC41BB93E0E1EA63A1027D551BA0FCE503E53EF1BA2E70944FD7E7C7C9A9B8A
              SHA-512:01701BCFB3D3F09DF86CAF75ED76DC82A4B1480A284AB68FB4B7E4941466DB1ED23187B4D2E51B63C7526123EB4647FB5D155F31832E9ED7F4DBADF78F1F94EA
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*...n.rMn.rMn.rMg..Mr.rM..qLm.rM..vLx.rM..wLj.rM..sL{.rMn.sM..rM..|Lv.rM...Mo.rM..pLo.rMRichn.rM........................PE..d...O.h{.........."..........0.................@............................. ............`.......... .......................................-...............`..........................T.......................(....................................................text...&........................... ..`.rdata..............................@..@.data........P.......*..............@....pdata.......`.......0..............@..@.rsrc................J..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\byYs\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2404352
              Entropy (8bit):4.0941855774712055
              Encrypted:false
              SSDEEP:12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ19Z:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:27B08379E48FF2EA436796B3BA872FB3
              SHA1:7F0271B8E7D0C7004998024591713132F9C7F449
              SHA-256:0A5AC48F07DD100A1BF602A1D8B0FD6ED3B31315BCD6CED03FA7A9A8B55C5551
              SHA-512:41D34A6B0BD2F36365D0C71D5E8D35C83AA55F3C3D82EACE7C2898CC69665C13AE998FD72BACFC8747D1309B4B10DE90323D084D38ED4C64AB511C3797BB8ABE
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .......... .....p..........@..............................$.....@lx}..b..........................................P .dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\byYs\wlrmdr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):65704
              Entropy (8bit):5.834154867756865
              Encrypted:false
              SSDEEP:1536:B14+6gGQ7ubZiQ+KytHIyObsvqr9PxDt8PcPs:QgGIu1iFtHJLu9ZDt8kU
              MD5:4849E997AF1274DD145672A2F9BC0827
              SHA1:D24E9C6079A20D1AED8C1C409C3FC8E1C63628F3
              SHA-256:B43FC043A61BDBCF290929666A62959C8AD2C8C121C7A3F36436D61BBD011C9D
              SHA-512:FB9227F0B758496DE1F1D7CEB3B7A5E847C6846ADD360754CFB900358A71422994C4904333AD51852DC169113ACE4FF3349520C816E7EE796E0FBE6106255AEF
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\gxzS7\credui.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5615439297314184
              Encrypted:false
              SSDEEP:12288:xVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:AfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:D8BF7ED579BFB7A50E4A529F70CF3992
              SHA1:AFD198A7352054DF47F147F47ED0CC2F136284FD
              SHA-256:CC7BF835073F601CE20178DE8B86547E4D481735D22E35AB94FF7A18B24B3262
              SHA-512:8530CFD8BDBC0B1B20EAA392A1977FCC5F3F12E022570287612CA4BE2AE6622B8B236D460EF5420ABF115AEAC237BBFFF7453337DF9E5DDFFAB13085AA83F345
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\gxzS7\perfmon.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):175616
              Entropy (8bit):6.895507339523819
              Encrypted:false
              SSDEEP:3072:uVt2h5auVI9cMHFO+ZyGghtYIo9piswTogiqQKy349:uVMzVIOMHFhyhqIo9s37iTK24
              MD5:BD9ABDEA680B56534CE7627E39270A7C
              SHA1:24FCF3E615F5E7F434244D90AE5C4EB90F7C5EB5
              SHA-256:EB9FF0CDA3E15147BB0FE00984B75C5F7B04644957CCAC135996AC18C1FD3EED
              SHA-512:CEFA87534CB62E705EEE00CE5FA7C73083562A6B97E5D9D0106A3BCB3499A1F7FE997376DB22F73BB4F19DA66E6CE65FE85E2DF1FD06051CC19C006B59082427
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\h1G\ACTIVEDS.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5609838856348315
              Encrypted:false
              SSDEEP:12288:nVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:OfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:B5AADBED0CF9FCBC4DF667183EBCF3CC
              SHA1:BE5445DE7B7CFC449DB9EE4AA01B4EF85EC46F6C
              SHA-256:0EDAE1B408B6ABCDF430CED04BE928D26B007F50BF8AD0DA8D2D95F029682CA4
              SHA-512:9828D153CEC7FF5F61EEF3E480196854170EE8101FEDC14DC63517578601DCCB7C83627F7843A6FC57CA4DEF4D46A43FF899DB3379E43272828F1B3DFBC91704
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\h1G\AgentService.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1189376
              Entropy (8bit):6.169931271903684
              Encrypted:false
              SSDEEP:24576:+pL4Q4y94x7ZWe6b1B5I2M62kM0s1vt2txc/viVO1IORNfLc:uL4Q3S9b6b1UA9MPwOR5c
              MD5:F7E36C20DB953DFF4FDDB817904C0E48
              SHA1:8C6117B5DD68D397FD7C32F4746FB9B353D5DAE5
              SHA-256:2C5EDE0807D8A5EC4B6E0FE0C308B37DBBDE12714FD9ADC4CE3EF4E0A5692207
              SHA-512:32333A33DECD1AF0915FFDC48DA99831DA345010A91630C5245F2548939E33157F6151F596C09D0BEEAC3F15F08F79D4EEF4FAA4158BA023DEDFC4F6F6F56DF8
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\iU8z5\wer.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2125824
              Entropy (8bit):3.5692811602312817
              Encrypted:false
              SSDEEP:12288:1VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:sfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:0F2F06886BBAF597A92F52E906C4CE03
              SHA1:CFDCD31E7AE917F24C94DAFD832E2AABC846AE15
              SHA-256:DBF19D0AF4D465C1C986B3CAD125C54A3204DF84007D1104F583035F8B622B46
              SHA-512:2226AF343434512F1DFA11910678A3E99EC3A0F022D43CD3FE8C4AED85834FBCA8C16F28E547FE7F014056B6F84A16489A84752259AEB3AC7185F3DA44F5E8DB
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\iU8z5\wermgr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):209312
              Entropy (8bit):6.796289498157116
              Encrypted:false
              SSDEEP:6144:swTMBboFMSuc/9NPXWPJROo/wVJyB60OHyLC7vs:swTMB02SD/mXO64c2Hyw
              MD5:FF214585BF10206E21EA8EBA202FACFD
              SHA1:1ED4AE92D235497F62610078D51105C4634AFADE
              SHA-256:C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538
              SHA-512:24073F60B886C58F227769B2DD7D1439DF841784E43E753265DA761801FDA58FBEEDAC4A642E0A6ABDA40A6263153FAA1A9540DF6D35E38BF0EE5327EA55B4FE
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\kOjpxXR\SnippingTool.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):3292160
              Entropy (8bit):4.311007815185121
              Encrypted:false
              SSDEEP:24576:+oNva52v20/OB1b1v+YMTvlcZbbAbn3ItpG:VNtv20/OB1hXulc10L4tp
              MD5:9012F9C6AC7F3F99ECDD37E24C9AC3BB
              SHA1:7B8268C1B847301C0B5372C2A76CCE326C74991E
              SHA-256:4E30A8C88C755944145F2BC6C935EE5107C56832772F2561229E20CEAB1D10D2
              SHA-512:B76D2BE02A22990E224DBC5AED9E5B701EAC52C1376529DE3E90B084CD6860B88D746CD61093E93FC932E12FBAF45B4CA342CC0D9C9DAE4EAFE05921D83A7397
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\kOjpxXR\dwmapi.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.564430230982269
              Encrypted:false
              SSDEEP:12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:1DF68F7322A2C246D8E8E030719ABADD
              SHA1:25A86D132BFC21D4890018962C3578365E8C0757
              SHA-256:AED0A6E8AC8AB86A2EB2888077512E0615DCF2820C45464A227384E7B02A735A
              SHA-512:247971E464A8F5939FC1C9478A8E3F44D6218503E0E4187CC630727C6D7BF546151429EBD627573C5FB39F4F924FDABA1719633EE23B4540B4B42EB4D60CE72F
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\kkXbTNX3S\VERSION.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5597998659110672
              Encrypted:false
              SSDEEP:12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:EA53E60CCD953EACD6E4EC1A093544CF
              SHA1:3DFF3F21F3A31769BB487A8F34207F629CC6F2A9
              SHA-256:6224FA0A9E564D0859E1D6951AAD9B2E5CC0BFA867E10085F9FF669424E54D94
              SHA-512:D8E91C06007B40F244EA5E27692362964056501EA78CDAE2120A0E232716DC4EDA850766218FE6B8DACADBCC3748C11DAB790EC996C99D32279F6D22B71809C9
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\kkXbTNX3S\wscript.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):163840
              Entropy (8bit):5.729539450068024
              Encrypted:false
              SSDEEP:1536:8HSpBlnak9UH8bCAHZ1LQ434syPz7M5hh/kzhwS827HuYHwHugXEYJ6S7775MWUn:aC4HWCp/fM5hvNebgXEYJN73uWUZxtt
              MD5:9A68ADD12EB50DDE7586782C3EB9FF9C
              SHA1:2661E5F3562DD03C0ED21C33E2888E2FD1137D8C
              SHA-256:62A95C926C8513C9F3ACF65A5B33CBB88174555E2759C1B52DD6629F743A59ED
              SHA-512:156CAED6E1BF27B275E4BA0707FB550F1BF347A26361D6D3CAD12C612C327686950B47B6C5487110CF8B35A490FAADC812ADE3777FFF7ED76A528D970914A6E0
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\ySbBY3WaF\SndVol.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):259904
              Entropy (8bit):5.955701055747905
              Encrypted:false
              SSDEEP:3072:UfYIZJbRydnidilSnGvLqeD358rwW39nuyHjVozZcxSHfcBL1ljbEyB7HbIa+:Uf9JonidFnqLV358rNnJqcRcy10/
              MD5:CDD7C7DF2D0859AC3F4088423D11BD08
              SHA1:128789A2EA904F684B5DF2384BA6EEF4EB60FB8E
              SHA-256:D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
              SHA-512:A093BF3C40C880A80164F2CAA87DF76DCD854375C5216D761E60F3770DFA04F4B02EC0CA6313C32413AC99A3EBDC081CF915A7B468EE3CED80F9B1ECF4B49804
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\ySbBY3WaF\UxTheme.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5685074321676984
              Encrypted:false
              SSDEEP:12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:268ECB8D07BC2F31469FF3C825FCAF4C
              SHA1:ECCC90BBF20D68C77BAD0C39E75F6467FE1EC101
              SHA-256:C337124A0D68D9356040E1F5C514934208901DE875459FA463C232F306FB16C2
              SHA-512:8603B6E4DEA1B0C56D9C8A4AA943B0696723063F495DB74E6D4FF8C85FCBFD4D71DE885520523F935391B2AACE4E86FEB2D3BB4CCCA78054EB4B7870D9A40CE0
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
              Process:C:\Windows\explorer.exe
              File Type:data
              Category:dropped
              Size (bytes):4462
              Entropy (8bit):5.480575242471079
              Encrypted:false
              SSDEEP:96:edCYIIR00Oj1NZ7BuyPvYVQx6dCYiLaefYWtGzOY6GzD:eIInC1Nn2JuJQWYzZ6G/
              MD5:D94FDB48B116A14A2F2563F7E1AA8183
              SHA1:44E8DD08F074C105FD001FEFF961C42E4BCDB7F6
              SHA-256:0AC6FF1517064A3976B4B1951CA95A302C7FDE49080C5DB4C8DC278C444DC7B1
              SHA-512:96A4F43372E69D652FC7F776D65EC598B19699923C4E2F12076690104B40CADFAB2CC4FF297E11BA63D4F78FA5A4FB35EE037DC27E538DA75AE75265E95DAE4A
              Malicious:false
              Reputation:unknown

              Static File Info

              General

              File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Entropy (8bit):3.5792852577015357
              TrID:
              • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
              • Win64 Executable (generic) (12005/4) 10.17%
              • Generic Win/DOS Executable (2004/3) 1.70%
              • DOS Executable Generic (2002/1) 1.70%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
              File name:X5C9EzCB7A.dll
              File size:2117632
              MD5:dc4fca98a02c5cc7ee5f565c56915c86
              SHA1:4cecd255d9176fff8d0ca18cd3dabd690ce02fbf
              SHA256:ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b
              SHA512:4954ed3d7ac9fcca73623f1d24a8aaa4ca88727a58a45382e897966311909d0c8d43d709d828e0d3211f6c478ee1ca2bf5970c476c5485a949f5cfbf033e9875
              SSDEEP:12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

              File Icon

              Icon Hash:74f0e4ecccdce0e4

              Static PE Info

              General

              Entrypoint:0x140041070
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x140000000
              Subsystem:windows cui
              Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
              DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:6668be91e2c948b183827f040944057f

              Entrypoint Preview

              Instruction
              dec eax
              xor eax, eax
              dec eax
              add eax, 5Ah
              dec eax
              mov dword ptr [00073D82h], ecx
              dec eax
              lea ecx, dword ptr [FFFFECABh]
              dec eax
              mov dword ptr [00073D7Ch], edx
              dec eax
              add eax, ecx
              dec esp
              mov dword ptr [00073D92h], ecx
              dec esp
              mov dword ptr [00073DA3h], ebp
              dec esp
              mov dword ptr [00073D7Ch], eax
              dec esp
              mov dword ptr [00073D85h], edi
              dec esp
              mov dword ptr [00073D86h], esi
              dec esp
              mov dword ptr [00073D8Fh], esp
              dec eax
              mov ecx, eax
              dec eax
              sub ecx, 5Ah
              dec eax
              mov dword ptr [00073D89h], esi
              dec eax
              test eax, eax
              je 00007FFA40DD635Fh
              dec eax
              mov dword ptr [00073D45h], esp
              dec eax
              mov dword ptr [00073D36h], ebp
              dec eax
              mov dword ptr [00073D7Fh], ebx
              dec eax
              mov dword ptr [00073D70h], edi
              dec eax
              test eax, eax
              je 00007FFA40DD633Eh
              jmp ecx
              dec eax
              add edi, ecx
              dec eax
              mov dword ptr [FFFFEC37h], ecx
              dec eax
              xor ecx, eax
              jmp ecx
              retn 0008h
              ud2
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push ebx
              dec eax
              sub esp, 00000080h
              mov eax, F957B016h
              mov byte ptr [esp+7Fh], 00000037h
              mov edx, dword ptr [esp+78h]
              inc ecx
              mov eax, edx
              inc ecx
              or eax, 5D262B0Ch
              inc esp
              mov dword ptr [esp+78h], eax
              dec eax
              mov dword ptr [eax+eax+00h], 00000000h

              Rich Headers

              Programming Language:
              • [LNK] VS2012 UPD4 build 61030
              • [ASM] VS2013 UPD2 build 30501
              • [ C ] VS2012 UPD2 build 60315
              • [C++] VS2013 UPD4 build 31101
              • [RES] VS2012 UPD3 build 60610
              • [LNK] VS2017 v15.5.4 build 25834
              • [ C ] VS2017 v15.5.4 build 25834
              • [ASM] VS2010 build 30319
              • [EXP] VS2015 UPD1 build 23506
              • [IMP] VS2008 SP1 build 30729
              • [RES] VS2012 UPD4 build 61030
              • [LNK] VS2012 UPD2 build 60315
              • [C++] VS2015 UPD1 build 23506
              • [ C ] VS2013 UPD4 build 31101

              Data Directories

               Name                                 | Virtual Address | Virtual Size | Is in Section
               IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x203010        | 0x1114       | .oima
               IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xa6390         | 0xa0         | .rdata
               IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xc0000         | 0x468        | .rsrc
               IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xc1000         | 0x2324       | .reloc
               IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_IAT            | 0x42000         | 0xc0         | .rdata
               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
               IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x42000 | 0x64fd0 | 0x65000 | False | 0.702390160891 | data | 7.86574512659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .fltwtj | 0x10e000 | 0x1267 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .sfplio | 0x110000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rpg | 0x111000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .bewzc | 0x157000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .vksvaw | 0x159000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .wmhg | 0x15a000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .kswemc | 0x15c000 | 0x36d | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .kaxfk | 0x15d000 | 0x197d | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .pjf | 0x15f000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .favk | 0x160000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .vhtukj | 0x161000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .hmbyox | 0x1a7000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .txms | 0x1a8000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .vqqm | 0x1a9000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .cbwb | 0x1aa000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .cti | 0x1ab000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ktfjac | 0x1ac000 | 0x3ba | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .hvmici | 0x1ad000 | 0xbe9 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .bvyyd | 0x1ae000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .qhjn | 0x1af000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .bsvkca | 0x1b0000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .nvpgx | 0x1b1000 | 0x2a2 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .yaa | 0x1b2000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .qsimby | 0x1b3000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .dibg | 0x1b5000 | 0x451c2 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .odxfk | 0x1fb000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .zczpdd | 0x1fd000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .iceycz | 0x1fe000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .lwp | 0x1ff000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ejt | 0x200000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .gzpi | 0x201000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .oima | 0x203000 | 0x1124 | 0x2000 | False | 0.276733398438 | data | 3.64280372921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_VERSION | 0xc00a0 | 0x370 | data | English | United States
              RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States

              Imports

              DLL | Import
              USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
              SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
              KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
              GDI32.dll | CreateBitmapIndirect, GetPolyFillMode
              CRYPT32.dll | CertGetCTLContextProperty
              ADVAPI32.dll | AddAccessDeniedObjectAce
              SHLWAPI.dll | ChrCmpIW

              Exports

              Name | Ordinal | Address
              AddGadgetMessageHandler | 7 | 0x14000bdcc
              AddLayeredRef | 8 | 0x14003a050
              AdjustClipInsideRef | 9 | 0x1400150cc
              AttachWndProcA | 10 | 0x14001b9a0
              AttachWndProcW | 11 | 0x14002db5c
              AutoTrace | 12 | 0x14002def0
              BeginHideInputPaneAnimation | 13 | 0x140020224
              BeginShowInputPaneAnimation | 14 | 0x140030b24
              BuildAnimation | 15 | 0x140028b2c
              BuildDropTarget | 16 | 0x140018814
              BuildInterpolation | 17 | 0x14000bd0c
              CacheDWriteRenderTarget | 18 | 0x140035b0c
              ChangeCurrentAnimationScenario | 19 | 0x14003c0c0
              ClearPushedOpacitiesFromGadgetTree | 20 | 0x14003c548
              ClearTopmostVisual | 21 | 0x14003cb58
              CreateAction | 22 | 0x14000ce18
              CreateGadget | 23 | 0x14001c7ac
              CustomGadgetHitTestQuery | 24 | 0x1400148c0
              DUserBuildGadget | 25 | 0x14001649c
              DUserCastClass | 26 | 0x14000e8a4
              DUserCastDirect | 27 | 0x1400114e0
              DUserCastHandle | 1 | 0x14000d1e0
              DUserDeleteGadget | 2 | 0x14002600c
              DUserFindClass | 28 | 0x14003c230
              DUserFlushDeferredMessages | 29 | 0x140038828
              DUserFlushMessages | 30 | 0x140036320
              DUserGetAlphaPRID | 31 | 0x140012a78
              DUserGetGutsData | 32 | 0x14003ef0c
              DUserGetRectPRID | 33 | 0x14002a4a0
              DUserGetRotatePRID | 34 | 0x14000f354
              DUserGetScalePRID | 35 | 0x1400113f0
              DUserInstanceOf | 36 | 0x140016060
              DUserPostEvent | 37 | 0x14002d4d8
              DUserPostMethod | 38 | 0x140013604
              DUserRegisterGuts | 39 | 0x140017e6c
              DUserRegisterStub | 40 | 0x1400393f8
              DUserRegisterSuper | 41 | 0x140012424
              DUserSendEvent | 42 | 0x1400341ec
              DUserSendMethod | 43 | 0x140022048
              DUserStopAnimation | 44 | 0x140001d04
              DUserStopPVLAnimation | 45 | 0x14003383c
              DeleteHandle | 46 | 0x14002faf8
              DestroyPendingDCVisuals | 47 | 0x14000a69c
              DetachGadgetVisuals | 48 | 0x1400102b8
              DetachWndProc | 49 | 0x14003c68c
              DisableContainerHwnd | 50 | 0x14001ab64
              DllMain | 51 | 0x140026d1c
              DrawGadgetTree | 52 | 0x140026ca4
              EndInputPaneAnimation | 53 | 0x14003e2bc
              EnsureAnimationsEnabled | 54 | 0x14003328c
              EnsureGadgetTransInitialized | 55 | 0x140041464
              EnumGadgets | 56 | 0x140035a0c
              FindGadgetFromPoint | 57 | 0x14002a254
              FindGadgetMessages | 58 | 0x14002e8cc
              FindGadgetTargetingInfo | 59 | 0x140025ce0
              FindStdColor | 60 | 0x14001760c
              FireGadgetMessages | 61 | 0x140014558
              ForwardGadgetMessage | 62 | 0x14003d298
              FreeGdiDxInteropStagingBuffer | 63 | 0x140014ef0
              GadgetTransCompositionChanged | 64 | 0x140032fbc
              GadgetTransSettingChanged | 65 | 0x140022ff0
              GetActionTimeslice | 66 | 0x140020ec4
              GetCachedDWriteRenderTarget | 67 | 0x1400035a0
              GetDUserModule | 68 | 0x140035e80
              GetDebug | 69 | 0x14003bed8
              GetFinalAnimatingPosition | 70 | 0x140028f84
              GetGadget | 71 | 0x14000f1b4
              GetGadgetAnimation | 72 | 0x140013578
              GetGadgetBitmap | 73 | 0x14003e63c
              GetGadgetBufferInfo | 74 | 0x14002b868
              GetGadgetCenterPoint | 75 | 0x14000d354
              GetGadgetFlags | 76 | 0x140026d18
              GetGadgetFocus | 77 | 0x14003130c
              GetGadgetLayerInfo | 78 | 0x1400123dc
              GetGadgetMessageFilter | 79 | 0x140010c00
              GetGadgetProperty | 80 | 0x140001bb0
              GetGadgetRect | 81 | 0x14002abb0
              GetGadgetRgn | 82 | 0x140007db8
              GetGadgetRootInfo | 83 | 0x140007810
              GetGadgetRotation | 84 | 0x14002a580
              GetGadgetScale | 85 | 0x140026790
              GetGadgetSize | 86 | 0x14003dabc
              GetGadgetStyle | 87 | 0x140038dc8
              GetGadgetTicket | 88 | 0x14000180c
              GetGadgetVisual | 89 | 0x14003f2ac
              GetMessageExA | 90 | 0x14002160c
              GetMessageExW | 91 | 0x14001d044
              GetStdColorBrushF | 3 | 0x14003e094
              GetStdColorBrushI | 92 | 0x14000efa8
              GetStdColorF | 4 | 0x1400096a8
              GetStdColorI | 93 | 0x14003a788
              GetStdColorName | 94 | 0x14002fd6c
              GetStdColorPenF | 5 | 0x1400408c8
              GetStdColorPenI | 95 | 0x140028664
              GetStdPalette | 96 | 0x1400303a8
              InitGadgetComponent | 97 | 0x140013910
              InitGadgets | 98 | 0x1400083b0
              InvalidateGadget | 99 | 0x14001b734
              InvalidateLayeredDescendants | 100 | 0x140007738
              IsGadgetParentChainStyle | 101 | 0x140017ee4
              IsInsideContext | 102 | 0x1400231e8
              IsStartDelete | 103 | 0x140026534
              LookupGadgetTicket | 104 | 0x140039534
              MapGadgetPoints | 105 | 0x140025ff8
              PeekMessageExA | 106 | 0x140023ce0
              PeekMessageExW | 107 | 0x1400063e8
              RegisterGadgetMessage | 108 | 0x14003b26c
              RegisterGadgetMessageString | 109 | 0x14002c864
              RegisterGadgetProperty | 110 | 0x140039a60
              ReleaseDetachedObjects | 111 | 0x14000ba5c
              ReleaseLayeredRef | 112 | 0x140006a50
              ReleaseMouseCapture | 113 | 0x1400238e4
              RemoveClippingImmunityFromVisual | 114 | 0x140027aac
              RemoveGadgetMessageHandler | 115 | 0x14003fa54
              RemoveGadgetProperty | 116 | 0x14003f98c
              ResetDUserDevice | 117 | 0x140007600
              ScheduleGadgetTransitions | 118 | 0x140037634
              SetActionTimeslice | 119 | 0x14003715c
              SetAtlasingHints | 120 | 0x14002a6ec
              SetGadgetBufferInfo | 121 | 0x140020594
              SetGadgetCenterPoint | 122 | 0x1400112a8
              SetGadgetFillF | 123 | 0x14003d270
              SetGadgetFillI | 124 | 0x140022b50
              SetGadgetFlags | 125 | 0x14001aa28
              SetGadgetFocus | 126 | 0x1400412dc
              SetGadgetFocusEx | 127 | 0x14003a8f4
              SetGadgetLayerInfo | 128 | 0x14003469c
              SetGadgetMessageFilter | 129 | 0x14000f13c
              SetGadgetOrder | 130 | 0x140032d64
              SetGadgetParent | 131 | 0x140029294
              SetGadgetProperty | 132 | 0x14001bd70
              SetGadgetRect | 133 | 0x140036d74
              SetGadgetRootInfo | 134 | 0x140038f9c
              SetGadgetRotation | 135 | 0x14000c780
              SetGadgetScale | 136 | 0x140025684
              SetGadgetStyle | 137 | 0x140001b58
              SetHardwareDeviceUsage | 138 | 0x14003250c
              SetMinimumDCompVersion | 139 | 0x1400240e0
              SetRestoreCachedLayeredRefFlag | 140 | 0x140023884
              SetTransitionVisualProperties | 141 | 0x1400365a0
              SetWindowResizeFlag | 142 | 0x1400134cc
              UnregisterGadgetMessage | 143 | 0x14003da10
              UnregisterGadgetMessageString | 144 | 0x14000d0a4
              UnregisterGadgetProperty | 145 | 0x140037bbc
              UtilBuildFont | 146 | 0x140035e44
              UtilDrawBlendRect | 147 | 0x14000a4a4
              UtilDrawOutlineRect | 6 | 0x14001870c
              UtilGetColor | 148 | 0x140032964
              UtilSetBackground | 149 | 0x140018510
              WaitMessageEx | 150 | 0x14000e5d8

              Version Infos

              Description | Data
              LegalCopyright | Microsoft Corporation. All rights reserv
              InternalName | bitsp
              FileVersion | 7.5.7600.16385 (win7_rtm.090713-
              CompanyName | Microsoft Corporati
              ProductName | Microsoft Windows Operating S
              ProductVersion | 6.1.7600
              FileDescription | Background Intellig
              OriginalFilename | kbdy
              Translation | 0x0409 0x04b0

              Possible Origin

              Language of compilation system | Country where language is spoken | Map
              English | United States

              Network Behavior

              Network Port Distribution

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Sep 28, 2021 10:49:57.479717970 CEST | 58562 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:49:57.527818918 CEST | 53 | 58562 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:13.801300049 CEST | 56590 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:13.832154989 CEST | 53 | 56590 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:34.879651070 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:34.899374008 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:46.130552053 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:46.175204992 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:46.840352058 CEST | 51837 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:46.862692118 CEST | 53 | 51837 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:47.462280989 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:47.486260891 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:48.096184015 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:48.152357101 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:48.421366930 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:48.447293997 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:48.610698938 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:48.628649950 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:49.459156990 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:49.479715109 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:49.957967043 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:50.001194954 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:51.216317892 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:51.235332966 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:54.485519886 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:54.510246992 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:54.971585989 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:55.018073082 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:50:56.568748951 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:50:56.612859011 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:51:01.711642981 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:51:01.734843016 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:51:35.266832113 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:51:35.293589115 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:51:36.747045994 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:51:36.774502039 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 10:51:37.906775951 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 10:51:37.941770077 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7

              Code Manipulations

              Statistics

              CPU Usage

              Memory Usage

              High Level Behavior Distribution

              Behavior

              System Behavior

              General

              Start time:10:49:47
              Start date:28/09/2021
              Path:C:\Windows\System32\loaddll64.exe
              Wow64 process (32bit):false
              Commandline:loaddll64.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll'
              Imagebase:0x7ff7f9830000
              File size:140288 bytes
              MD5 hash:A84133CCB118CF35D49A423CD836D0EF
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:47
              Start date:28/09/2021
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
              Imagebase:0x7ff7bf140000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:10:49:48
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.341553991.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:48
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.249682229.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:49
              Start date:28/09/2021
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff662bf0000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:10:49:51
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddLayeredRef
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.256116400.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:54
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AdjustClipInsideRef
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.263669758.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:58
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcA
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.270725525.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:50:01
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcW
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.279755934.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:05
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AutoTrace
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000002.287591369.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:09
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginHideInputPaneAnimation
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.294331565.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:12
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginShowInputPaneAnimation
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.302760143.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:16
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildAnimation
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000017.00000002.310372882.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:19
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildDropTarget
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.317261849.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:23
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildInterpolation
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.324869275.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:26
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CacheDWriteRenderTarget
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.332178412.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:30
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ChangeCurrentAnimationScenario
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.339544401.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time: 10:50:33
              Start date: 28/09/2021
              Path: C:\Windows\System32\rundll32.exe
              Wow64 process (32bit): false
              Commandline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearPushedOpacitiesFromGadgetTree
              Imagebase: 0x7ff7f1330000
              File size: 69632 bytes
              MD5 hash: 73C519F050C20580F8A62C849D49215A
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001D.00000002.399487635.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time: 10:50:34
              Start date: 28/09/2021
              Path: C:\Windows\System32\wermgr.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\wermgr.exe
              Imagebase: 0x7ff6251d0000
              File size: 209312 bytes
              MD5 hash: FF214585BF10206E21EA8EBA202FACFD
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language

              General

              Start time: 10:50:36
              Start date: 28/09/2021
              Path: C:\Users\user\AppData\Local\M5A\wermgr.exe
              Wow64 process (32bit): false
              Commandline: C:\Users\user\AppData\Local\M5A\wermgr.exe
              Imagebase: 0x7ff740970000
              File size: 209312 bytes
              MD5 hash: FF214585BF10206E21EA8EBA202FACFD
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.353298117.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time: 10:50:37
              Start date: 28/09/2021
              Path: C:\Windows\System32\rundll32.exe
              Wow64 process (32bit): false
              Commandline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearTopmostVisual
              Imagebase: 0x7ff7f1330000
              File size: 69632 bytes
              MD5 hash: 73C519F050C20580F8A62C849D49215A
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.357738953.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time: 10:50:39
              Start date: 28/09/2021
              Path: C:\Windows\System32\WFS.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\WFS.exe
              Imagebase: 0x7ff7eb8a0000
              File size: 930304 bytes
              MD5 hash: CD6ACF3B997099B6CFB2417D3942F755
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language

              General

              Start time: 10:50:40
              Start date: 28/09/2021
              Path: C:\Users\user\AppData\Local\QEkvVts\WFS.exe
              Wow64 process (32bit): false
              Commandline: C:\Users\user\AppData\Local\QEkvVts\WFS.exe
              Imagebase: 0x7ff7d5c70000
              File size: 930304 bytes
              MD5 hash: CD6ACF3B997099B6CFB2417D3942F755
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.363607406.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time: 10:50:41
              Start date: 28/09/2021
              Path: C:\Windows\System32\rundll32.exe
              Wow64 process (32bit): false
              Commandline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CreateAction
              Imagebase: 0x7ff7f1330000
              File size: 69632 bytes
              MD5 hash: 73C519F050C20580F8A62C849D49215A
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.367587367.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time: 10:50:43
              Start date: 28/09/2021
              Path: C:\Windows\System32\wusa.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\wusa.exe
              Imagebase: 0x7ff6bc1b0000
              File size: 308736 bytes
              MD5 hash: 04CE745559916B99248F266BBF5F9ED9
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language

              General

              Start time: 10:50:44
              Start date: 28/09/2021
              Path: C:\Users\user\AppData\Local\8FwY\wusa.exe
              Wow64 process (32bit): false
              Commandline: C:\Users\user\AppData\Local\8FwY\wusa.exe
              Imagebase: 0x7ff6ee1f0000
              File size: 308736 bytes
              MD5 hash: 04CE745559916B99248F266BBF5F9ED9
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.370038497.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              Disassembly

              Code Analysis

              Reset < >

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: MemoryVirtual$Protect$QueueThread$Read
                • String ID:
                • API String ID: 3138245267-0
                • Opcode ID: f6a122e5a0c7e96bf91264a0e8524a765073fcc8a189ff787fc6cb133c1116ac
                • Instruction ID: acd1ff4a64a9c803ec812a22a8ce79600e1464d52fdb42fb628072365476121f
                • Opcode Fuzzy Hash: f6a122e5a0c7e96bf91264a0e8524a765073fcc8a189ff787fc6cb133c1116ac
                • Instruction Fuzzy Hash: 64429E31301A8141FA23EB6698513EF6391EB8C7E8F544616BF5A5BBEAEE38C505C340
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID:
                • String ID: }*$}*
                • API String ID: 0-2047341001
                • Opcode ID: 6697aeecdb68fb42317ab9b291e2ec49b2c03dd1d3fae150582e88cb637a97bd
                • Instruction ID: dfe71950bb4b00d773a2c1e4d7d9ca62016f185058a51a46645e99606ce0912a
                • Opcode Fuzzy Hash: 6697aeecdb68fb42317ab9b291e2ec49b2c03dd1d3fae150582e88cb637a97bd
                • Instruction Fuzzy Hash: CDF2E476601B8481EB269F17D5503EE77A1F78EBC8F9A4025EB0A077B5DB38C945C348
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: Section$DuplicateObjectView$CreateUnmap
                • String ID:
                • API String ID: 1515463610-0
                • Opcode ID: e5be61c62f007fe0c87b009fa3c80208fa28876a29be6125cc4cab0ee1c10f46
                • Instruction ID: 6ea610af3aad15a722227de53f58fc755bf5589833e20a3a6336a0b824f00b18
                • Opcode Fuzzy Hash: e5be61c62f007fe0c87b009fa3c80208fa28876a29be6125cc4cab0ee1c10f46
                • Instruction Fuzzy Hash: 60519072200B908AEB51EF76A4403DE37A5FB483A8F145629BF6A17BE9DF34C541C744
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileMappingW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 000000014003BC83
                • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 000000014003BD15
                • NtUnmapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 000000014003BD5F
                • NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 000000014003BD9B
                • NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 000000014003BDF5
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: DuplicateObjectSectionView$CreateFileMappingUnmap
                • String ID:
                • API String ID: 640117302-0
                • Opcode ID: 8b68e015f025e620e3111e66b38b8eb77cb60825d7616833b9f3ea8bb15e10a3
                • Instruction ID: 97bab26611acbccf347e89dce627ee74573061b4f08abbeb6aa7e5c1b2439112
                • Opcode Fuzzy Hash: 8b68e015f025e620e3111e66b38b8eb77cb60825d7616833b9f3ea8bb15e10a3
                • Instruction Fuzzy Hash: FE51707220578085EB229B66A4513DBB791F7887F4F184729BFAA07BE9DF38C445CB00
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ConsoleEntryFreePoint
                • String ID: )8GV$d
                • API String ID: 3550414006-3589632123
                • Opcode ID: fe20530f5345ba72b4c3c26f23670b444fbc9397446e4b65b2db6ca5e518deea
                • Instruction ID: d510f836e5bc92855b025e221ee4853bd72dbb3d22a76ed0b2795177c136f2ac
                • Opcode Fuzzy Hash: fe20530f5345ba72b4c3c26f23670b444fbc9397446e4b65b2db6ca5e518deea
                • Instruction Fuzzy Hash: 2C91983230064096EB26EB66D0513EE23A5AB9C7D4F914526BB1E47BFBEE34CA05C350
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: CreateFirstProcessSnapshotThread32Toolhelp32
                • String ID: o[3
                • API String ID: 3863306361-2433638242
                • Opcode ID: 30b4b48dcd20332912629fb6d2fafe97cea8a35b3592a943cf7f542e7425148a
                • Instruction ID: 6b656326b3cfd36c159c16489b8953d1e753318a0e65c4e5b5943f1364c61235
                • Opcode Fuzzy Hash: 30b4b48dcd20332912629fb6d2fafe97cea8a35b3592a943cf7f542e7425148a
                • Instruction Fuzzy Hash: E041603222464186EB67A726E4417EF6391E7D87C0F588021BB8E876FADE38CA15C750
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: InfoSystem
                • String ID: sy;$sy;
                • API String ID: 31276548-3660992706
                • Opcode ID: 1db69e5c6a2fa1cac3d2c6387e923f4e3e8e68fe53d81e6539ea6aae1d25b48c
                • Instruction ID: 6e6b9d6b41ba510f9365bd6ae70f9dc3139515c8db1fe8c3f4a6c85962f57752
                • Opcode Fuzzy Hash: 1db69e5c6a2fa1cac3d2c6387e923f4e3e8e68fe53d81e6539ea6aae1d25b48c
                • Instruction Fuzzy Hash: 2A82DB72215B848AEB26CF27D4507E977E1F789BC4F498426EB4A077B6DB39C941C380
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID:
                • String ID: }*$}*
                • API String ID: 0-2047341001
                • Opcode ID: 570e83c95cfecc6244280b325a776d27e7aceb4d0cecf71a9f187de0f2500ec3
                • Instruction ID: 589d9863290c94d963c78ae1aba4b537ce1e649f887b860e334c2c2edf70769e
                • Opcode Fuzzy Hash: 570e83c95cfecc6244280b325a776d27e7aceb4d0cecf71a9f187de0f2500ec3
                • Instruction Fuzzy Hash: B872E172211B8081EBA68F23D4547ED77A1F78DBC4F8A5125EB4A477B6EB38C944C348
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: FileFindFirst
                • String ID: .
                • API String ID: 1974802433-248832578
                • Opcode ID: e958f93a5fcf6cb94ac768b3e8d83ea7c0edd390af320006111d29d5ee77d296
                • Instruction ID: 4bac0f1caae8588fed560e2f4dd75fe3b4005a9d196e6938d52e54566134f4c2
                • Opcode Fuzzy Hash: e958f93a5fcf6cb94ac768b3e8d83ea7c0edd390af320006111d29d5ee77d296
                • Instruction Fuzzy Hash: C841A43260564085FB76DB26E1003AD73A1A748BF8F184713EF69177E9DB7AC982C742
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: CreateFirstProcessSnapshotThread32Toolhelp32
                • String ID:
                • API String ID: 3863306361-0
                • Opcode ID: e29adbc328a6ec80d2b600d23635cfe2806513ee30cfe43e4a52add3b57ca7a5
                • Instruction ID: 697e8bd1027fccc09012cb901671f32632dfdae7722e2c733c5167ca59ce0a7a
                • Opcode Fuzzy Hash: e29adbc328a6ec80d2b600d23635cfe2806513ee30cfe43e4a52add3b57ca7a5
                • Instruction Fuzzy Hash: AE227C3271064186EA23EB26D4513EF63A1FB89BD4F544625EB4A577F6EF38C50AC340
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: CloseDuplicateObject
                • String ID:
                • API String ID: 2007153175-0
                • Opcode ID: 3664000a17a618f287ba65d315e5fb6fe7665b2e238d272514eb4a69d710ba6d
                • Instruction ID: b0677a23519d847690f614bdee7ff237efeab822132d9f5fc20c75057965f53a
                • Opcode Fuzzy Hash: 3664000a17a618f287ba65d315e5fb6fe7665b2e238d272514eb4a69d710ba6d
                • Instruction Fuzzy Hash: E411E171614B8482EA12AB57A0003AFB350F7C8BE0F444225FFAE57BE9CF38C4418740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: CloseDuplicateObject
                • String ID:
                • API String ID: 2007153175-0
                • Opcode ID: 3adf9e4970dc08f2815358081a06768dbb4e6790a36fc9c1977ffc79afaa0b14
                • Instruction ID: de252f6c848ccf9c7fa87751aefa6420c26b9501a63d7168f36492cc426c02ed
                • Opcode Fuzzy Hash: 3adf9e4970dc08f2815358081a06768dbb4e6790a36fc9c1977ffc79afaa0b14
                • Instruction Fuzzy Hash: D4F0A4B160964485EE169B52B51039EA751EB8C3F4F189738BB7E477E8DA78C8808B41
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID:
                • String ID: )8GV$)8GV
                • API String ID: 0-993736920
                • Opcode ID: 455dcab159815151b483dd90444d880cd56fe8305f2867c25188b82d162fa92f
                • Instruction ID: e7db99c2ed76c24e9271fdfca30502f9120cd4f12b6678b2f47d4e41cadbe873
                • Opcode Fuzzy Hash: 455dcab159815151b483dd90444d880cd56fe8305f2867c25188b82d162fa92f
                • Instruction Fuzzy Hash: 3BF18F7272064095EB52EB72D8913EE6365FB993C8F900426BB0E47AFADF34CA45C740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: DelayExecution
                • String ID:
                • API String ID: 1249177460-0
                • Opcode ID: aa0a31988ed536e5df6eb08679adadcdc5e93a30f135be4fb5cef38a6a5fabe1
                • Instruction ID: b7d685cc54adafa083af8fb044c8efc032ee96fe2de405b85deabb13dc9f4555
                • Opcode Fuzzy Hash: aa0a31988ed536e5df6eb08679adadcdc5e93a30f135be4fb5cef38a6a5fabe1
                • Instruction Fuzzy Hash: 0112C031205BC482EB669F12E5503EE77A1F74DBC4F5A4425EB8A277A6DB38C941C348
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: InformationQuerySystem
                • String ID:
                • API String ID: 3562636166-0
                • Opcode ID: 8b3085294147da014757eb81cb2784757fe4747c04c946838a366f1cc33c577d
                • Instruction ID: ba306794fc56961ae9be9e8108b60f4a03202e28571258f9feaa1cffdeadac3d
                • Opcode Fuzzy Hash: 8b3085294147da014757eb81cb2784757fe4747c04c946838a366f1cc33c577d
                • Instruction Fuzzy Hash: 25B16E36601B409AE712EF26D9403EE33A6F7497C8F645825EB4E47BA6DF38D524CB00
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: FileFindLoadNext
                • String ID:
                • API String ID: 50669962-0
                • Opcode ID: 0d2011e157ca307849b04fd2c02c1d5ee821d20d241f31af804c7ef73ff3177d
                • Instruction ID: 5bbbb247b64301f03cc62f5655f26b2922a91791dd430743fbd3ba68f8766a4f
                • Opcode Fuzzy Hash: 0d2011e157ca307849b04fd2c02c1d5ee821d20d241f31af804c7ef73ff3177d
                • Instruction Fuzzy Hash: 07819D3261568092FB22EB26E4513EE6365FBD83D4F814521FB4A57AEBEF38C605C704
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: CloseExitProcess
                • String ID:
                • API String ID: 3487036407-0
                • Opcode ID: da35a4be8f8d642f7b3bb733c4659acb0c0e12b571fb1336731f84041ac91657
                • Instruction ID: 3d479053040576d7404e3dfab4813d6254088c9544e20b556efee73ce8d776a8
                • Opcode Fuzzy Hash: da35a4be8f8d642f7b3bb733c4659acb0c0e12b571fb1336731f84041ac91657
                • Instruction Fuzzy Hash: 5771BF32710A5096FB16EB72D4513EE2365AB883D9F844522BF5E53AFADF35C906C340
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 000000014003BE30: AddAtomA.KERNEL32(?,?,?,?,?,?,00000000,0000000140038EF7,?,?,00000000,00000000,00000000,00000001400390B3), ref: 000000014003BE65
                • NtQueueApcThread.NTDLL(?,?,00000000,?,00000000,000000014003B18B), ref: 000000014003B020
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: AtomQueueThread
                • String ID:
                • API String ID: 3451544018-0
                • Opcode ID: f1c5a824c965ebfbbfcea23e76c45ea12e41a2e3863dc7c858a7d3a27fd3ac79
                • Instruction ID: 4df6d11bc0c865b84816851863f622d72c4025d6af3533ea7908fbcc00f5a55e
                • Opcode Fuzzy Hash: f1c5a824c965ebfbbfcea23e76c45ea12e41a2e3863dc7c858a7d3a27fd3ac79
                • Instruction Fuzzy Hash: 712196357047A146EA2AEA3768513FF93C5AB8DBC8F4804267F9947BEADE38C4025744
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtReadVirtualMemory.NTDLL(?,?,?,?,?,?,?,00000000,00000000,0000000140039124), ref: 0000000140039FB9
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: MemoryReadVirtual
                • String ID:
                • API String ID: 2834387570-0
                • Opcode ID: d4c0f601f8173e084435b8149a1abc3bb2284ebee1e2e9985b7c4484076de972
                • Instruction ID: fde8a12fbb61b002c14bb9aa4d6a3374e7fc4ac9a6d687e2194feb1a663f083e
                • Opcode Fuzzy Hash: d4c0f601f8173e084435b8149a1abc3bb2284ebee1e2e9985b7c4484076de972
                • Instruction Fuzzy Hash: BE11707270478095EA12EB23B4417EBA795BBD8BC0F584421BF8A87BBADE38C141D740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 000000014003BF70: NtDuplicateObject.NTDLL ref: 000000014003BFBA
                  • Part of subcall function 000000014003BF70: NtClose.NTDLL(?,?,?,?,?,?,00000000,000000014003C017), ref: 000000014003BFDC
                • NtDuplicateObject.NTDLL ref: 000000014003C065
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: DuplicateObject$Close
                • String ID:
                • API String ID: 2370448515-0
                • Opcode ID: e8072ffe7d08897ea38b82df7349dc16abc6d1b82219edb7c879ebc355597d4f
                • Instruction ID: b6756aa9ca613f3cc4770f98daba670050dbaed777927283fbe2876511f6ba89
                • Opcode Fuzzy Hash: e8072ffe7d08897ea38b82df7349dc16abc6d1b82219edb7c879ebc355597d4f
                • Instruction Fuzzy Hash: BF116071614B84C6EA12AB12A40079FA361F788BE4F184615BFA9177E8CF38C461C740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: DuplicateObject
                • String ID:
                • API String ID: 3677547684-0
                • Opcode ID: 9dca3ee2062fe1f913b7e8c42e8c2e96c4a71af36250ec3512346e978522e050
                • Instruction ID: aa6844e22d3f9e6d35e21b0d9ea05fd8394aacc775aec4ddea9131e5352aeb64
                • Opcode Fuzzy Hash: 9dca3ee2062fe1f913b7e8c42e8c2e96c4a71af36250ec3512346e978522e050
                • Instruction Fuzzy Hash: 30113072605B8086EB11AB56E44038E77A1F7887E0F284625EFAD477E8DF38C945CB44
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: 23ebd781f4ddcec8dae99ecbb66e9838265fbab51397d8ca81fcc772d40db4ae
                • Instruction ID: acc9ee73913d888b71121e4cedfe861758cf19cabea33dd7822bbf7d3cf7603a
                • Opcode Fuzzy Hash: 23ebd781f4ddcec8dae99ecbb66e9838265fbab51397d8ca81fcc772d40db4ae
                • Instruction Fuzzy Hash: 42E08CA1741A0041EF265276D0803A812809B4D7B4E194B209A7D0B3E0EA3888898716
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c92ba9cc1f643eec3bc892b3914b0673571a32121aaa1f2146e05905406c794a
                • Instruction ID: bccbce3911ab829ef3288d496869760cb1404da12fac801df191153d1e38d36e
                • Opcode Fuzzy Hash: c92ba9cc1f643eec3bc892b3914b0673571a32121aaa1f2146e05905406c794a
                • Instruction Fuzzy Hash: 9172CD72601B9485FB26CF17D4503E967A1FB8EFC4F998426EB0A077A5EB39C945C380
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9b78e24fa11fb21ab2dbf36836fb557937f9aecbde3c7dad107f32d7e6443b5d
                • Instruction ID: 84a8ec628d281786b49b5e6f6f6dec0d0376b1c45e732984354cafa0c8984479
                • Opcode Fuzzy Hash: 9b78e24fa11fb21ab2dbf36836fb557937f9aecbde3c7dad107f32d7e6443b5d
                • Instruction Fuzzy Hash: D761947121164102FE76B72399047EE5292AFAD3E4F650B21BF6E47BF9EE38C9018740
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5ec340284a025695408b33a33a90c1c522abcfd30b0e0b7c8adaac6887e8be65
                • Instruction ID: 713527809b35fed6260ebd230ad48717dd4fa7a304d79e310e96a8de0daf9cee
                • Opcode Fuzzy Hash: 5ec340284a025695408b33a33a90c1c522abcfd30b0e0b7c8adaac6887e8be65
                • Instruction Fuzzy Hash: 5A717D32B04B4095FB12EBB2E4913DF67A5FBC8388F954025BB4957AAADF38D445CB04
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
                • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
                • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
                • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: Close$EnumOpen
                • String ID:
                • API String ID: 138425441-0
                • Opcode ID: 7f1946d4b08319e1c62c28563017fc3328e89765a6c2f23e6eebc3ec532142e7
                • Instruction ID: 4377045c35190c944746a6ea10b9b47c13ce871b5e3b3a15cce40fdff127085f
                • Opcode Fuzzy Hash: 7f1946d4b08319e1c62c28563017fc3328e89765a6c2f23e6eebc3ec532142e7
                • Instruction Fuzzy Hash: 5BC1A43120568082FE629B16E8503EEA791E7C97E0F6C4A21FB6E47BE5DE78C941C740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452389502.000001D7BB490000.00000040.00000001.sdmp, Offset: 000001D7BB490000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • String ID:
                • API String ID: 3879549435-0
                • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
                • Instruction ID: 76112907dc387cb8593ad870e578bf14640648a33f3a172f5ef34daedb40786d
                • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
                • Instruction Fuzzy Hash: 89B13576618BC48AD770CB1AE440BDEB7A1F7C9B90F108126EEC957B98DB79C8518F40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: Module$BaseEnumInformationModulesNameProcess
                • String ID:
                • API String ID: 2890305978-0
                • Opcode ID: b5e56d5ab57eb5bfda66dc32dfb24ac4d1dfbb684de4c56c8ef48e79162c7ba5
                • Instruction ID: 851ad7b83b597ddfdb79a0dc34dee4392ee97374595a9e9e24644ed8688053a5
                • Opcode Fuzzy Hash: b5e56d5ab57eb5bfda66dc32dfb24ac4d1dfbb684de4c56c8ef48e79162c7ba5
                • Instruction Fuzzy Hash: BD418E32B116509AEB16EBB2D8517EE2361BB89788F854426FF0D67BAADF34C505C340
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: CloseCodeExitProcess
                • String ID: 0
                • API String ID: 1252061823-4108050209
                • Opcode ID: ac0152bb9a39477004ccd3e7b720b84d3940deba95619d64bbd669a457f01710
                • Instruction ID: d031ce7f07ee6264b1b565cfdef1d6a1f9d4b56e34334f0c0aade15f2326fe9a
                • Opcode Fuzzy Hash: ac0152bb9a39477004ccd3e7b720b84d3940deba95619d64bbd669a457f01710
                • Instruction Fuzzy Hash: 0131623220478186EB729F26A4403DE7365F798394F654935FB9E87BE5EF38C8458B40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: DescriptorSecurity$ConvertString
                • String ID: 4aX
                • API String ID: 3907675253-4042356595
                • Opcode ID: 0b711e615e8be0e2b12272892a189f9629344f3b322a46c804b9aa2ee471bc5a
                • Instruction ID: 5c7b4eddd96f597e19123db416744eb931adcf52cf9da5c093af566d74744993
                • Opcode Fuzzy Hash: 0b711e615e8be0e2b12272892a189f9629344f3b322a46c804b9aa2ee471bc5a
                • Instruction Fuzzy Hash: EC216D72214B4582EA12EF66E1403DEB3A0FB8C7C4F844525EB8D07B6AEF39D625C745
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9401b7d481fa84f399dcd3aedf6ecaa48b1ecbcbbf608e1c6fa818b9c389716f
                • Instruction ID: c5574eec75406f68cf122a08b4571db932f63f1e1c7d3e43579234279b4bb767
                • Opcode Fuzzy Hash: 9401b7d481fa84f399dcd3aedf6ecaa48b1ecbcbbf608e1c6fa818b9c389716f
                • Instruction Fuzzy Hash: A151D03130464182FA72EA63A4507EA77A2BB8CBD4F154527BF5A077E2EF7AC801C740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$PointerRead
                • String ID:
                • API String ID: 3154509469-0
                • Opcode ID: 906419aa2d81ede4dc4edd291715969e1c2a58f52923961ccd039826449e5ccb
                • Instruction ID: 869152f87e2051f324d9e8f0f01270def7d2743b76a8e6c9a5e95a296a3a7e26
                • Opcode Fuzzy Hash: 906419aa2d81ede4dc4edd291715969e1c2a58f52923961ccd039826449e5ccb
                • Instruction Fuzzy Hash: A541583161464087EA62DB3AA4447AAB3A1FBD87E0F144712BB6D4B7F5DF39C802DB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
                • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$CreateTime
                • String ID:
                • API String ID: 1043708186-0
                • Opcode ID: e0f3c25c1433618cdc4797ff666a8e785f21fef8d93edc3608467ce275388496
                • Instruction ID: 944ab0cbe82d54181631abf043b2a82f72de4fdca767e43f24bb2c72b9c0c91f
                • Opcode Fuzzy Hash: e0f3c25c1433618cdc4797ff666a8e785f21fef8d93edc3608467ce275388496
                • Instruction Fuzzy Hash: 8D21B431214A4581EA72DB66A0407EA3795F78CBE4F184617EFAE077E5DF7AC806C740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
                • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$CreateTime
                • String ID:
                • API String ID: 1043708186-0
                • Opcode ID: b0d3cb4549c2e7320966efb25e068ceb88471a892c5721df2f93a7cc650a8fa0
                • Instruction ID: bee1728ae0ee1a0caa625709e376bb4aadd3217f15d1bcce0d190476addee932
                • Opcode Fuzzy Hash: b0d3cb4549c2e7320966efb25e068ceb88471a892c5721df2f93a7cc650a8fa0
                • Instruction Fuzzy Hash: BE21D332311A4581EA72DA66A0407EA3795B78CBE4F184527AF9D077E5DE7AC806C700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
                • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$CreateTime
                • String ID:
                • API String ID: 1043708186-0
                • Opcode ID: 050d020af5b5a43ec8cd0a43f52f9feec77bcbc6d6a2736fe7b7b3c910fe36c5
                • Instruction ID: a00dbcca095f64b26cda9c271166364bdf2e86a9b80154192fb139b54d898421
                • Opcode Fuzzy Hash: 050d020af5b5a43ec8cd0a43f52f9feec77bcbc6d6a2736fe7b7b3c910fe36c5
                • Instruction Fuzzy Hash: 5521E532315A4581EA72DB62A0407EE3791F78CBE4F184517AFAD077E5DE7AC806C700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060D85
                • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060DE8
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: 19f2086c07ff306753045cf5abc9bd2fa96ffa14dada4427a8af091e3c35177d
                • Instruction ID: 09cc4365fb23fa9fe14c599ab373ea3e5ec1bde103bfdbf39ccb6e9a9538c2db
                • Opcode Fuzzy Hash: 19f2086c07ff306753045cf5abc9bd2fa96ffa14dada4427a8af091e3c35177d
                • Instruction Fuzzy Hash: F521A37671569046EF52CB56E8003AFA391EB897F4F184621BF9C07BE8EA38D582C750
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
                • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$CreateTime
                • String ID:
                • API String ID: 1043708186-0
                • Opcode ID: 8ef76ef7c0d7ddc3b1a1d8003eaca85c562126416698a57894288b8950d85237
                • Instruction ID: 68fcab11a3bde380270331896f94efb0ab36e54eb9d04e7f46ecdc112822b6b1
                • Opcode Fuzzy Hash: 8ef76ef7c0d7ddc3b1a1d8003eaca85c562126416698a57894288b8950d85237
                • Instruction Fuzzy Hash: 6821C132315A4541EA72DB62A0407EA3795F78CBE4F184627EFAD077E5DE7AC806C740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ComputerName
                • String ID:
                • API String ID: 3545744682-0
                • Opcode ID: a66a83b9981f793a22abcda871f8b55496a9f7657841f824eb67549980af41b1
                • Instruction ID: 560481d37deeb2f3cc02cd101c0a384bc9ca8e36dca6fa428839860d024f360c
                • Opcode Fuzzy Hash: a66a83b9981f793a22abcda871f8b55496a9f7657841f824eb67549980af41b1
                • Instruction Fuzzy Hash: EDA15D3271064099EB12EFB6C4913EE2365A7987C8F915126BF0D67AFAEF34C609C750
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: b226cef49f2cfb3f61ab646f377e993bd6338a42c14ebc2a87c9534da943db90
                • Instruction ID: 2cd33cf12082532a652157af79f02d7873b375395221c82c38bac87e111ef697
                • Opcode Fuzzy Hash: b226cef49f2cfb3f61ab646f377e993bd6338a42c14ebc2a87c9534da943db90
                • Instruction Fuzzy Hash: 6E51B2326117408AEB66EB22A0013EE6291EB9DBC4F580535FF4E477E6DF39C802D790
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: FullImageNameProcessQuery
                • String ID:
                • API String ID: 3578328331-0
                • Opcode ID: 2dcbe1e13f94c8e14b3d0ab23f2cd1a62668453b2244aef25f131f70ec54b43c
                • Instruction ID: f986e24af5111b4d6037bf98cb7a0fa0abb6044720ce6c1a21b40d8b569112f6
                • Opcode Fuzzy Hash: 2dcbe1e13f94c8e14b3d0ab23f2cd1a62668453b2244aef25f131f70ec54b43c
                • Instruction Fuzzy Hash: 71419332204B4586EB56EF36D4503DA2362EB997D8F500526FB4E477E9EF39C851CB80
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • AddAtomA.KERNEL32(?,?,?,?,?,?,00000000,0000000140038EF7,?,?,00000000,00000000,00000000,00000001400390B3), ref: 000000014003BE65
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: Atom
                • String ID:
                • API String ID: 2154973765-0
                • Opcode ID: 6c0567354e7ee9da18afaf3d2b3089facd07b7dea19fffed0255cc404462c4a7
                • Instruction ID: 76f3dd51b3dfcf2c00839118f4471cf1fcfd122f63009da98cc00f65b36b4b2c
                • Opcode Fuzzy Hash: 6c0567354e7ee9da18afaf3d2b3089facd07b7dea19fffed0255cc404462c4a7
                • Instruction Fuzzy Hash: AE118161B0479046EA13AB6BA0503FFA391AB9C7D4F484425BBCE477EADE3CC9019740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: FileFindNext
                • String ID:
                • API String ID: 2029273394-0
                • Opcode ID: 95c28fe704aa870f12444e8f90bd6212872869de3839847842a7aa4a814b218a
                • Instruction ID: fe48dd106ee2d63de4642147a978de6f9e341aec22c75ad1205c2678dbe1ece1
                • Opcode Fuzzy Hash: 95c28fe704aa870f12444e8f90bd6212872869de3839847842a7aa4a814b218a
                • Instruction Fuzzy Hash: 80115B7561034082FF76DA6691047E933E1EB697C8F051013EF59472E9EB36C8D2C751
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: EnumValue
                • String ID:
                • API String ID: 2814608202-0
                • Opcode ID: f09f88297d29af25c3c9fad4feea13acc269b39cdd3c4aba18371d5feb17aff9
                • Instruction ID: 650aff04d41c3b1619de3e88208a4500c6b85af191ab70c767efd2679610bbe3
                • Opcode Fuzzy Hash: f09f88297d29af25c3c9fad4feea13acc269b39cdd3c4aba18371d5feb17aff9
                • Instruction Fuzzy Hash: 1C112E72204B8486D7219F12E84039EB7A5F788B90FA89529EB8D43B58DF39D991CB44
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: CreateHeap
                • String ID:
                • API String ID: 10892065-0
                • Opcode ID: 0259cd0d410adb129ac7588157576669aae5f2ccad6a182df938e37cc279a953
                • Instruction ID: 54976bf3431427af6da968cf6b263ec8d4a99ac7c2bea2f2fd5649cd882baac1
                • Opcode Fuzzy Hash: 0259cd0d410adb129ac7588157576669aae5f2ccad6a182df938e37cc279a953
                • Instruction Fuzzy Hash: B901D635706A8082EB528712FA4039A73A0F78C3C4F198524EF884B7A5EF38C8518B44
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID: BoundaryDeleteDescriptor
                • String ID:
                • API String ID: 3203483114-0
                • Opcode ID: e7a17700271681b97e1fa4260b19801d2fa8f2a1431a6b429a697cd6600adb5a
                • Instruction ID: 7e2fcedd46cf55f04110c2a11ced308778be976df41b62f125aabd7639a18320
                • Opcode Fuzzy Hash: e7a17700271681b97e1fa4260b19801d2fa8f2a1431a6b429a697cd6600adb5a
                • Instruction Fuzzy Hash: 70F0F878A4730141FE6A63B354543A511821FCC7C4F0E8834AF095B7A6EE38CD518699
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001D7BB4929A8), ref: 000001D7BB4920A7
                Memory Dump Source
                • Source File: 00000000.00000002.452389502.000001D7BB490000.00000040.00000001.sdmp, Offset: 000001D7BB490000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
                • Instruction ID: 28233256d8b9314473832a43b5923bb6ece7d4852770723e202fd9ca4f4d4e66
                • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
                • Instruction Fuzzy Hash: 72312B76615B9086D790DF1AE45479A7BA0F389BD4F205026EF8D87B58DF3AC446CB00
                Uniqueness

                Uniqueness Score: -1.00%
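
The records in this section are machine output, and the signal (which functions sit in an RWX region, which reference section-mapping APIs, which carry HTTP verbs) is buried in repeated boilerplate. As an added example, not part of the sandbox report or of the sandbox product, the following Python script parses records laid out like the ones on this page and ranks them for manual review. Three records are copied from this report as constructed input. The dump file name layout (pid.stage.seq.base.protect.type.sdmp, with protect read as a Win32 PAGE_* constant) and the INJECTION_WORDS keyword list are assumptions of this example, not something the report states.

```python
"""Triage helper for per-function records in a sandbox execution-graph report.

Added example, not part of the report or of the sandbox product: it parses
records laid out like the ones on this page and ranks them for manual review.
Assumptions (not confirmed by the report): the dump file name is laid out as
pid.stage.seq.base.protect.type.sdmp with protect a Win32 PAGE_* constant, and
the INJECTION_WORDS keyword list is a heuristic of our own.
"""
import re
from typing import Dict, List

# Constructed sample: three records copied from the report, headings dropped.
SAMPLE_REPORT = """\
• VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001D7BB4929A8), ref: 000001D7BB4920A7
• Source File: 00000000.00000002.452389502.000001D7BB490000.00000040.00000001.sdmp, Offset: 000001D7BB490000, based on PE: true
• API ID: AllocVirtual
• String ID:
• Instruction Fuzzy Hash: 72312B76615B9086D790DF1AE45479A7BA0F389BD4F205026EF8D87B58DF3AC446CB00
Uniqueness Score: -1.00%
• Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• API ID:
• String ID: */*$GET$POST
• Instruction Fuzzy Hash: 57125C72610A8196EB11EF72E8913DE6765F7883D8F904122FB4E57AAADF34C249C740
Uniqueness Score: -1.00%
• Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• API ID: ModuleSectionView$BaseCreateDuplicateEnumFileInformationMappingModulesNameObjectProcessUnmap
• String ID: D
• Instruction Fuzzy Hash: 32827E3222468186EB13EB26D4907EF6365FBD8794F904612FB5A47AFADF38C605C740
Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# Assumed layout of the dump name; the protect field is treated as PAGE_*.
DUMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp"
)
PAGE_EXECUTE_READWRITE = 0x40
HTTP_STRINGS = {"GET", "POST", "Content-Type", "*/*"}
# Heuristic word list: the report's API IDs are alphabetised fragments of API
# names, so we substring-match the fragments typical of injection primitives.
INJECTION_WORDS = ("Section", "View", "Mapping", "Process", "Thread",
                   "Write", "Protect", "Apc", "Atom")


def _split(value: str) -> List[str]:
    """API ID and String ID fields are '$'-joined lists."""
    return [t for t in value.split("$") if t]


def parse_records(text: str) -> List[Dict]:
    """Turn the report text into one dict per function record."""
    records, cur = [], {"api_ids": [], "strings": [], "calls": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score"):      # closes a record
            cur["uniqueness"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = {"api_ids": [], "strings": [], "calls": []}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            cur["source"] = value
            dm = DUMP_RE.search(value)
            if dm:
                cur["base"] = int(dm.group("base"), 16)
                cur["protect"] = int(dm.group("protect"), 16)
        elif key == "API ID":
            cur["api_ids"] = _split(value)
        elif key == "String ID":
            cur["strings"] = _split(value)
        elif key == "Instruction Fuzzy Hash":
            cur["fuzzy"] = value
        elif "(" in key:   # a logged call such as "VirtualAlloc.KERNELBASE(...)"
            cur["calls"].append(line.lstrip("• "))
    return records


def flag_record(rec: Dict) -> List[str]:
    """Reasons a reverser would open this function first."""
    flags = []
    if rec.get("protect") == PAGE_EXECUTE_READWRITE:
        flags.append("rwx_region")        # code in a writable+executable page
    if any(w in a for a in rec["api_ids"] for w in INJECTION_WORDS):
        flags.append("injection_api")
    if HTTP_STRINGS & set(rec["strings"]):
        flags.append("http_strings")      # likely C2 request builder
    if any(c.startswith("VirtualAlloc") for c in rec["calls"]):
        flags.append("alloc_call")
    return flags


def triage(text: str) -> List[Dict]:
    """Flagged records, most flags first, then by load address."""
    out = [dict(r, flags=flag_record(r)) for r in parse_records(text)]
    out.sort(key=lambda r: (-len(r["flags"]), r.get("base", 0)))
    return [r for r in out if r["flags"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(f"{r.get('base', 0):016X} {r['flags']} {r['api_ids'] or r['strings']}")
```

Run over the whole section rather than the three sample records, the VirtualAlloc function at 000001D7BB490000 ranks first because it is the only record whose dump is not the mapped image (different base, 0x40 protection), which is where an unpacked payload would be expected to live.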

                Non-executed Functions

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: 0020$0020$3050$3050$4040$GNOP
                • API String ID: 0-829999343
                • Opcode ID: ceb7028f1240289a919e33511f2583c792be0c0d6e82a0c9dd89227fa254fbe2
                • Instruction ID: 282167bc52f218920562f67345f8403ae15435ff558287d674a5e0b6e797f698
                • Opcode Fuzzy Hash: ceb7028f1240289a919e33511f2583c792be0c0d6e82a0c9dd89227fa254fbe2
                • Instruction Fuzzy Hash: 4172507261068195EB22EF26D8913EE6365FB983C8F804016FB4E475FAEF34CA45C750
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: ERCP$VUUU$VUUU$VUUU
                • API String ID: 0-2165971703
                • Opcode ID: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
                • Instruction ID: a95f611128f1d5d13a9bca75b656ea52fec65ffdb08565925219bb8e60db198b
                • Opcode Fuzzy Hash: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
                • Instruction Fuzzy Hash: 2252BE727046848AEB6A8F6AD5503ED7BA1F3087D8F144116FF569BAE8D73CC981C700
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: SW$SW$SW$SW
                • API String ID: 0-1120820918
                • Opcode ID: a936443f3efe73889e366fc6945cf437e259ea4a033722658e994d2a32170f94
                • Instruction ID: 5271b3b9b35d550c8de01999338ba1aa790ab169e66fccb1d44a6718ff6f2241
                • Opcode Fuzzy Hash: a936443f3efe73889e366fc6945cf437e259ea4a033722658e994d2a32170f94
                • Instruction Fuzzy Hash: 4C026D3170160146EB62EB73D8603EE2396AB9C3C8F554925BB4D87BEAEF35DA01C310
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: GC,$GC,$GC,$GC,
                • API String ID: 0-2774350030
                • Opcode ID: 0b4643082cbcf64182ecb4943f9f91664f39e41d7b5a94e8cbbc5a6c3cce18b2
                • Instruction ID: dd0ba4053c6bdb050c0e262549aa376da4335980b2dde8bb0cc8774c9fa84b1c
                • Opcode Fuzzy Hash: 0b4643082cbcf64182ecb4943f9f91664f39e41d7b5a94e8cbbc5a6c3cce18b2
                • Instruction Fuzzy Hash: 39B14A3232168096EA16EB22D4513EFA765FBDC7C4F854425FB4E57ABAEE38C605C700
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: }*$}*
                • API String ID: 0-2047341001
                • Opcode ID: ee41e772f786da0e52809bc7b3ed3736b8892bf3de248059fd860a26ac002c6a
                • Instruction ID: 7c281f25cbc51a2c663274e483e0a5d4adc9f9b548fde4e06667abda5a9e2262
                • Opcode Fuzzy Hash: ee41e772f786da0e52809bc7b3ed3736b8892bf3de248059fd860a26ac002c6a
                • Instruction Fuzzy Hash: 6E03CB72201B8482EB26CF23D4543ED67A1F78DBC4F994416EF4A177A6EB3AC945C380
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: )8GV$)8GV$@
                • API String ID: 0-2802744955
                • Opcode ID: bf10a54bdf04319f0c9d99cd6ba399778f4eb5807b1d2053279e61110ede44b0
                • Instruction ID: d4403fa2ef2757ed15b0d897a8d3d48ae9d82dee7601a7ae60b507309942f45e
                • Opcode Fuzzy Hash: bf10a54bdf04319f0c9d99cd6ba399778f4eb5807b1d2053279e61110ede44b0
                • Instruction Fuzzy Hash: 8F326E72610A8095FB22EB72D8513EE6365FB997C8F940026BB4E476FADF34CA05C750
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: */*$GET$POST
                • API String ID: 0-3233530491
                • Opcode ID: f80e92f70eed1859ccf6ef1298a3adf2fa2fb169edebb978b9b3b00b0d95425b
                • Instruction ID: 6cf15a5ed41f927c804a0d4041fd2741414eb33ceb6b5d93e391305a3a4948eb
                • Opcode Fuzzy Hash: f80e92f70eed1859ccf6ef1298a3adf2fa2fb169edebb978b9b3b00b0d95425b
                • Instruction Fuzzy Hash: 57125C72610A8196EB11EF72E8913DE6765F7883D8F904122FB4E57AAADF34C249C740
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: GC,$GC,${QN
                • API String ID: 0-3150587038
                • Opcode ID: a270dd4cc6e19919ab11c13f5e24561610a72864f9645cbe779d4cc830d0f2f7
                • Instruction ID: 9244b60d004d0bd22f383007071d62e4da67c70af0efad37e4d475a9577969ab
                • Opcode Fuzzy Hash: a270dd4cc6e19919ab11c13f5e24561610a72864f9645cbe779d4cc830d0f2f7
                • Instruction Fuzzy Hash: D851B3726017408AEB26AF72A0517DF3392EB98398F559529FB4E0BBE9DF39C401C741
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: $(
                • API String ID: 0-55695022
                • Opcode ID: 15f721d9e3898134c6b62aff05d60ca5d75bc9cca85c655c6e42c6e5e3439179
                • Instruction ID: 3ad5372d7c10455e87938aa43df51df811dd099c819a0e6d0243c0277852d4c0
                • Opcode Fuzzy Hash: 15f721d9e3898134c6b62aff05d60ca5d75bc9cca85c655c6e42c6e5e3439179
                • Instruction Fuzzy Hash: 5782AC32201B8482EB66DF27D4503ED67A1F78DBC8F995421EB4A477B6EB3AC945C340
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: 0$GC,
                • API String ID: 0-3557465234
                • Opcode ID: a240d17a35bbb8a983d9cf19b0a458ff5dc26464b321074ace8de2e44754f6cf
                • Instruction ID: 8e8f5bced65d739128878f1be46f709eb140c798bd495bd8ba2efbba04664ca7
                • Opcode Fuzzy Hash: a240d17a35bbb8a983d9cf19b0a458ff5dc26464b321074ace8de2e44754f6cf
                • Instruction Fuzzy Hash: 90F1C132705B8086EB56DB26A5503EE77A5F788BC8F544029FF8A47BA9DF38C845C740
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: cLpS$cLpS
                • API String ID: 0-581437482
                • Opcode ID: 38ae86c07026fe9ae38b0b643c994d94b2ca26a0ee10e85ef486b1e160fa0490
                • Instruction ID: d6b56411a1e340b191dd7f08d0c8a8920ca136b0ade9766ce73097337fe28e3c
                • Opcode Fuzzy Hash: 38ae86c07026fe9ae38b0b643c994d94b2ca26a0ee10e85ef486b1e160fa0490
                • Instruction Fuzzy Hash: F5916E32700A41A6FB12EB72D5513ED2366AB983D8F900126BF1D97AFADF34D919D340
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: $
                • API String ID: 0-227171996
                • Opcode ID: 95d439ec123ed9d5f8b3cc70e80092d764980e0cd9d520ecefbce1e0b8ab952b
                • Instruction ID: 6c213dc2afd611bac599ce04416581ee7b70472e28aa57329a8a019417624c17
                • Opcode Fuzzy Hash: 95d439ec123ed9d5f8b3cc70e80092d764980e0cd9d520ecefbce1e0b8ab952b
                • Instruction Fuzzy Hash: 94519EB3200A948BF7A5CF2AD888BAD37A8F749394F56811AEB55877E0D77DC441CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID: ModuleSectionView$BaseCreateDuplicateEnumFileInformationMappingModulesNameObjectProcessUnmap
                • String ID: D
                • API String ID: 3217726797-2746444292
                • Opcode ID: 060bbd7c30a2703ac75cfcf5c5e57b4e84d83b50dcf0a5e09b07a4a18756371c
                • Instruction ID: a2166a60d7ca2b4a0d1872d5e3506bb785f107662951e93f9f6f62b20c08bf0e
                • Opcode Fuzzy Hash: 060bbd7c30a2703ac75cfcf5c5e57b4e84d83b50dcf0a5e09b07a4a18756371c
                • Instruction Fuzzy Hash: 32827E3222468186EB13EB26D4907EF6365FBD8794F904612FB5A47AFADF38C605C740
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: GET
                • API String ID: 0-1805413626
                • Opcode ID: aae13f32b186463ecc038d039869d9c540319f15d5632cb535c77be7175d0764
                • Instruction ID: e67aa13565bd515be4758c424d677281e7e48e69fdea67d752e56d6b70eb8f16
                • Opcode Fuzzy Hash: aae13f32b186463ecc038d039869d9c540319f15d5632cb535c77be7175d0764
                • Instruction Fuzzy Hash: 7182CFB262568082FB52EB26E491BEE6761F7C97C8F851022FB4A576E7CF38C505C701
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID: CloseEnvironmentExpandStrings
                • String ID:
                • API String ID: 1839112984-0
                • Opcode ID: f2cbe49b95be8604ca59d87ad75be4d6092a4fc473f5842bbc3c9af27565784d
                • Instruction ID: c0dbe0ee55e83fb6c0f3bef3624a57e5635b4c6ed11a4d6c977be8f15ec7e338
                • Opcode Fuzzy Hash: f2cbe49b95be8604ca59d87ad75be4d6092a4fc473f5842bbc3c9af27565784d
                • Instruction Fuzzy Hash: CB427E32710A4096FB12EB72D4913EE6765EB983D8F814422BB4D4BAFAEF34C645C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 36286cfaebfc4f4bd78f9902e15129a4cb168d2de06fc67adfbd0afb51e27802
                • Instruction ID: abc698a25be580435ac5d46bd6b01b3c7dd535f90f9c32282677b8a643a0cbd6
                • Opcode Fuzzy Hash: 36286cfaebfc4f4bd78f9902e15129a4cb168d2de06fc67adfbd0afb51e27802
                • Instruction Fuzzy Hash: 3C427D3271068095FB22EB76D8513EE2361EB993C8F904121BB0E5BAFAEF79C545C740
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f48c14bef542a88d05d0787d40b1fb21a3e645436b86db75b35cb1b620af12c2
                • Instruction ID: 0bcce83d19b55e388762cc41cc2fbdfa61478623d1bee2f25155124e52c32027
                • Opcode Fuzzy Hash: f48c14bef542a88d05d0787d40b1fb21a3e645436b86db75b35cb1b620af12c2
                • Instruction Fuzzy Hash: 8A128E3271468095FB22EB72D8913EE2355EB997C4F804026BB4E5BAFADF35C605C750
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: cLpS
                • API String ID: 0-2886372077
                • Opcode ID: 0dd25a4ff5effdb81c262167eaf4cead81274a34c8457ff2f5aa94fbbe3b3179
                • Instruction ID: 96b4c198141fe6e7034ab14ad9d5ea3cda72442e6a1109ae0a48173783152c86
                • Opcode Fuzzy Hash: 0dd25a4ff5effdb81c262167eaf4cead81274a34c8457ff2f5aa94fbbe3b3179
                • Instruction Fuzzy Hash: CF528D7272464092FA12EB62E8517EE63A5FB9C7C4F814022BB4E57BBADF38C505C750
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID: CreateMutex
                • String ID: m
                • API String ID: 1964310414-3775001192
                • Opcode ID: a8ebedd1b6a09308855571d9ca30b5c0a14146b51fa71b242b442342da4cf8ae
                • Instruction ID: 0a9d90af75a6ede7406656d6adb6787827cf479cbe6b14872f7c626c13ea0b6d
                • Opcode Fuzzy Hash: a8ebedd1b6a09308855571d9ca30b5c0a14146b51fa71b242b442342da4cf8ae
                • Instruction Fuzzy Hash: 6A529B32710A80A6F74EEB32C5913EE7369F788384F904026AB2947AE6DF34D576C750
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: s( j
                • API String ID: 0-1450404818
                • Opcode ID: 62a8394b164e6c8e2eccec9bd7de0be74a3511c28c2be21a31e104823c826ede
                • Instruction ID: 6f5b3d0b06e06ce3defbe5b62ba999e8dce43b7996f1ec96da6707378b1ebcba
                • Opcode Fuzzy Hash: 62a8394b164e6c8e2eccec9bd7de0be74a3511c28c2be21a31e104823c826ede
                • Instruction Fuzzy Hash: 14325632715B9085EB16EF66D8513ED73A5FB88B88F454026EB4E5BBAADF38C505C300
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID: CloseEnumValue
                • String ID: kw9b
                • API String ID: 858281747-837114885
                • Opcode ID: 4b8314713dccff32993f4feca4a72d730c1f0ad3396753ca8bfb82c26e33cd38
                • Instruction ID: a79da12e532d7eb86b4034213f2927d281404f76e1d3d8be4d202bd2a10f559e
                • Opcode Fuzzy Hash: 4b8314713dccff32993f4feca4a72d730c1f0ad3396753ca8bfb82c26e33cd38
                • Instruction Fuzzy Hash: D622A03270064056FB22EB62E4513EE6361EB8C7D8F814625BB4E57AFADF38CA05C750
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 87b4c5b4f4448d3893119f480d9c05f7a650b29b20e16cc7ca871af91547ceaf
                • Instruction ID: 04dcf981b535b3d5a04f4e0f983876b723d65533687fb2a3abc72c4897885b35
                • Opcode Fuzzy Hash: 87b4c5b4f4448d3893119f480d9c05f7a650b29b20e16cc7ca871af91547ceaf
                • Instruction Fuzzy Hash: 7A22A032714A8095FB22EB76D4913EE2761EB993D4F900122BB4E5BAFADF38C545C710
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                Yara matches
                Similarity
                • API ID:
                • String ID: Content-Type
                • API String ID: 0-2058190213
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Yara matches
                Similarity
                • API ID: Close
                • String ID: 0
                • API String ID: 3535843008-4108050209
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Yara matches
                Similarity
                • API ID:
                • String ID: tI*k
                • API String ID: 0-257501792
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Yara matches
                Similarity
                • API ID:
                • String ID: ERCP
                • API String ID: 0-1384759551
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: File$PointerRead
                • String ID:
                • API String ID: 3154509469-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: CreateFirstProcessSnapshotThread32Toolhelp32
                • String ID:
                • API String ID: 3863306361-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$ClosePointerRead
                • String ID:
                • API String ID: 2610616218-0
                • Opcode ID: a70efcc47101b4f9867800df5459bf756424d222a235b85729f1529e29c6512c
                • Instruction ID: 5afa6d75f76fbbc9d7f53df6043056336d1db5d7591574d5123318d553f9c856
                • Opcode Fuzzy Hash: a70efcc47101b4f9867800df5459bf756424d222a235b85729f1529e29c6512c
                • Instruction Fuzzy Hash: 19124E3272469096EB12EF72D8913DE6765FB987C8F815022BB0D57AABDF34C605C710
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$PointerRead
                • String ID:
                • API String ID: 3154509469-0
                • Opcode ID: adeab9f7e7f78403b85c855fd21233eb2fcc788708205b266e71bb44e59354bb
                • Instruction ID: ac8bef764291a5126b18a53dad73757551fec454a5992e6944e07fe4b855ac86
                • Opcode Fuzzy Hash: adeab9f7e7f78403b85c855fd21233eb2fcc788708205b266e71bb44e59354bb
                • Instruction Fuzzy Hash: 2A023B32724A80A2FB52EB72D4913EE6764FB983C4F815022BB4D57AEADF35C545C710
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4f8859a21c92a50fc50c9c3b59b540db7ffe00dd4e7aca0f337d9411d2c2afc2
                • Instruction ID: b67327a95b15ec145a913cc43aeca3e3a8a77925bd43874970612b3ea802a6ff
                • Opcode Fuzzy Hash: 4f8859a21c92a50fc50c9c3b59b540db7ffe00dd4e7aca0f337d9411d2c2afc2
                • Instruction Fuzzy Hash: A802707272064095EB02EB66D4913EE6765FB987C8F905022FB4D83ABBEF34C649C710
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$PointerRead
                • String ID:
                • API String ID: 3154509469-0
                • Opcode ID: 3c3238336b7836bc605bb1ca3c21c9ace8557c61e0ea40ebdea97789c82cf131
                • Instruction ID: 5d574d698b33f004de0812fa71b34c36bbdae31478704d480fb686f148b39898
                • Opcode Fuzzy Hash: 3c3238336b7836bc605bb1ca3c21c9ace8557c61e0ea40ebdea97789c82cf131
                • Instruction Fuzzy Hash: EB024C72324A8096FB12EB62D4913EE6765EB983D4FC15022BB4E57AEBDF34C605C710
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 032db3c177222689b3cb165eb9820b825e4add1c79b08513d691f586493b54cf
                • Instruction ID: d38a929efe70148cd0bcafb05e8c0916e90d43f0c382b2c9e415ecaf47ade149
                • Opcode Fuzzy Hash: 032db3c177222689b3cb165eb9820b825e4add1c79b08513d691f586493b54cf
                • Instruction Fuzzy Hash: C8F16D32610A8095FB12EB76D8513EE6365EB983D8F940521BB0E57AFBEF35C605C710
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eb6850b808dae2f05f4d514f9adb72f413fb074b7d3812d5726eebe3e0aaebc4
                • Instruction ID: f0fb79f68922493fed5bc905321703954c20a875d362dace52344ff7232635a8
                • Opcode Fuzzy Hash: eb6850b808dae2f05f4d514f9adb72f413fb074b7d3812d5726eebe3e0aaebc4
                • Instruction Fuzzy Hash: D7029272320AA19AEB42DF36C8917EE2724F748789F805016FF4B57AAAEF35C545C740
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$ClosePointerRead
                • String ID:
                • API String ID: 2610616218-0
                • Opcode ID: 1e3c99be0bbb8b9cddeb87ea5924abe37f1dd24247ac75f275b4732b803fbd8c
                • Instruction ID: 9c3e8f75c9e591130820bb2956cb3806339feb13e112d9af22726fcddd3bd126
                • Opcode Fuzzy Hash: 1e3c99be0bbb8b9cddeb87ea5924abe37f1dd24247ac75f275b4732b803fbd8c
                • Instruction Fuzzy Hash: 12026C32314A8095FB52EB72D4917EE2765EB983C4F805022BB4E97AEBDF35C649C710
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 97d1b65fd668e47c37e3b93309aaea0815a33984ecc86ce6baefcba50f0a003a
                • Instruction ID: d0d419901b6e3c3183ee3913f1137c5e588d0fadc92f77f7791849e6aeb29d3b
                • Opcode Fuzzy Hash: 97d1b65fd668e47c37e3b93309aaea0815a33984ecc86ce6baefcba50f0a003a
                • Instruction Fuzzy Hash: 8A029132614A8095EB22EF32D4913EE6765FB98388F904412FB4E57AFADF34C649C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5e7d6ad12fe771e3fb0e62b5c0ce684f245e9bc75093a7fac8d5e6e5abd284cd
                • Instruction ID: ec2bdace8cb5aa7cd9fe391d2c10ac813495e702e278ed0717e669742b73ea21
                • Opcode Fuzzy Hash: 5e7d6ad12fe771e3fb0e62b5c0ce684f245e9bc75093a7fac8d5e6e5abd284cd
                • Instruction Fuzzy Hash: E6D137736186A44BD32A8F2AD9447AD7FA1F3897C4F04811AFF8A87B95E67DC944C700
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3932bc7d11068b9b3e964e0e78a5dbb4a294ab21960687a867641021fc9381ec
                • Instruction ID: fccd9241a873054b7c24d42fb58abb6f012b2f7f19fe3a4c061a127f88627f2a
                • Opcode Fuzzy Hash: 3932bc7d11068b9b3e964e0e78a5dbb4a294ab21960687a867641021fc9381ec
                • Instruction Fuzzy Hash: 41E18E3271068095FB12EB76D8917EE6765EB983C8F804021BB0D5BAEBEF35C645C740
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b3a14ef683f6a1b529798f0227a44c8e4ee96ff6b73ee571ca12d733448c9104
                • Instruction ID: 02ee9b89192d395c78975687d30e6fb06be8b995001c736011e159ca0d17724c
                • Opcode Fuzzy Hash: b3a14ef683f6a1b529798f0227a44c8e4ee96ff6b73ee571ca12d733448c9104
                • Instruction Fuzzy Hash: E2E13D32714A4095EB02EB66D4913EE6765FB983D8F900012FB4D97AFAEF34CA49C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 92ab05dbc9cd2669b5091d33ab29015e320e28aba61bb6c5a215332d421c4615
                • Instruction ID: 95da75048f27146dafc5de9d612871b80806eb61125b8034b1f63b71f4cba504
                • Opcode Fuzzy Hash: 92ab05dbc9cd2669b5091d33ab29015e320e28aba61bb6c5a215332d421c4615
                • Instruction Fuzzy Hash: 47F12C3262498096EB12EB62D8513ED6365FBD8388F814522BB4E479FBEF74CA05C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: CreateFirstProcessSnapshotThread32Toolhelp32
                • String ID:
                • API String ID: 3863306361-0
                • Opcode ID: f63e507ad0f670f6d227250d20854b79a9666114e126b38ab60c57a9a4d82c7a
                • Instruction ID: cf5fdc312f2229dc6ff813412d90ddbabd12b8e4de7574aebc9877f7d05b411a
                • Opcode Fuzzy Hash: f63e507ad0f670f6d227250d20854b79a9666114e126b38ab60c57a9a4d82c7a
                • Instruction Fuzzy Hash: 28D19032711A4195EB12EB76D4903EE23A1EB993C4F844425BF4E57BEAEF38C605C350
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0270318e08597e2e21cf764f03c3736452a73c2b2232c3c3be281bde6b64a216
                • Instruction ID: bf23390ce128f79092fde7b2b9043ef6653a4f1b38eae35900255c6e9c132ad5
                • Opcode Fuzzy Hash: 0270318e08597e2e21cf764f03c3736452a73c2b2232c3c3be281bde6b64a216
                • Instruction Fuzzy Hash: ABC1D4231282D04BD7569B3764503FAAE91E79A3C8F280655FFC997AEBD63CC2149B10
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0c3acd9d67896ec1d7277f678e3d6cb7aa4aa90bf0c0d5f081581cdb7c28fe18
                • Instruction ID: d0d512be425b72175eef7d799d9923e381f6a995b1e0446f0295c878f1c0c086
                • Opcode Fuzzy Hash: 0c3acd9d67896ec1d7277f678e3d6cb7aa4aa90bf0c0d5f081581cdb7c28fe18
                • Instruction Fuzzy Hash: CED13972724A4091EB02EB76D4913EE6765F7983C8F904016BB4D97ABAEF38C605C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8db64074ebcce5c4dedd81bf9a2ff3a17ff457e1b0e69909b8832a31f48dcc24
                • Instruction ID: 96955b53f7f5b4430e01eb0035ad3df088e7672fa3a311151148bede835f9000
                • Opcode Fuzzy Hash: 8db64074ebcce5c4dedd81bf9a2ff3a17ff457e1b0e69909b8832a31f48dcc24
                • Instruction Fuzzy Hash: E7C16136B0564089FB22EB76D0613EF27A1AB9C388F554425BF4E976FADE34C506C740
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: FileFindNext
                • String ID:
                • API String ID: 2029273394-0
                • Opcode ID: 31c27e1ea347175595e1b47a87fc37266f85764352a9cac77830d9bef605244d
                • Instruction ID: 08807915bc927436db1a901aa043915a979950c5e23cf508b5f0d65b77d78aa9
                • Opcode Fuzzy Hash: 31c27e1ea347175595e1b47a87fc37266f85764352a9cac77830d9bef605244d
                • Instruction Fuzzy Hash: 0CD17032614A8096EB02EB26D4513EE6364FBD97C4F815122FB4D57AEBDF38CA05C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 94412bf05a29f61181b2e4034e816670070f54bace09b2deb2311064dd936af0
                • Instruction ID: f96005f1b71c62cd91ec633b0fa556b6f093996ab6e40a041e3cbd638a23d0d9
                • Opcode Fuzzy Hash: 94412bf05a29f61181b2e4034e816670070f54bace09b2deb2311064dd936af0
                • Instruction Fuzzy Hash: C1C1BD3270164096FB12EF76D4413ED23A4EB883A8F484622BF2D57AE6EF38D955D350
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3eccf9dbb754c8c1deb778ee241c3eae318dad50ac8f899c590b382fcb751032
                • Instruction ID: 38de139323f3e079e5738bdd278af51575638bb101dd3218b17e6965c0953cb4
                • Opcode Fuzzy Hash: 3eccf9dbb754c8c1deb778ee241c3eae318dad50ac8f899c590b382fcb751032
                • Instruction Fuzzy Hash: 1DB16A3671062094FB46EBA2D8A17DE2365BB89BC8F825025FF0D67BA7DE38C505C354
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 51e5056caafc31b1fdea8fa1367bf17cd905dfe19a5a8576ed405fd061e2331c
                • Instruction ID: bfe4e87f351d28bd3d3693bc96d2151355ab9388d993d4a46e39ffd0a3f78ad6
                • Opcode Fuzzy Hash: 51e5056caafc31b1fdea8fa1367bf17cd905dfe19a5a8576ed405fd061e2331c
                • Instruction Fuzzy Hash: E6C16332704A809AFB22EBB2D4513EE2365AB9C3D8F854521BF1E676EADF30C505C354
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9146d3ec8acd4a0a16badc939892ed415462ce44b8d6697839496ea76bcf16cc
                • Instruction ID: f23c3879964f3f83b961310f1bad7f7be1ef7afa2b68ec7d59790f469601a501
                • Opcode Fuzzy Hash: 9146d3ec8acd4a0a16badc939892ed415462ce44b8d6697839496ea76bcf16cc
                • Instruction Fuzzy Hash: A9A10231211E8145EBA79A2798543EF27A6AB8C3D4F645825FF0E5B6E9EF34C901C700
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
                • Instruction ID: c0d98bc7e162404dc537a7c1af49e5fbe25e03b535df8b2493956c53732576b9
                • Opcode Fuzzy Hash: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
                • Instruction Fuzzy Hash: B2A114F31182A486FB778A2685413FA7FE2E719789F254402FB8A435F6C63CC985D720
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 13cd253e28557d48eb967980bc40ec236e9f52ccf7452c857af388ee758dedba
                • Instruction ID: d17e179c4ad3c1814a715198efb3da372d22ab0628f3c9d9f6a3a053a6971865
                • Opcode Fuzzy Hash: 13cd253e28557d48eb967980bc40ec236e9f52ccf7452c857af388ee758dedba
                • Instruction Fuzzy Hash: 79A1903271164045EB22EB7298507EE67E6AB9C3C8F550925BF4D47BEAEF34CA068310
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 88950e2a047467484e40da33e2a50cf3179a38bc66ed9cb9708db634e5ac509a
                • Instruction ID: 7cb660c1bafc6db3c15f0a4866a94b05aa7759728bb06ab0739d07cd917ce7e2
                • Opcode Fuzzy Hash: 88950e2a047467484e40da33e2a50cf3179a38bc66ed9cb9708db634e5ac509a
                • Instruction Fuzzy Hash: 33B18C7262464191EB12EB62E4913EE6365FB9C7C4F801022FB4E47ABBDF38C649C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
                • Instruction ID: ff1b56ecf022c2229069a5389c0477a62f006b84fd5f9f69eebb894724ab9066
                • Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
                • Instruction Fuzzy Hash: 44A125F21182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
                • Instruction ID: f965aa676d2cc64f6a485257af634002c7fef1377d4791c8bed9b1b7e56d6411
                • Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
                • Instruction Fuzzy Hash: 79A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
                • Instruction ID: 86c182e730ead1fa639f737d8458d4edb1cdee6041daaa12aedc2aef895c7c0c
                • Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
                • Instruction Fuzzy Hash: 83A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
                • Instruction ID: 7a8579acbe1e06e5dcc528155c10978c06d1d02f61772b3afab02cdca005db6d
                • Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
                • Instruction Fuzzy Hash: 3EA115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
                • Instruction ID: 9b5f4d2890da7bc9148b0c777fb781a5a0913674a9f0c1f21bc34f13756e8484
                • Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
                • Instruction Fuzzy Hash: 37A114F31182A489FB778A2685413FA7FE2E719789F254402FB8A475F6C23CC985D720
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3b4d13f183862926d15fcaebb204046f6745d54ffd6cbbb9ffc65029fdc37e38
                • Instruction ID: 9e8436de532ad8a8b9d83a7ce7f67d33a1e65f1b543d517c902b78be038a8119
                • Opcode Fuzzy Hash: 3b4d13f183862926d15fcaebb204046f6745d54ffd6cbbb9ffc65029fdc37e38
                • Instruction Fuzzy Hash: 6FA19F3271464095EB22EB72D4913EE63A5A78C7C8F914426FF0D57AFAEE38C609C750
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f0af1ab6944b9c95d384e5c763ce43f7700ad0a4da2107de65402dffef6791e8
                • Instruction ID: 891caef274385c1d9a1a05b5f8e139ad0eea2bdcde326525a3acf11d5ee056db
                • Opcode Fuzzy Hash: f0af1ab6944b9c95d384e5c763ce43f7700ad0a4da2107de65402dffef6791e8
                • Instruction Fuzzy Hash: 79918D7270164095EB16EF66E4507EE23A5ABDC7C4F448425BF4E97BA6EE34C906C340
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e3bb54c1d3781abc041ea2688e8adf80f171d77c463efdf6130cd4a63bf2c18f
                • Instruction ID: 09ec91f3f7d35e473cfa3e72b303784d96220d522314983c3d838af10b8059fe
                • Opcode Fuzzy Hash: e3bb54c1d3781abc041ea2688e8adf80f171d77c463efdf6130cd4a63bf2c18f
                • Instruction Fuzzy Hash: C4A16E32314A8095FB22EB72D8513EE2365EB987D4F940426BB4D57AFADF34CA05C710
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c0f148d79263bf7e5703b7ed02d3c0ec0aeec1694e4f0e71e98438d1cd47b617
                • Instruction ID: 9282ef7f3f2e177ec3162a27807bc3d77d508fe5c2bed51c5ff564ba7b898efa
                • Opcode Fuzzy Hash: c0f148d79263bf7e5703b7ed02d3c0ec0aeec1694e4f0e71e98438d1cd47b617
                • Instruction Fuzzy Hash: 99912232B15A4099FB12EBB2D4913ED23659B9C7C8F814525BF0DA76EBEE34C609C350
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: b643eebf8cfdcbca1c24120d95c497d1e92753d760f3673094a755a1d43c655f
                • Instruction ID: a01e236db0e61280ae7bc249da652572acbbc64743681568c883ee8cb5c556df
                • Opcode Fuzzy Hash: b643eebf8cfdcbca1c24120d95c497d1e92753d760f3673094a755a1d43c655f
                • Instruction Fuzzy Hash: D7916C3272468092FB12EB62D4957DE6365FB9C7C4F811022BB4D43AABDF78C544CB10
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3bcda5f2e61e4c1def9d688b2f5660763abb74eff223fccdf401fc2a77c4feb5
                • Instruction ID: 302e0acc29a7fbf9f737c4cea472cb5ac6117c3e2197e7ce8d7e2b3b8a4308b8
                • Opcode Fuzzy Hash: 3bcda5f2e61e4c1def9d688b2f5660763abb74eff223fccdf401fc2a77c4feb5
                • Instruction Fuzzy Hash: FB81AC762002948BE7B6CF2AD488B9E3BE9F749784F11811AEF09877A1D739D841CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
                • Instruction ID: 2085d5fbde7ab3b46fd7c59f247d5158c6ccb74e37f4a5dfc0e2ff2c0c09d730
                • Opcode Fuzzy Hash: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
                • Instruction Fuzzy Hash: 87814F36204A85C6EB679B2BE9403AF6B61F38DBD0F594512EF9A477B5CE38C442D310
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ac17b7f8efb39180ca085efcba47c4faab79178312bead101a55b4df0259caf7
                • Instruction ID: bfac23c94d9038130fb0cc9f6c7292f6f1aa2b418e68c536fc9a693e481bc66c
                • Opcode Fuzzy Hash: ac17b7f8efb39180ca085efcba47c4faab79178312bead101a55b4df0259caf7
                • Instruction Fuzzy Hash: 1E91B13270164096FB22EB22D4517EE23A0EB9C3C8F855426BB4E57AFADF34C944C351
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4eeaffe3981247762c957c6acf30eeba5d154f64fe543e8f6d268b260df3122f
                • Instruction ID: 348a5c641c523964159132b8cb670365254cd557f13034448bd6fc243d7f1d42
                • Opcode Fuzzy Hash: 4eeaffe3981247762c957c6acf30eeba5d154f64fe543e8f6d268b260df3122f
                • Instruction Fuzzy Hash: AB81503271064095FB12EB76D8913EE63A5AB9D7C8F944621BF0D4BAEAEF34C605C350
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6fafa594bebd016ff093bcd40dbc3b299e67e6ae2dbcb0f1b476c0a9e99f0752
                • Instruction ID: 4362bffb4ce140633d60009826b42a117c21897de7dbf4a94b418fc321f1d931
                • Opcode Fuzzy Hash: 6fafa594bebd016ff093bcd40dbc3b299e67e6ae2dbcb0f1b476c0a9e99f0752
                • Instruction Fuzzy Hash: 35812032714A809AFB12EB72D4513ED2365EB9C388F814425BB4E67AEBEF35C605C354
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: 6359fc6c8adbc9ee0a4df078384a14a933ee973784e4289550e1af18ea66abce
                • Instruction ID: a8b049447ef23dc7a2f3147d56ae0c312f8ac6a7955db6ed7517384e00930876
                • Opcode Fuzzy Hash: 6359fc6c8adbc9ee0a4df078384a14a933ee973784e4289550e1af18ea66abce
                • Instruction Fuzzy Hash: 0371893270264096FB66AB7294503EE6391EB9C7C8F054526BB1D47BEAEF39C905C360
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f7ecffd41c0fe5ad563f5e8500295759dfaa014df9cdef5b833e3ce016bf046c
                • Instruction ID: 4c1290556f20f3e20b66d81894b0d385f6ea8bc2319cc982c81cb2944955426d
                • Opcode Fuzzy Hash: f7ecffd41c0fe5ad563f5e8500295759dfaa014df9cdef5b833e3ce016bf046c
                • Instruction Fuzzy Hash: 6E61B031301A4041EA66E737A9517EF97929F9D7D0FA44621BF5E877FAEE38C9028700
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76605c97bce8a76887b4862afcf60b4024f3fb59332a59e125214e96f9b00564
                • Instruction ID: 50d9e92313d7fbe24902196c924c1612cff9653e99501bbf2772a847790ebefc
                • Opcode Fuzzy Hash: 76605c97bce8a76887b4862afcf60b4024f3fb59332a59e125214e96f9b00564
                • Instruction Fuzzy Hash: 7D618D3271464496FB22EB72C0913EE23A5ABDC7C8F854422BF4D57AEAEE35C501C791
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f00fb5a394a9709f8ec685fd76e5bad2177d274e767363132ebaa392af2dcbb3
                • Instruction ID: f8f81a1e6eeb4aa67bd22a5a7a70358e1ddf5b3241a247c9d5674b6b5ab46101
                • Opcode Fuzzy Hash: f00fb5a394a9709f8ec685fd76e5bad2177d274e767363132ebaa392af2dcbb3
                • Instruction Fuzzy Hash: 9061C43262465091FB21EB26E0517EE6360FBCD7C4F815122BB5D47AEAEF79C541CB10
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: 0b858b198d386bc76422145a4e6a62148db9986f9b000de7872fc4125e6447c7
                • Instruction ID: f33abad4c1c8ba015261be05896130ca5dc3e7c07ce7e813c180037223ea8262
                • Opcode Fuzzy Hash: 0b858b198d386bc76422145a4e6a62148db9986f9b000de7872fc4125e6447c7
                • Instruction Fuzzy Hash: 08718E32714A809AEB12EF76D4913EE7761F798388F844026FB4D47AAADF74C548CB10
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$ClosePointerRead
                • String ID:
                • API String ID: 2610616218-0
                • Opcode ID: 495388888e503168c51a03706843391f4f1b5ece365a42c5472d8fa5200a3a31
                • Instruction ID: 125c4d10a522e701d1fb6d0f1aef761f583aa31ccbb75f1db25899523a723602
                • Opcode Fuzzy Hash: 495388888e503168c51a03706843391f4f1b5ece365a42c5472d8fa5200a3a31
                • Instruction Fuzzy Hash: 0151633271468052FB22EBB6E4513EE6761EBD83C4F951122BB4D47AEADE38C544CB01
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
                • Instruction ID: af2d80f9b144edbe9aa630ca6e788b257520dbedf888a3db325da96401233726
                • Opcode Fuzzy Hash: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
                • Instruction Fuzzy Hash: FA612832600B8085E755DF36A481BDD33A9F78DB88FA84138EF990B36ADF318055D768
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 862d5a5a4ef1950740e6baf043931ca64864bfa2136d31a0fa3b672624132cd8
                • Instruction ID: 50cb9f747c07e87171e39f534f7bbd71060f83f950b2ada1a46c15cbddfc577a
                • Opcode Fuzzy Hash: 862d5a5a4ef1950740e6baf043931ca64864bfa2136d31a0fa3b672624132cd8
                • Instruction Fuzzy Hash: A0511B32700A4096FB12EB76D4917EE2365AB9C7C8F954421BF0DA7AEADF34C605C350
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d7add2078c0c64d4ce6d38928021543d813f1385f49b05fd632bedd2e22a0334
                • Instruction ID: 9602d307e9de31d357e639a9611a18ab9b6f2b9e1d5f0c6a8a00986c6f50d329
                • Opcode Fuzzy Hash: d7add2078c0c64d4ce6d38928021543d813f1385f49b05fd632bedd2e22a0334
                • Instruction Fuzzy Hash: 7F51AD32200A40A2EA22EB22D9957FE63A5F7DC7D0F854626FB0D836B6DF34C556D710
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: File$PointerRead
                • String ID:
                • API String ID: 3154509469-0
                • Opcode ID: 3918994076228825f8559f4b782924f0ccd0ed6d35931adbf92e4a1434cd2df3
                • Instruction ID: aca98edda921e0e11dbb2b437e66833b6d9475281c93859f86ded24665675a69
                • Opcode Fuzzy Hash: 3918994076228825f8559f4b782924f0ccd0ed6d35931adbf92e4a1434cd2df3
                • Instruction Fuzzy Hash: E5516E3271465095FB52EB76E4913EE6761EBD8388F850026BB4E479EADF38C948CB04
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 014a518b914a5908520cf3545f863bded32663d43aebd8128dfacd86afced284
                • Instruction ID: 51a026cb75a50cc44213724d5bb8c382370875f63e51d6fdf42d7c4c4c07ed92
                • Opcode Fuzzy Hash: 014a518b914a5908520cf3545f863bded32663d43aebd8128dfacd86afced284
                • Instruction Fuzzy Hash: 5D415F32B1066095FB12E77798517EE23A2ABCD7C4FA94421BF0E57AEBDE34C5018354
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2114e707e4d9976738c501cde4f591cbf86df063e9824d1c0a10a7fc80c3f5e5
                • Instruction ID: fec891e6c53086f7b9094a78f95b73510c7007b912bc3ef8a41aa8e11e9acb14
                • Opcode Fuzzy Hash: 2114e707e4d9976738c501cde4f591cbf86df063e9824d1c0a10a7fc80c3f5e5
                • Instruction Fuzzy Hash: 01413D31B2066095FB12EB7798513EE13A6ABDC7C4F994421BF0E97AEADE38C5058314
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                • API ID: CreateMutex
                • API String ID: 1964310414-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
                • Associated: 00000000.00000002.452030706.0000000140000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452148821.0000000140080000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.452171080.0000000140092000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.452183551.0000000140094000.00000002.00020000.sdmp
                Yara matches
                Similarity
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.342104276.000001FE68020000.00000040.00000001.sdmp, Offset: 000001FE68020000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001FE680229A8), ref: 000001FE680220A7
                Memory Dump Source
                • Source File: 00000002.00000002.342104276.000001FE68020000.00000040.00000001.sdmp, Offset: 000001FE68020000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.250046507.000001E5DAF20000.00000040.00000001.sdmp, Offset: 000001E5DAF20000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001E5DAF229A8), ref: 000001E5DAF220A7
                Memory Dump Source
                • Source File: 00000003.00000002.250046507.000001E5DAF20000.00000040.00000001.sdmp, Offset: 000001E5DAF20000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000006.00000002.256560001.000001FCAA4D0000.00000040.00000001.sdmp, Offset: 000001FCAA4D0000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001FCAA4D29A8), ref: 000001FCAA4D20A7
                Memory Dump Source
                • Source File: 00000006.00000002.256560001.000001FCAA4D0000.00000040.00000001.sdmp, Offset: 000001FCAA4D0000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000008.00000002.264369687.0000025C37E10000.00000040.00000001.sdmp, Offset: 0000025C37E10000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000025C37E129A8), ref: 0000025C37E120A7
                Memory Dump Source
                • Source File: 00000008.00000002.264369687.0000025C37E10000.00000040.00000001.sdmp, Offset: 0000025C37E10000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000009.00000002.272051862.000001E5D3C80000.00000040.00000001.sdmp, Offset: 000001E5D3C80000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001E5D3C829A8), ref: 000001E5D3C820A7
                Memory Dump Source
                • Source File: 00000009.00000002.272051862.000001E5D3C80000.00000040.00000001.sdmp, Offset: 000001E5D3C80000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.280331146.000001B657140000.00000040.00000001.sdmp, Offset: 000001B657140000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001B6571429A8), ref: 000001B6571420A7
                Memory Dump Source
                • Source File: 0000000A.00000002.280331146.000001B657140000.00000040.00000001.sdmp, Offset: 000001B657140000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.288148050.00000223C3C10000.00000040.00000001.sdmp, Offset: 00000223C3C10000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000223C3C129A8), ref: 00000223C3C120A7
                Memory Dump Source
                • Source File: 0000000E.00000002.288148050.00000223C3C10000.00000040.00000001.sdmp, Offset: 00000223C3C10000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.294911662.0000021AC00B0000.00000040.00000001.sdmp, Offset: 0000021AC00B0000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000021AC00B29A8), ref: 0000021AC00B20A7
                Memory Dump Source
                • Source File: 00000013.00000002.294911662.0000021AC00B0000.00000040.00000001.sdmp, Offset: 0000021AC00B0000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000015.00000002.303720348.00000265880E0000.00000040.00000001.sdmp, Offset: 00000265880E0000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000265880E29A8), ref: 00000265880E20A7
                Memory Dump Source
                • Source File: 00000015.00000002.303720348.00000265880E0000.00000040.00000001.sdmp, Offset: 00000265880E0000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000017.00000002.310816689.000001B10EBF0000.00000040.00000001.sdmp, Offset: 000001B10EBF0000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001B10EBF29A8), ref: 000001B10EBF20A7
                Memory Dump Source
                • Source File: 00000017.00000002.310816689.000001B10EBF0000.00000040.00000001.sdmp, Offset: 000001B10EBF0000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000018.00000002.318031199.00000258C5100000.00000040.00000001.sdmp, Offset: 00000258C5100000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000258C51029A8), ref: 00000258C51020A7
                Memory Dump Source
                • Source File: 00000018.00000002.318031199.00000258C5100000.00000040.00000001.sdmp, Offset: 00000258C5100000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 00000019.00000002.325171925.0000022CBC950000.00000040.00000001.sdmp, Offset: 0000022CBC950000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000022CBC9529A8), ref: 0000022CBC9520A7
                Memory Dump Source
                • Source File: 00000019.00000002.325171925.0000022CBC950000.00000040.00000001.sdmp, Offset: 0000022CBC950000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 0000001B.00000002.332556740.000001F9CF220000.00000040.00000001.sdmp, Offset: 000001F9CF220000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001F9CF2229A8), ref: 000001F9CF2220A7
                Memory Dump Source
                • Source File: 0000001B.00000002.332556740.000001F9CF220000.00000040.00000001.sdmp, Offset: 000001F9CF220000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 0000001C.00000002.339875862.00000228FE150000.00000040.00000001.sdmp, Offset: 00000228FE150000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • API String ID: 3879549435-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000228FE1529A8), ref: 00000228FE1520A7
                Memory Dump Source
                • Source File: 0000001C.00000002.339875862.00000228FE150000.00000040.00000001.sdmp, Offset: 00000228FE150000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 0000001D.00000002.401485703.000001F735C10000.00000040.00000001.sdmp, Offset: 000001F735C10000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • String ID:
                • API String ID: 3879549435-0

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001F735C129A8), ref: 000001F735C120A7
                Memory Dump Source
                • Source File: 0000001D.00000002.401485703.000001F735C10000.00000040.00000001.sdmp, Offset: 000001F735C10000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0

                Non-executed Functions

                Executed Functions

                APIs
                Memory Dump Source
                • Source File: 0000001F.00000002.353972146.000001DAF8AD0000.00000040.00000001.sdmp, Offset: 000001DAF8AD0000, based on PE: true
                Similarity
                • API ID: ProtectVirtual$NodeRemove
                • String ID:
                • API String ID: 3879549435-0

                APIs
                • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001DAF8AD29A8), ref: 000001DAF8AD20A7
                Memory Dump Source
                • Source File: 0000001F.00000002.353972146.000001DAF8AD0000.00000040.00000001.sdmp, Offset: 000001DAF8AD0000, based on PE: true
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0

                Non-executed Functions

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: Print$InformationProcessQuery
                • String ID: WER/CrashAPI:%u: ERROR Invalid arg$WER/CrashAPI:%u: ERROR No PEB for process$WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed$WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read PebBaseAddress
                • API String ID: 213565265-363347543

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: Find$File_wcsicmp$CloseFirstNext
                • String ID: DeleteCorruptedReportFromStore
                • API String ID: 3999888431-1966130119

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorHeapLastMutexRelease$FreeObjectProcessSingleWait
                • String ID: wil::details::ReleaseMutex
                • API String ID: 3975950450-1086251647

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: Time$CloseCreateErrorFileLastSystemValue
                • String ID: LastLiveReportFlushTime$LastQueueNoPesterTime$LastQueuePesterTime$LastResponsePesterTime
                • API String ID: 621416076-4033952892

                APIs
                • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,onecore\windows\feedback\core\wermgr\lib\wermgr.cpp,00000000,00007FF740974D37,?,000007FF,00007FF740974E7C), ref: 00007FF740974AE7
                • memset.MSVCRT ref: 00007FF740974B30
                • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,onecore\windows\feedback\core\wermgr\lib\wermgr.cpp,00000000,00007FF740974D37,?,000007FF,00007FF740974E7C), ref: 00007FF740974BCF
                • OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0(?,onecore\windows\feedback\core\wermgr\lib\wermgr.cpp,00000000,00007FF740974D37,?,000007FF,00007FF740974E7C), ref: 00007FF740974C5C
                Strings
                • onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 00007FF7409749DE
                • LaunchEventReportingConsole::<lambda_ee853b4330cba43032664d6fd46aca6c>::operator (), xrefs: 00007FF7409749E5
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: CurrentDebugDebuggerOutputPresentStringThreadmemset
                • String ID: LaunchEventReportingConsole::<lambda_ee853b4330cba43032664d6fd46aca6c>::operator ()$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
                • API String ID: 3402966819-2357862516

                APIs
                • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF7409817B4
                • CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF7409817F6
                • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF74098185F
                • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF740981870
                • FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF7409818A8
                  • Part of subcall function 00007FF7409812E0: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00000000,00007FF740981705), ref: 00007FF74098132D
                  • Part of subcall function 00007FF7409812E0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00007FF740981705), ref: 00007FF740981378
                  • Part of subcall function 00007FF7409812E0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00007FF740981705), ref: 00007FF7409813A6
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorLast$AllocateCheckCloseCurrentFreeInitializeMembershipOpenThreadToken
                • String ID: SYSTEM\CurrentControlSet\Control\MiniNT
                • API String ID: 2458340890-2757998475

                APIs
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: MessageStringTrace$AllocCreateFreeInitializeInstanceUninitialize
                • String ID:
                • API String ID: 915162858-0

                APIs
                  • Part of subcall function 00007FF740982438: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7409824B1
                  • Part of subcall function 00007FF740982438: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7409824C9
                  • Part of subcall function 00007FF740982438: NtQueryLicenseValue.NTDLL ref: 00007FF7409824F5
                  • Part of subcall function 00007FF740982438: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF740982565
                • NtQueryLicenseValue.NTDLL ref: 00007FF740982011
                  • Part of subcall function 00007FF740982060: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00000004,00000000,00000000,?,00007FF740981F98), ref: 00007FF740982092
                  • Part of subcall function 00007FF740982060: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00000004,00000000,00000000,?,00007FF740981F98), ref: 00007FF7409820AA
                  • Part of subcall function 00007FF740982060: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00000004,00000000,00000000,?,00007FF740981F98), ref: 00007FF7409820BD
                  • Part of subcall function 00007FF740982060: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF740982202
                  • Part of subcall function 00007FF740981F00: RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF740981F39
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: Library$AddressProcValue$FreeLicenseLoadQuery
                • String ID: AllowTelemetry$Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
                • API String ID: 1629355636-1682735051

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: Close$ErrorFileHandleLastViewmemset$NamespacePrivateUnmap
                • String ID: CreateProcess failed$Failed to show the help content %ws$Invalid launch type passed$Invalid size passed in section$MapViewOfFile failed$ShellExecuteEx api not present$ShellExecuteEx failed$StartNonElevatedProcessInstance$UtilGetNonElevationInfo failed$explore$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp$open
                • API String ID: 3718369419-189962150

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorFileLastmemset$CloseCreateHandleMappingMessageTraceView
                • String ID: -k -lcq
                • API String ID: 332472461-3937627094

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: CloseErrorHandleLastOpenSemaphore
                • String ID: _p0$wil$wil::details::CloseHandle$wil::details_abi::SemaphoreValue::TryGetValueInternal
                • API String ID: 3419097560-569441599

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: CloseErrorFileLast$CurrentHandleMappingNamespaceOpenPrivateProcessViewmemset
                • String ID: WerSvc\WerSvcNonElevationInfoSectionName%d
                • API String ID: 282122006-3649978101

                APIs
                  • Part of subcall function 00007FF740981750: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF7409817B4
                  • Part of subcall function 00007FF740981750: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF74098185F
                  • Part of subcall function 00007FF740981750: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF740981870
                  • Part of subcall function 00007FF740981750: FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF7409818A8
                • WerpIsTransportAvailable.WER ref: 00007FF7409719D6
                  • Part of subcall function 00007FF7409714D0: memset.MSVCRT ref: 00007FF74097151A
                  • Part of subcall function 00007FF7409714D0: memset.MSVCRT ref: 00007FF740971528
                  • Part of subcall function 00007FF7409714D0: memset.MSVCRT ref: 00007FF740971539
                  • Part of subcall function 00007FF7409714D0: memset.MSVCRT ref: 00007FF740971548
                  • Part of subcall function 00007FF7409714D0: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF740971567
                  • Part of subcall function 00007FF7409714D0: IsWow64Process.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 00007FF740971575
                  • Part of subcall function 00007FF7409714D0: Wow64DisableWow64FsRedirection.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 00007FF74097158A
                  • Part of subcall function 00007FF7409714D0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF740971594
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: memset$Wow64$Process$AllocateAvailableCloseCurrentDisableErrorFreeInitializeLastOpenRedirectionTransportWerp
                • String ID: DoQueueReporting$FlushLiveReports$FlushLiveReports failed$LaunchEventReportingConsole failed$Not launching reporting console: current process is not interactive or wer is disabled or not opted in$Not launching reporting console: transport is not available$UtilLaunchElevatedProcess for live kernel reporting failed.$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
                • API String ID: 173890828-3059153498

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: CloseMessageOpenTraceValue
                • String ID: Software\Microsoft\Windows\Windows Error Reporting$StorePath
                • API String ID: 1932785668-806903183

                APIs
                Memory Dump Source
                • Source File: 0000001F.00000002.355458230.00007FF740971000.00000020.00020000.sdmp, Offset: 00007FF740970000, based on PE: true
                • Associated: 0000001F.00000002.355438821.00007FF740970000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355477999.00007FF740985000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355511512.00007FF74098E000.00000004.00020000.sdmp
                • Associated: 0000001F.00000002.355523982.00007FF740990000.00000002.00020000.sdmp
                • Associated: 0000001F.00000002.355538678.00007FF740992000.00000002.00020000.sdmp
                Similarity
                • API ID: Heap$Process$Free$Allocmemcpy_s
                • String ID:
                • API String ID: 3852585984-0
                • Opcode ID: f48e67270c704f3a778cdf779586809e0505a78bef4d58a80b85713198d184eb
                • Instruction ID: 2cc85b7490feb4172a0554a3c40f455904e3ee3e4b2be957badd5543e3cb80d9
                • Opcode Fuzzy Hash: f48e67270c704f3a778cdf779586809e0505a78bef4d58a80b85713198d184eb
                • Instruction Fuzzy Hash: 66215A73A19B42C6EB85BF66E504368B3A0FF49F90F988135DA1D87794DF7CE0258250
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: ErrorFileLastView$MessageTraceUnmap
                • String ID:
                • API String ID: 4108440488-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
                • String ID:
                • API String ID: 3221859647-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: CloseMessageOpenQueryTraceValue
                • String ID:
                • API String ID: 3821667754-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF74098084E
                • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF74098089F
                • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF740980875
                • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7409808DF
                • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF740980935
                  • Part of subcall function 00007FF740980414: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7409802BB), ref: 00007FF740980473
                  • Part of subcall function 00007FF740980414: ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7409802BB), ref: 00007FF740980491
                Similarity
                • API ID: ExclusiveLock$Acquire$Release$memcpy_s
                • String ID:
                • API String ID: 565443268-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: CloseHandle$FileReportUnmapView
                • String ID:
                • API String ID: 3666915389-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: ThreadpoolTimer$ErrorLast$CallbacksCloseWait
                • String ID:
                • API String ID: 3522076515-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: _vsnwprintf
                • String ID: %hs$LaunchEventReportingConsole::<lambda_ee853b4330cba43032664d6fd46aca6c>::operator ()$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
                • API String ID: 1036211903-4217687857
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: MessageTrace
                • String ID: NewUserDefaultConsent$Software\Microsoft\Windows\Windows Error Reporting\Consent$v
                • API String ID: 471583391-3250182199
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Wow64RevertWow64FsRedirection.API-MS-WIN-CORE-WOW64-L1-1-0 ref: 00007FF740973F71
                Strings
                • onecore\windows\feedback\core\wermgr\lib\wermgr.cpp, xrefs: 00007FF740973F93
                • Wow64RevertWow64FsRedirection failed., xrefs: 00007FF740973F80
                • LaunchEventReportingConsole::<lambda_ee853b4330cba43032664d6fd46aca6c>::operator (), xrefs: 00007FF740973F87
                Similarity
                • API ID: Wow64$RedirectionRevert
                • String ID: LaunchEventReportingConsole::<lambda_ee853b4330cba43032664d6fd46aca6c>::operator ()$Wow64RevertWow64FsRedirection failed.$onecore\windows\feedback\core\wermgr\lib\wermgr.cpp
                • API String ID: 949088015-771996154
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFinalPathNameByHandleW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,00007FF74097BBC3), ref: 00007FF74097B99C
                • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00007FF74097BBC3), ref: 00007FF74097B9A8
                  • Part of subcall function 00007FF74097A92C: EtwTraceMessage.NTDLL ref: 00007FF74097A972
                Similarity
                • API ID: ErrorFinalHandleLastMessageNamePathTracemalloc
                • String ID:
                • API String ID: 1555956524-0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Similarity
                • API ID: ThreadpoolTimer$ErrorLast$CallbacksCloseWait
                • String ID: wil::details::ReleaseMutex
                • API String ID: 3522076515-1086251647
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: Heap$FreeProcess
                • String ID:
                • API String ID: 3859560861-0
                Uniqueness

                Uniqueness Score: -1.00%