
Windows Analysis Report 3PgaI7gtQn

Overview

General Information

Sample Name: 3PgaI7gtQn (renamed file extension from none to dll)
Analysis ID: 492089
MD5: 8a6f4fe59b41d74501e04f1b451dc57d
SHA1: 064f5eca3efd02c5f40a8c9e7fedb86aa40eeed0
SHA256: d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca
Tags: exe

Detection

Dridex
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6272 cmdline: loaddll64.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
    • cmd.exe (PID: 2600 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 1444 cmdline: rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 900 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • bdeunlock.exe (PID: 3976 cmdline: C:\Windows\system32\bdeunlock.exe MD5: FAB70105E2075EEC9C249A4D499CAE7C)
        • bdeunlock.exe (PID: 2912 cmdline: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe MD5: FAB70105E2075EEC9C249A4D499CAE7C)
        • CameraSettingsUIHost.exe (PID: 6660 cmdline: C:\Windows\system32\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • CameraSettingsUIHost.exe (PID: 6744 cmdline: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • pwcreator.exe (PID: 1848 cmdline: C:\Windows\system32\pwcreator.exe MD5: BF33FA218E0B4F6AEC77616BE0F5DD9D)
        • pwcreator.exe (PID: 4984 cmdline: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe MD5: BF33FA218E0B4F6AEC77616BE0F5DD9D)
        • lpksetup.exe (PID: 5944 cmdline: C:\Windows\system32\lpksetup.exe MD5: 8E2C63E761A22724382338F349C55014)
        • lpksetup.exe (PID: 4732 cmdline: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe MD5: 8E2C63E761A22724382338F349C55014)
    • rundll32.exe (PID: 2824 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropVariant MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1572 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropertyStore MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5184 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,DestroyPropVariant MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2872 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,FormatTagFromWfx MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6116 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetAMSubtypeFromD3DFormat MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7164 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetD3DFormatFromMFSubtype MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5560 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAddPeriodicCallback MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5568 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateSerialWorkQueue MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4100 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueue MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3416 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueueEx MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6764 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAppendCollection MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6704 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAverageTimePerFrameToFrameRate MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6700 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginCreateFile MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4200 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginGetHostByName MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2464 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSS MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6832 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSSEx MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1492 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginUnregisterWorkQueueWithMMCSS MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7040 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateBitmapImageSize MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2124 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateImageSize MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
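The process tree above shows the pattern a responder would hunt for. explorer.exe launches a signed Windows binary (bdeunlock.exe, CameraSettingsUIHost.exe, pwcreator.exe, lpksetup.exe) first from C:\Windows\system32 and then again from a copy under C:\Users\user\AppData\Local\<random>\ that carries the same MD5, while the AV rows further down flag a DLL sitting in the same random folder under the name of a legitimate Windows library (DUI70.dll, WINBRAND.dll, dpx.dll). The copied executable is the genuine Microsoft file and will scan clean; the DLL beside it is what gets loaded in its place (DLL side-loading). The script below is an added example and is not part of the Joe Sandbox report. It applies that heuristic to the report's own process-tree entries and flagged dropped files, embedded here as constructed input: pair every image run from AppData\Local with a same-name, same-hash image run from System32, then attach any flagged DLL from the same directory. Running the same logic over Sysmon process-creation events with hashes and file-create events on a live host is my suggestion, not something the report states.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: process-tree entries copied from this report (bullets and indentation dropped).
PROCESS_TREE = r"""
loaddll64.exe (PID: 6272 cmdline: loaddll64.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
rundll32.exe (PID: 900 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant MD5: 73C519F050C20580F8A62C849D49215A)
explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
bdeunlock.exe (PID: 3976 cmdline: C:\Windows\system32\bdeunlock.exe MD5: FAB70105E2075EEC9C249A4D499CAE7C)
bdeunlock.exe (PID: 2912 cmdline: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe MD5: FAB70105E2075EEC9C249A4D499CAE7C)
CameraSettingsUIHost.exe (PID: 6660 cmdline: C:\Windows\system32\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
CameraSettingsUIHost.exe (PID: 6744 cmdline: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
pwcreator.exe (PID: 1848 cmdline: C:\Windows\system32\pwcreator.exe MD5: BF33FA218E0B4F6AEC77616BE0F5DD9D)
pwcreator.exe (PID: 4984 cmdline: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe MD5: BF33FA218E0B4F6AEC77616BE0F5DD9D)
lpksetup.exe (PID: 5944 cmdline: C:\Windows\system32\lpksetup.exe MD5: 8E2C63E761A22724382338F349C55014)
lpksetup.exe (PID: 4732 cmdline: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe MD5: 8E2C63E761A22724382338F349C55014)
"""

# Constructed input: the dropped DLLs named in the report's "Antivirus detection for dropped file" rows.
DROPPED_DLLS = [
    r"C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll",
    r"C:\Users\user\AppData\Local\43ip\DUI70.dll",
    r"C:\Users\user\AppData\Local\oobM\MFC42u.dll",
    r"C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll",
    r"C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll",
    r"C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll",
    r"C:\Users\user\AppData\Local\zshP\VERSION.dll",
]

ENTRY = re.compile(
    r"^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*?) MD5: (?P<md5>[0-9A-F]{32})\)$",
    re.I | re.M,
)


def parse_tree(text):
    """Return (pid, image path, md5) for entries whose command line starts with an absolute path.
    Entries such as 'rundll32.exe <dll>,<export>' carry no image path of their own and are skipped."""
    rows = []
    for m in ENTRY.finditer(text):
        first = m.group("cmd").split()[0].strip("'\"")
        if re.match(r"^[A-Za-z]:\\", first):
            rows.append((int(m.group("pid")), first, m.group("md5").upper()))
    return rows


def _parts(path):
    return [p.lower() for p in PureWindowsPath(path).parts]


def in_system32(path):
    p = _parts(path)
    return len(p) > 3 and p[1] == "windows" and p[2] in ("system32", "syswow64")


def in_user_local(path):
    p = _parts(path)
    return "appdata" in p and p.index("appdata") + 1 < len(p) and p[p.index("appdata") + 1] == "local"


def find_relocated_copies(entries):
    """Pair every image run from a per-user AppData\\Local directory with a same-name, same-hash image
    run from System32. Equal hashes mean the copy is the genuine Windows binary, so it scans clean."""
    seen = defaultdict(lambda: {"system": [], "local": []})
    for _pid, path, md5 in entries:
        key = (PureWindowsPath(path).name.lower(), md5)
        if in_system32(path):
            seen[key]["system"].append(path)
        elif in_user_local(path):
            seen[key]["local"].append(path)
    hits = []
    for (_name, md5), where in seen.items():
        for local in where["local"]:
            if where["system"]:
                hits.append({"exe": local, "original": where["system"][0], "md5": md5, "dlls": []})
    return hits


def attach_dropped_dlls(hits, dropped):
    """Attach each flagged DLL to the relocated executable that shares its directory (the side-load pair)."""
    by_dir = defaultdict(list)
    for p in dropped:
        by_dir[str(PureWindowsPath(p).parent).lower()].append(PureWindowsPath(p).name)
    for h in hits:
        h["dlls"] = by_dir.get(str(PureWindowsPath(h["exe"]).parent).lower(), [])
    return hits


def hunt(tree_text, dropped):
    return attach_dropped_dlls(find_relocated_copies(parse_tree(tree_text)), dropped)


if __name__ == "__main__":
    for h in hunt(PROCESS_TREE, DROPPED_DLLS):
        print(f"{h['exe']}  (copy of {h['original']}, MD5 {h['md5']})  side-load DLL: {h['dlls'] or 'none flagged'}")
```

Four relocated copies come out (bnfeSWnf, 43ip, NfgW4al, fbMtwkN2S); three of them have a flagged DLL beside them. The bdeunlock.exe copy has none in the AV rows, which only list files a scanner fired on, so the executable-copy check should stand on its own and not depend on a DLL verdict.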

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000B.00000002.710759124.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000024.00000002.812744317.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000015.00000002.820144134.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
0000001F.00000002.800645636.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000010.00000002.733013846.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(21 further entries not shown here; all 26 matching dumps are listed under "Yara detected Dridex unpacked file" in the E-Banking Fraud section below.)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 3PgaI7gtQn.dll Virustotal: Detection: 68%
Source: 3PgaI7gtQn.dll Metadefender: Detection: 54%
Source: 3PgaI7gtQn.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: 3PgaI7gtQn.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\43ip\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\oobM\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\zshP\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: 3PgaI7gtQn.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\43ip\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oobM\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\zshP\VERSION.dll Joe Sandbox ML: detected

Source: 3PgaI7gtQn.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
Source: Binary string: pwcreator.pdb source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
Source: Binary string: pwcreator.pdbGCTL source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBAD98 memset, GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, FindFirstFileW, GetLastError, GetLastError, _wcsicmp, _wcsicmp, GetLastError, GetCurrentThread, NtQueryInformationThread, FindNextFileW, GetLastError, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, FindClose, SetLastError
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB0414 FindClose, wcscpy_s, lstrlenW, FindFirstFileW, GetFullPathNameW, FindClose, SetLastError, wcsrchr, wcsrchr, FindClose
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B987818 GetLogicalDriveStringsW, GetLastError, GetProcessHeap, HeapAlloc, GetLogicalDriveStringsW, GetLastError, ?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 0000000B.00000002.710759124.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.812744317.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.820144134.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.800645636.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.733013846.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.703548461.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.776537982.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.726244001.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666186606.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.802131007.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.756539402.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.822671536.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.839774355.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.673965568.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.681251793.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.783009139.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.688453025.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.741881097.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.794067616.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.760994382.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.718583222.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.749401860.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.783658899.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.812206472.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.698430783.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, type: MEMORY
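The Yara hits above are on memory dumps, not files, and the dump names encode which analysed process each one came from. Read that way, the list answers a question the report never states outright: how many of the processes in the tree ended up holding the unpacked Dridex image. The decoder below is an added example, not part of the report. Its field layout (process index, dump pass, dump id, base address, protection, allocation type) and the reading of 0x20 as PAGE_EXECUTE_READ and 0x20000 as MEM_PRIVATE are my assumptions from the Windows constants, not something Joe Sandbox documents on this page. What the page itself does support: the process index is hex in dump names and decimal in code-function IDs (bdeunlock.exe appears as 0000001B and as 27_2_..., pwcreator.exe as 00000023 and 35_2_..., CameraSettingsUIHost.exe as 0000001F, loaddll64.exe as 0), and every one of the 26 dumps sits at 0x140001000, the default image base of a 64-bit PE.

```python
import re

# Constructed input: the 26 memory dumps this report lists under "Yara detected Dridex unpacked file".
DRIDEX_DUMPS = """
0000000B.00000002.710759124.0000000140001000.00000020.00020000.sdmp
00000024.00000002.812744317.0000000140001000.00000020.00020000.sdmp
00000015.00000002.820144134.0000000140001000.00000020.00020000.sdmp
0000001F.00000002.800645636.0000000140001000.00000020.00020000.sdmp
00000010.00000002.733013846.0000000140001000.00000020.00020000.sdmp
0000000A.00000002.703548461.0000000140001000.00000020.00020000.sdmp
00000017.00000002.776537982.0000000140001000.00000020.00020000.sdmp
0000000F.00000002.726244001.0000000140001000.00000020.00020000.sdmp
00000003.00000002.666186606.0000000140001000.00000020.00020000.sdmp
00000020.00000002.802131007.0000000140001000.00000020.00020000.sdmp
00000014.00000002.756539402.0000000140001000.00000020.00020000.sdmp
00000027.00000002.822671536.0000000140001000.00000020.00020000.sdmp
00000026.00000002.839774355.0000000140001000.00000020.00020000.sdmp
00000006.00000002.673965568.0000000140001000.00000020.00020000.sdmp
00000007.00000002.681251793.0000000140001000.00000020.00020000.sdmp
0000001B.00000002.783009139.0000000140001000.00000020.00020000.sdmp
00000008.00000002.688453025.0000000140001000.00000020.00020000.sdmp
00000011.00000002.741881097.0000000140001000.00000020.00020000.sdmp
0000001E.00000002.794067616.0000000140001000.00000020.00020000.sdmp
00000002.00000002.760994382.0000000140001000.00000020.00020000.sdmp
0000000D.00000002.718583222.0000000140001000.00000020.00020000.sdmp
00000013.00000002.749401860.0000000140001000.00000020.00020000.sdmp
0000001C.00000002.783658899.0000000140001000.00000020.00020000.sdmp
00000023.00000002.812206472.0000000140001000.00000020.00020000.sdmp
00000009.00000002.698430783.0000000140001000.00000020.00020000.sdmp
00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp
""".split()

# Process names the report itself ties to an analysis index (PDB-string rows and code-function IDs).
KNOWN_PROCESSES = {
    0x00: "loaddll64.exe",
    0x1B: "bdeunlock.exe",
    0x1F: "CameraSettingsUIHost.exe",
    0x23: "pwcreator.exe",
}

# Assumed layout of a .sdmp name: <process index>.<dump pass>.<dump id>.<base>.<protect>.<type>.sdmp
DUMP_NAME = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I
)
PAGE_EXECUTE_READ = 0x20  # Windows protection constant; assumption that the 5th field holds these flags
MEM_PRIVATE = 0x20000     # Windows allocation-type constant; assumption that the 6th field holds it


def parse_dump_name(name):
    """Split a dump file name into numeric fields (process index and base address are hex)."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    proc, pass_, dump_id, base, protect, mtype = m.groups()
    return {
        "process": int(proc, 16), "pass": int(pass_, 16), "dump_id": int(dump_id),
        "base": int(base, 16), "protect": int(protect, 16), "type": int(mtype, 16),
    }


def parse_code_function_id(ident):
    """'27_2_00007FF77B972EF4' -> (27, 2, 0x7FF77B972EF4); the process index is decimal here."""
    proc, pass_, addr = ident.split("_")
    return int(proc), int(pass_), int(addr, 16)


def infected_processes(dumps, known):
    """One row per dump: (process index, name or '?', base address, private executable region?)."""
    rows = []
    for d in map(parse_dump_name, dumps):
        private_rx = d["protect"] == PAGE_EXECUTE_READ and d["type"] == MEM_PRIVATE
        rows.append((d["process"], known.get(d["process"], "?"), d["base"], private_rx))
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for idx, name, base, private_rx in infected_processes(DRIDEX_DUMPS, KNOWN_PROCESSES):
        kind = "private RX image" if private_rx else "other"
        print(f"process {idx:2d} (0x{idx:02X}) {name:26s} base 0x{base:X} {kind}")
```

Twenty-six distinct process indices come out, all with a private executable region at 0x140001000, and the four indices the page names are among them. The page does not tie the other indices to a process name, so they print as '?'.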
Source: C:\Windows\System32\loaddll64.exe Code functions (111):
0_2_0000000140034870, 0_2_0000000140035270, 0_2_0000000140048AC0, 0_2_000000014005C340,
0_2_0000000140065B80, 0_2_000000014006A4B0, 0_2_00000001400524B0, 0_2_0000000140026CC0,
0_2_000000014004BD40, 0_2_00000001400495B0, 0_2_0000000140036F30, 0_2_0000000140069010,
0_2_0000000140001010, 0_2_0000000140066020, 0_2_000000014002F840, 0_2_000000014005D850,
0_2_0000000140064080, 0_2_0000000140010880, 0_2_00000001400688A0, 0_2_000000014002D0D0,
0_2_00000001400018D0, 0_2_0000000140016100, 0_2_000000014001D100, 0_2_000000014002A110,
0_2_000000014001D910, 0_2_0000000140015120, 0_2_000000014000B120, 0_2_000000014004F940,
0_2_0000000140039140, 0_2_0000000140023140, 0_2_0000000140057950, 0_2_000000014001E170,
0_2_0000000140002980, 0_2_00000001400611A0, 0_2_00000001400389A0, 0_2_00000001400381A0,
0_2_000000014002E1B0, 0_2_00000001400139D0, 0_2_00000001400319F0, 0_2_000000014002EA00,
0_2_0000000140022A00, 0_2_000000014003B220, 0_2_0000000140067A40, 0_2_0000000140069A50,
0_2_0000000140007A60, 0_2_000000014003AAC0, 0_2_000000014003A2E0, 0_2_0000000140062B00,
0_2_0000000140018300, 0_2_000000014002FB20, 0_2_0000000140031340, 0_2_0000000140022340,
0_2_0000000140017B40, 0_2_000000014000BB40, 0_2_000000014004EB60, 0_2_0000000140005370,
0_2_000000014002CB80, 0_2_000000014006B390, 0_2_0000000140054BA0, 0_2_0000000140033BB0,
0_2_00000001400263C0, 0_2_00000001400123C0, 0_2_0000000140063BD0, 0_2_00000001400663F0,
0_2_0000000140023BF0, 0_2_000000014006B41B, 0_2_000000014006B424, 0_2_000000014006B42D,
0_2_000000014006B436, 0_2_000000014006B43D, 0_2_0000000140024440, 0_2_0000000140005C40,
0_2_000000014006B446, 0_2_000000014005F490, 0_2_0000000140022D00, 0_2_0000000140035520,
0_2_0000000140019D20, 0_2_0000000140030530, 0_2_0000000140023530, 0_2_0000000140031540,
0_2_0000000140033540, 0_2_000000014007BD50, 0_2_0000000140078570, 0_2_0000000140019580,
0_2_00000001400205A0, 0_2_0000000140025DB0, 0_2_0000000140071DC0, 0_2_000000014000C5C0,
0_2_000000014002DDE0, 0_2_0000000140031DF0, 0_2_000000014000DDF0, 0_2_0000000140001620,
0_2_0000000140018630, 0_2_0000000140032650, 0_2_0000000140064E80, 0_2_0000000140016E80,
0_2_0000000140007EA0, 0_2_00000001400286B0, 0_2_0000000140006EB0, 0_2_00000001400276C0,
0_2_000000014002FEC0, 0_2_000000014002EED0, 0_2_000000014002B6E0, 0_2_0000000140053F20,
0_2_0000000140022730, 0_2_0000000140029780, 0_2_0000000140018F80, 0_2_000000014003EFB0,
0_2_00000001400067B0, 0_2_00000001400667D0, 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code functions (4):
27_2_00007FF77B972EF4, 27_2_00007FF77B988850, 27_2_00007FF77B988E2C, 27_2_00007FF77B97139C
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code functions (20):
35_2_00007FF647F74938, 35_2_00007FF647FB7CE0, 35_2_00007FF647FBAD98, 35_2_00007FF647FB8DD8,
35_2_00007FF647F73ED4, 35_2_00007FF647FBDEC8, 35_2_00007FF647FB9F70, 35_2_00007FF647F81FC0,
35_2_00007FF647F94FE0, 35_2_00007FF647F88168, 35_2_00007FF647FBB274, 35_2_00007FF647F92324,
35_2_00007FF647FB53A0, 35_2_00007FF647FC650D, 35_2_00007FF647FC0634, 35_2_00007FF647F9B640,
35_2_00007FF647FB563C, 35_2_00007FF647FB67F0, 35_2_00007FF647FC17EC, 35_2_00007FF647FC5875
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: String function: 00007FF647F72AC0 appears 86 times
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: String function: 00007FF647FBEA7C appears 78 times
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: String function: 00007FF647F758F8 appears 101 times
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: String function: 00007FF647F726CC appears 146 times
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBBA40 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB0C64 RtlInitUnicodeString, memset, NtOpenSymbolicLinkObject, memset, NtQuerySymbolicLinkObject, _wcsnicmp, NtClose, NtClose, _CxxThrowException
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBAD98 memset, GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, FindFirstFileW, GetLastError, GetLastError, _wcsicmp, _wcsicmp, GetLastError, GetCurrentThread, NtQueryInformationThread, FindNextFileW, GetLastError, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, FindClose, SetLastError
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB8DD8 memset, NtWriteFile, NtReadFile, NtWriteFile, NtWriteFile, NtWriteFile
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB9DF8 NtReadFile
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB9E3C memset, CreateFileW, NtClose
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB9F70 GetLastError, GetLastError, GetLastError, GetProcessHeap, HeapFree, GetLastError, GetLastError, GetLastError, RtlImageNtHeader, GetLastError, GetLastError, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetLastError, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, CreateFileW, GetLastError, GetLastError, GetLastError, GetLastError, GetLastError, GetProcessHeap, HeapAlloc, memset, WriteFile, GetLastError, GetProcessHeap, HeapFree, NtClose, GetLastError, GetLastError, GetLastError, GetLastError, GetLastError, GetLastError, SetLastError, GetLastError, GetLastError, GetLastError, GetLastError, GetLastError, GetLastError, GetLastError, GetLastError, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, SetLastError
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB50C8 NtClose
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB90D8 RtlInitUnicodeString,NtOpenFile,NtCreateEvent,NtDeviceIoControlFile,NtWaitForSingleObject,NtClose,NtClose,35_2_00007FF647FB90D8
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647F990E8 memset,NtQuerySystemInformation,_CxxThrowException,35_2_00007FF647F990E8
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647F993BC CreateFileW,NtQueryVolumeInformationFile,CloseHandle,_CxxThrowException,_CxxThrowException,35_2_00007FF647F993BC
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB94F0 CreateFileW,GetLastError,GetProcessHeap,HeapAlloc,NtQueryInformationFile,NtOpenProcess,NtQueryInformationProcess,GetProcessHeap,HeapAlloc,NtQueryInformationProcess,NtClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,35_2_00007FF647FB94F0
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FC17EC GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileInformationByHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,memset,GetFullPathNameW,HeapAlloc,RtlDeleteBoundaryDescriptor,_wcsicmp,FindClose,GetProcessHeap,HeapFree,GetLastError,GetLastError,NtSetInformationFile,RtlNtStatusToDosError,CloseHandle,SetFileAttributesW,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetProcessHeap,HeapFree,SetLastError,35_2_00007FF647FC17EC
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB97EC GetCurrentThread,NtQueryInformationThread,GetCurrentThread,NtSetInformationThread,35_2_00007FF647FB97EC
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FC1CDC: GetFileAttributesW,SetFileAttributesW,CreateFileW,DeviceIoControl,GetLastError,CloseHandle,GetLastError,GetProcessHeap,HeapFree,SetLastError,SetLastError,35_2_00007FF647FC1CDC
Source: bdeunlock.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdeunlock.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdeunlock.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pwcreator.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pwcreator.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lpksetup.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lpksetup.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lpksetup.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DUI70.dll0.4.dr Static PE information: Number of sections : 39 > 10
Source: DUI70.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: NETPLWIZ.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: 3PgaI7gtQn.dll Static PE information: Number of sections : 38 > 10
Source: XmlLite.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: WINBRAND.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: dpx.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: VERSION.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: MFC42u.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: 3PgaI7gtQn.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINBRAND.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dpx.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NETPLWIZ.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
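The section-table hits above (38 or 39 sections against a normal handful, every one of the dropped DLLs sharing the sample's own non-standard section names, and a single executable .text) are the kind of static signal an analyst wants to reproduce outside the sandbox. The following is an added example, not part of this report or of any Joe Sandbox tooling: a standard-library Python triage that walks the PE headers, counts sections, reports names outside the usual toolchain set, lists executable sections and recomputes the optional-header checksum. The STANDARD_SECTIONS allowlist is this example's own choice; the images it runs on are constructed in memory (headers and section table only), with the section names for the "sample-like" image taken from the list for 3PgaI7gtQn.dll further down this page and a deliberately wrong checksum.

```python
"""Static PE triage: section count, non-standard section names, executable sections, checksum.
Standard library only; real samples are read from disk and passed to triage() as bytes."""
import struct

# Section names the MSVC and GNU toolchains normally emit; anything else is reported.
# This allowlist is an assumption of the example and should be tuned per environment.
STANDARD_SECTIONS = {
    b".text", b".rdata", b".data", b".pdata", b".idata", b".edata", b".rsrc", b".reloc",
    b".tls", b".bss", b".CRT", b".gfids", b".00cfg", b".didat", b".imrsiv", b".xdata",
    b".mrdata", b".rodata", b".eh_fram",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute OptionalHeader.CheckSum: folded 16-bit sum of the whole file, skipping the
    CheckSum field itself, plus the file length (the algorithm imagehlp's CheckSumMappedFile uses)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:          # the field is 4-byte aligned in any well-formed image
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    checksum_offset = opt + 64              # same offset for PE32 (0x10b) and PE32+ (0x20b)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i       # IMAGE_SECTION_HEADER is 40 bytes
        name = struct.unpack_from("8s", data, hdr)[0].rstrip(b"\0")
        characteristics = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append((name, characteristics))
    return {"sections": sections, "checksum_offset": checksum_offset,
            "stored_checksum": struct.unpack_from("<I", data, checksum_offset)[0]}


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    names = [n for n, _ in pe["sections"]]
    computed = pe_checksum(data, pe["checksum_offset"])
    return {
        "section_count": len(names),
        "too_many_sections": len(names) > 10,
        "nonstandard_sections": [n.decode("latin-1") for n in names if n not in STANDARD_SECTIONS],
        "executable_sections": [n.decode("latin-1") for n, c in pe["sections"] if c & IMAGE_SCN_MEM_EXECUTE],
        # A stored value of 0 means the linker never set it (common for unsigned third-party
        # builds); a non-zero value that does not match is the stronger "patched image" signal.
        "checksum_unset": pe["stored_checksum"] == 0,
        "checksum_valid": pe["stored_checksum"] == computed,
    }


def build_pe(section_names, checksum=None) -> bytes:
    """Constructed minimal PE32+ image (headers and section table only, no section data) so the
    checks above can run offline. checksum=None stores the correct value, anything else is stored as given."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x2022)  # x64 DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200, 0, 0, 0, 0, 0,
                    0x60000020 if name == b".text" else 0x40000040)  # .text: CODE|X|R, others: DATA|R
        for i, name in enumerate(section_names))
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + secs)
    off = e_lfanew + 4 + 20 + 64
    struct.pack_into("<I", image, off, pe_checksum(bytes(image), off) if checksum is None else checksum)
    return bytes(image)


# Section names as listed for 3PgaI7gtQn.dll on this page; the image around them is constructed.
PACKED_NAMES = [b".text", b".rdata", b".data", b".pdata", b".rsrc", b".reloc"] + [
    b".qkm", b".cvjb", b".tlmkv", b".wucsxe", b".fltwtj", b".sfplio", b".rpg", b".bewzc",
    b".vksvaw", b".wmhg", b".kswemc", b".kaxfk", b".pjf", b".favk", b".vhtukj", b".hmbyox",
    b".djv", b".hpern", b".czzwqg", b".jxjvn", b".jfsnsk", b".nzvifv", b".tops", b".lrjye",
    b".qwdob", b".xcq", b".ifxvj", b".fgpyt", b".tgzhe", b".oocus", b".ybtor", b".gxixek"]
SAMPLE_LIKE = build_pe(PACKED_NAMES, checksum=0xDEADBEEF)   # 38 sections, wrong checksum
CLEAN_LIKE = build_pe([b".text", b".rdata", b".data", b".pdata", b".rsrc", b".reloc"])

if __name__ == "__main__":
    for label, img in (("sample-like", SAMPLE_LIKE), ("clean", CLEAN_LIKE)):
        print(label, triage(img))
```

Run it against a file with `triage(open(path, "rb").read())`. The section-name check is the one that carries the most weight here: the same 32 invented names appearing in the sample and in every dropped DLL is what ties those drops back to the original payload, whereas a high section count or an invalid checksum on its own is also produced by benign packers and patched installers.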
Source: 3PgaI7gtQn.dll Virustotal: Detection: 68%
Source: 3PgaI7gtQn.dll Metadefender: Detection: 54%
Source: 3PgaI7gtQn.dll ReversingLabs: Detection: 75%
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropVariant
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropertyStore
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,DestroyPropVariant
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,FormatTagFromWfx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetAMSubtypeFromD3DFormat
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetD3DFormatFromMFSubtype
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAddPeriodicCallback
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateSerialWorkQueue
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueue
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueueEx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAppendCollection
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAverageTimePerFrameToFrameRate
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginCreateFile
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\bdeunlock.exe C:\Windows\system32\bdeunlock.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginGetHostByName
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSS
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSSEx
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginUnregisterWorkQueueWithMMCSS
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\pwcreator.exe C:\Windows\system32\pwcreator.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateBitmapImageSize
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\lpksetup.exe C:\Windows\system32\lpksetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateImageSize
Source: C:\Windows\explorer.exe Process created: unknown unknown (listed 8 times; image path not resolved by the sandbox)
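Two things in the process tree above deserve a note. First, bdeunlock.exe, CameraSettingsUIHost.exe, pwcreator.exe and lpksetup.exe are genuine Windows binaries (explorer.exe runs each from System32 before running the copy under %LOCALAPPDATA%, and their own .pdb names appear in memory), so the API-level hits attributed to the pwcreator.exe and bdeunlock.exe copies describe Microsoft's code, not the payload; the payload is the set of dropped DLLs (DUI70.dll, NETPLWIZ.dll, XmlLite.dll, WINBRAND.dll, dpx.dll, VERSION.dll, MFC42u.dll) that carry the sample's own section names. Second, that combination, a system binary relaunched from a fresh random-named user directory with a DLL written beside it, is the DLL side-loading staging pattern, and it is detectable from ordinary process- and file-creation telemetry without any knowledge of the payload. The following is an added example, not part of this report: a detector over Sysmon-style events that flags a known system binary name executing outside the system directories and escalates when a DLL was dropped into the same directory first. The event records are constructed from the launches and drops listed on this page; the report does not say which DLL landed in which directory, so those pairings, the seed list and the severity labels are this example's assumptions.

```python
"""Flag Windows system binaries relaunched from a user-writable directory, with a DLL dropped
beside them, using process-creation and file-creation telemetry."""
import ntpath
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names from the process tree on this page; the set also grows from launches seen out of System32.
SEED_SYSTEM_BINARIES = {"bdeunlock.exe", "camerasettingsuihost.exe", "pwcreator.exe",
                        "lpksetup.exe", "mmc.exe", "netplwiz.exe"}

# Constructed telemetry as (event kind, parent image, target path), modelled on the explorer.exe
# launches and dropped files listed above. The DLL-to-directory pairing is an assumption.
EVENTS = [
    ("process", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\bdeunlock.exe"),
    ("file",    "C:\\Windows\\explorer.exe", "C:\\Users\\user\\AppData\\Local\\bnfeSWnf\\DUI70.dll"),
    ("file",    "C:\\Windows\\explorer.exe", "C:\\Users\\user\\AppData\\Local\\bnfeSWnf\\bdeunlock.exe"),
    ("process", "C:\\Windows\\explorer.exe", "C:\\Users\\user\\AppData\\Local\\bnfeSWnf\\bdeunlock.exe"),
    ("process", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\pwcreator.exe"),
    ("file",    "C:\\Windows\\explorer.exe", "C:\\Users\\user\\AppData\\Local\\NfgW4al\\pwcreator.exe"),
    ("process", "C:\\Windows\\explorer.exe", "C:\\Users\\user\\AppData\\Local\\NfgW4al\\pwcreator.exe"),
    ("process", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mmc.exe"),        # benign launch
    ("process", "C:\\Windows\\explorer.exe", "C:\\Program Files\\7-Zip\\7zFM.exe"),    # benign launch
]


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def find_relocated_system_binaries(events, seed=SEED_SYSTEM_BINARIES):
    """Return one finding per process start whose image name is a known system binary but whose
    path is outside the system directories; severity is 'high' if a DLL was written to that
    directory earlier in the stream (the side-loading staging pattern), 'medium' otherwise."""
    known = set(seed)
    dlls_in_dir = defaultdict(set)      # lower-cased directory -> DLL names written there
    findings = []
    for kind, parent, target in events:
        name = ntpath.basename(target).lower()
        directory = ntpath.dirname(target).lower()
        if kind == "file":
            if name.endswith(".dll"):
                dlls_in_dir[directory].add(name)
            continue
        if is_system_path(target):
            known.add(name)             # legitimate location: learn the name, nothing to flag
            continue
        if name in known:
            beside = sorted(dlls_in_dir[directory])
            findings.append({
                "parent": parent,
                "image": target,
                "dll_beside_it": beside,
                "severity": "high" if beside else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_relocated_system_binaries(EVENTS):
        print(f["severity"], f["parent"], "->", f["image"], f["dll_beside_it"])
```

On the constructed stream this yields a high-severity hit for the bdeunlock.exe copy (DUI70.dll was written to the same directory first) and a medium one for the pwcreator.exe copy. In production the "file" events would be Sysmon event 11 or equivalent and the "process" events event 1; the learned-name approach keeps the rule from firing on a user's own tools that merely happen to live under their profile.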
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBEBE0 GetCurrentThread,OpenThreadToken,GetLastError,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SetLastError
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB3CDC GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,_CxxThrowException,_CxxThrowException,_CxxThrowException
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647F79EB8 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,_CxxThrowException,_CxxThrowException,_CxxThrowException
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@69/17@0/1
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B988420 CoCreateInstance,ShellExecuteW,?NeedsDiscoveryVolumeUpdate@BuiVolume@@QEAAJPEAH@Z,?LaunchUpdate@BuiVolume@@QEAAJXZ
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B9724D8 FormatMessageW,GetLastError
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{01c2b0c1-24c0-5263-91b2-55fa644b5b53}
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Mutant created: \Sessions\1\BaseNamedObjects\{65fc1c27-4504-7567-4300-8c5ca8b0c4c0}
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647F73AF4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,EnterCriticalSection,LeaveCriticalSection
Source: pwcreator.exe String found in binary or memory: //IMAGE[@INDEX='%u']/WINDOWS/INSTALLATIONTYPE
Source: 3PgaI7gtQn.dll Static PE information: More than 224 > 100 exports found
Source: 3PgaI7gtQn.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: 3PgaI7gtQn.dll Static file information: File size 2121728 > 1048576
Source: 3PgaI7gtQn.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
            Source: Binary string: pwcreator.pdb source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
            Source: Binary string: pwcreator.pdbGCTL source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
            Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
            Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
            Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
Source: 3PgaI7gtQn.dll Static PE information: section name: .qkm
Source: 3PgaI7gtQn.dll Static PE information: section name: .cvjb
Source: 3PgaI7gtQn.dll Static PE information: section name: .tlmkv
Source: 3PgaI7gtQn.dll Static PE information: section name: .wucsxe
Source: 3PgaI7gtQn.dll Static PE information: section name: .fltwtj
Source: 3PgaI7gtQn.dll Static PE information: section name: .sfplio
Source: 3PgaI7gtQn.dll Static PE information: section name: .rpg
Source: 3PgaI7gtQn.dll Static PE information: section name: .bewzc
Source: 3PgaI7gtQn.dll Static PE information: section name: .vksvaw
Source: 3PgaI7gtQn.dll Static PE information: section name: .wmhg
Source: 3PgaI7gtQn.dll Static PE information: section name: .kswemc
Source: 3PgaI7gtQn.dll Static PE information: section name: .kaxfk
Source: 3PgaI7gtQn.dll Static PE information: section name: .pjf
Source: 3PgaI7gtQn.dll Static PE information: section name: .favk
Source: 3PgaI7gtQn.dll Static PE information: section name: .vhtukj
Source: 3PgaI7gtQn.dll Static PE information: section name: .hmbyox
Source: 3PgaI7gtQn.dll Static PE information: section name: .djv
Source: 3PgaI7gtQn.dll Static PE information: section name: .hpern
Source: 3PgaI7gtQn.dll Static PE information: section name: .czzwqg
Source: 3PgaI7gtQn.dll Static PE information: section name: .jxjvn
Source: 3PgaI7gtQn.dll Static PE information: section name: .jfsnsk
Source: 3PgaI7gtQn.dll Static PE information: section name: .nzvifv
Source: 3PgaI7gtQn.dll Static PE information: section name: .tops
Source: 3PgaI7gtQn.dll Static PE information: section name: .lrjye
Source: 3PgaI7gtQn.dll Static PE information: section name: .qwdob
Source: 3PgaI7gtQn.dll Static PE information: section name: .xcq
Source: 3PgaI7gtQn.dll Static PE information: section name: .ifxvj
Source: 3PgaI7gtQn.dll Static PE information: section name: .fgpyt
Source: 3PgaI7gtQn.dll Static PE information: section name: .tgzhe
Source: 3PgaI7gtQn.dll Static PE information: section name: .oocus
Source: 3PgaI7gtQn.dll Static PE information: section name: .ybtor
Source: 3PgaI7gtQn.dll Static PE information: section name: .gxixek
Source: bdeunlock.exe.4.dr Static PE information: section name: .imrsiv
Source: CameraSettingsUIHost.exe.4.dr Static PE information: section name: .imrsiv
Source: mmc.exe.4.dr Static PE information: section name: .didat
Source: DUI70.dll.4.dr Static PE information: section name: .qkm
Source: DUI70.dll.4.dr Static PE information: section name: .cvjb
Source: DUI70.dll.4.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.4.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.4.dr Static PE information: section name: .fltwtj
Source: DUI70.dll.4.dr Static PE information: section name: .sfplio
Source: DUI70.dll.4.dr Static PE information: section name: .rpg
Source: DUI70.dll.4.dr Static PE information: section name: .bewzc
Source: DUI70.dll.4.dr Static PE information: section name: .vksvaw
Source: DUI70.dll.4.dr Static PE information: section name: .wmhg
Source: DUI70.dll.4.dr Static PE information: section name: .kswemc
Source: DUI70.dll.4.dr Static PE information: section name: .kaxfk
Source: DUI70.dll.4.dr Static PE information: section name: .pjf
Source: DUI70.dll.4.dr Static PE information: section name: .favk
Source: DUI70.dll.4.dr Static PE information: section name: .vhtukj
Source: DUI70.dll.4.dr Static PE information: section name: .hmbyox
Source: DUI70.dll.4.dr Static PE information: section name: .djv
Source: DUI70.dll.4.dr Static PE information: section name: .hpern
Source: DUI70.dll.4.dr Static PE information: section name: .czzwqg
Source: DUI70.dll.4.dr Static PE information: section name: .jxjvn
Source: DUI70.dll.4.dr Static PE information: section name: .jfsnsk
Source: DUI70.dll.4.dr Static PE information: section name: .nzvifv
Source: DUI70.dll.4.dr Static PE information: section name: .tops
Source: DUI70.dll.4.dr Static PE information: section name: .lrjye
Source: DUI70.dll.4.dr Static PE information: section name: .qwdob
Source: DUI70.dll.4.dr Static PE information: section name: .xcq
Source: DUI70.dll.4.dr Static PE information: section name: .ifxvj
Source: DUI70.dll.4.dr Static PE information: section name: .fgpyt
Source: DUI70.dll.4.dr Static PE information: section name: .tgzhe
Source: DUI70.dll.4.dr Static PE information: section name: .oocus
Source: DUI70.dll.4.dr Static PE information: section name: .ybtor
Source: DUI70.dll.4.dr Static PE information: section name: .gxixek
Source: DUI70.dll.4.dr Static PE information: section name: .bcdsk
Source: DUI70.dll0.4.dr Static PE information: section name: .qkm
Source: DUI70.dll0.4.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.4.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.4.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.4.dr Static PE information: section name: .fltwtj
Source: DUI70.dll0.4.dr Static PE information: section name: .sfplio
Source: DUI70.dll0.4.dr Static PE information: section name: .rpg
Source: DUI70.dll0.4.dr Static PE information: section name: .bewzc
Source: DUI70.dll0.4.dr Static PE information: section name: .vksvaw
Source: DUI70.dll0.4.dr Static PE information: section name: .wmhg
Source: DUI70.dll0.4.dr Static PE information: section name: .kswemc
Source: DUI70.dll0.4.dr Static PE information: section name: .kaxfk
Source: DUI70.dll0.4.dr Static PE information: section name: .pjf
Source: DUI70.dll0.4.dr Static PE information: section name: .favk
Source: DUI70.dll0.4.dr Static PE information: section name: .vhtukj
Source: DUI70.dll0.4.dr Static PE information: section name: .hmbyox
Source: DUI70.dll0.4.dr Static PE information: section name: .djv
Source: DUI70.dll0.4.dr Static PE information: section name: .hpern
Source: DUI70.dll0.4.dr Static PE information: section name: .czzwqg
Source: DUI70.dll0.4.dr Static PE information: section name: .jxjvn
Source: DUI70.dll0.4.dr Static PE information: section name: .jfsnsk
Source: DUI70.dll0.4.dr Static PE information: section name: .nzvifv
Source: DUI70.dll0.4.dr Static PE information: section name: .tops
Source: DUI70.dll0.4.dr Static PE information: section name: .lrjye
Source: DUI70.dll0.4.dr Static PE information: section name: .qwdob
Source: DUI70.dll0.4.dr Static PE information: section name: .xcq
Source: DUI70.dll0.4.dr Static PE information: section name: .ifxvj
Source: DUI70.dll0.4.dr Static PE information: section name: .fgpyt
Source: DUI70.dll0.4.dr Static PE information: section name: .tgzhe
Source: DUI70.dll0.4.dr Static PE information: section name: .oocus
Source: DUI70.dll0.4.dr Static PE information: section name: .ybtor
Source: DUI70.dll0.4.dr Static PE information: section name: .gxixek
Source: DUI70.dll0.4.dr Static PE information: section name: .rupume
Source: WINBRAND.dll.4.dr Static PE information: section name: .qkm
Source: WINBRAND.dll.4.dr Static PE information: section name: .cvjb
Source: WINBRAND.dll.4.dr Static PE information: section name: .tlmkv
Source: WINBRAND.dll.4.dr Static PE information: section name: .wucsxe
Source: WINBRAND.dll.4.dr Static PE information: section name: .fltwtj
Source: WINBRAND.dll.4.dr Static PE information: section name: .sfplio
Source: WINBRAND.dll.4.dr Static PE information: section name: .rpg
Source: WINBRAND.dll.4.dr Static PE information: section name: .bewzc
Source: WINBRAND.dll.4.dr Static PE information: section name: .vksvaw
Source: WINBRAND.dll.4.dr Static PE information: section name: .wmhg
Source: WINBRAND.dll.4.dr Static PE information: section name: .kswemc
Source: WINBRAND.dll.4.dr Static PE information: section name: .kaxfk
Source: WINBRAND.dll.4.dr Static PE information: section name: .pjf
Source: WINBRAND.dll.4.dr Static PE information: section name: .favk
Source: WINBRAND.dll.4.dr Static PE information: section name: .vhtukj
Source: WINBRAND.dll.4.dr Static PE information: section name: .hmbyox
Source: WINBRAND.dll.4.dr Static PE information: section name: .djv
Source: WINBRAND.dll.4.dr Static PE information: section name: .hpern
Source: WINBRAND.dll.4.dr Static PE information: section name: .czzwqg
Source: WINBRAND.dll.4.dr Static PE information: section name: .jxjvn
Source: WINBRAND.dll.4.dr Static PE information: section name: .jfsnsk
Source: WINBRAND.dll.4.dr Static PE information: section name: .nzvifv
Source: WINBRAND.dll.4.dr Static PE information: section name: .tops
Source: WINBRAND.dll.4.dr Static PE information: section name: .lrjye
Source: WINBRAND.dll.4.dr Static PE information: section name: .qwdob
Source: WINBRAND.dll.4.dr Static PE information: section name: .xcq
Source: WINBRAND.dll.4.dr Static PE information: section name: .ifxvj
Source: WINBRAND.dll.4.dr Static PE information: section name: .fgpyt
            Source: WINBRAND.dll.4.drStatic PE information: section name: .tgzhe
            Source: WINBRAND.dll.4.drStatic PE information: section name: .oocus
            Source: WINBRAND.dll.4.drStatic PE information: section name: .ybtor
            Source: WINBRAND.dll.4.drStatic PE information: section name: .gxixek
            Source: WINBRAND.dll.4.drStatic PE information: section name: .bbmsy
            Source: dpx.dll.4.drStatic PE information: section name: .qkm
            Source: dpx.dll.4.drStatic PE information: section name: .cvjb
            Source: dpx.dll.4.drStatic PE information: section name: .tlmkv
            Source: dpx.dll.4.drStatic PE information: section name: .wucsxe
            Source: dpx.dll.4.drStatic PE information: section name: .fltwtj
            Source: dpx.dll.4.drStatic PE information: section name: .sfplio
            Source: dpx.dll.4.drStatic PE information: section name: .rpg
            Source: dpx.dll.4.drStatic PE information: section name: .bewzc
            Source: dpx.dll.4.drStatic PE information: section name: .vksvaw
            Source: dpx.dll.4.drStatic PE information: section name: .wmhg
            Source: dpx.dll.4.drStatic PE information: section name: .kswemc
            Source: dpx.dll.4.drStatic PE information: section name: .kaxfk
            Source: dpx.dll.4.drStatic PE information: section name: .pjf
            Source: dpx.dll.4.drStatic PE information: section name: .favk
            Source: dpx.dll.4.drStatic PE information: section name: .vhtukj
            Source: dpx.dll.4.drStatic PE information: section name: .hmbyox
            Source: dpx.dll.4.drStatic PE information: section name: .djv
            Source: dpx.dll.4.drStatic PE information: section name: .hpern
            Source: dpx.dll.4.drStatic PE information: section name: .czzwqg
            Source: dpx.dll.4.drStatic PE information: section name: .jxjvn
            Source: dpx.dll.4.drStatic PE information: section name: .jfsnsk
            Source: dpx.dll.4.drStatic PE information: section name: .nzvifv
            Source: dpx.dll.4.drStatic PE information: section name: .tops
            Source: dpx.dll.4.drStatic PE information: section name: .lrjye
            Source: dpx.dll.4.drStatic PE information: section name: .qwdob
            Source: dpx.dll.4.drStatic PE information: section name: .xcq
            Source: dpx.dll.4.drStatic PE information: section name: .ifxvj
            Source: dpx.dll.4.drStatic PE information: section name: .fgpyt
            Source: dpx.dll.4.drStatic PE information: section name: .tgzhe
            Source: dpx.dll.4.drStatic PE information: section name: .oocus
            Source: dpx.dll.4.drStatic PE information: section name: .ybtor
            Source: dpx.dll.4.drStatic PE information: section name: .gxixek
            Source: MFC42u.dll.4.drStatic PE information: section name: .qkm
            Source: MFC42u.dll.4.drStatic PE information: section name: .cvjb
            Source: MFC42u.dll.4.drStatic PE information: section name: .tlmkv
            Source: MFC42u.dll.4.drStatic PE information: section name: .wucsxe
            Source: MFC42u.dll.4.drStatic PE information: section name: .fltwtj
            Source: MFC42u.dll.4.drStatic PE information: section name: .sfplio
            Source: MFC42u.dll.4.drStatic PE information: section name: .rpg
            Source: MFC42u.dll.4.drStatic PE information: section name: .bewzc
            Source: MFC42u.dll.4.drStatic PE information: section name: .vksvaw
            Source: MFC42u.dll.4.drStatic PE information: section name: .wmhg
            Source: MFC42u.dll.4.drStatic PE information: section name: .kswemc
            Source: MFC42u.dll.4.drStatic PE information: section name: .kaxfk
            Source: MFC42u.dll.4.drStatic PE information: section name: .pjf
            Source: MFC42u.dll.4.drStatic PE information: section name: .favk
            Source: MFC42u.dll.4.drStatic PE information: section name: .vhtukj
            Source: MFC42u.dll.4.drStatic PE information: section name: .hmbyox
            Source: MFC42u.dll.4.drStatic PE information: section name: .djv
            Source: MFC42u.dll.4.drStatic PE information: section name: .hpern
            Source: MFC42u.dll.4.drStatic PE information: section name: .czzwqg
            Source: MFC42u.dll.4.drStatic PE information: section name: .jxjvn
            Source: MFC42u.dll.4.drStatic PE information: section name: .jfsnsk
            Source: MFC42u.dll.4.drStatic PE information: section name: .nzvifv
            Source: MFC42u.dll.4.drStatic PE information: section name: .tops
            Source: MFC42u.dll.4.drStatic PE information: section name: .lrjye
            Source: MFC42u.dll.4.drStatic PE information: section name: .qwdob
            Source: MFC42u.dll.4.drStatic PE information: section name: .xcq
            Source: MFC42u.dll.4.drStatic PE information: section name: .ifxvj
            Source: MFC42u.dll.4.drStatic PE information: section name: .fgpyt
            Source: MFC42u.dll.4.drStatic PE information: section name: .tgzhe
            Source: MFC42u.dll.4.drStatic PE information: section name: .oocus
            Source: MFC42u.dll.4.drStatic PE information: section name: .ybtor
            Source: MFC42u.dll.4.drStatic PE information: section name: .gxixek
            Source: MFC42u.dll.4.drStatic PE information: section name: .zlxpb
            Source: VERSION.dll.4.drStatic PE information: section name: .qkm
            Source: VERSION.dll.4.drStatic PE information: section name: .cvjb
            Source: VERSION.dll.4.drStatic PE information: section name: .tlmkv
            Source: VERSION.dll.4.drStatic PE information: section name: .wucsxe
            Source: VERSION.dll.4.drStatic PE information: section name: .fltwtj
            Source: VERSION.dll.4.drStatic PE information: section name: .sfplio
            Source: VERSION.dll.4.drStatic PE information: section name: .rpg
            Source: VERSION.dll.4.drStatic PE information: section name: .bewzc
            Source: VERSION.dll.4.drStatic PE information: section name: .vksvaw
            Source: VERSION.dll.4.drStatic PE information: section name: .wmhg
            Source: VERSION.dll.4.drStatic PE information: section name: .kswemc
            Source: VERSION.dll.4.drStatic PE information: section name: .kaxfk
            Source: VERSION.dll.4.drStatic PE information: section name: .pjf
            Source: VERSION.dll.4.drStatic PE information: section name: .favk
            Source: VERSION.dll.4.drStatic PE information: section name: .vhtukj
            Source: VERSION.dll.4.drStatic PE information: section name: .hmbyox
            Source: VERSION.dll.4.drStatic PE information: section name: .djv
            Source: VERSION.dll.4.drStatic PE information: section name: .hpern
            Source: VERSION.dll.4.drStatic PE information: section name: .czzwqg
            Source: VERSION.dll.4.drStatic PE information: section name: .jxjvn
            Source: VERSION.dll.4.drStatic PE information: section name: .jfsnsk
            Source: VERSION.dll.4.drStatic PE information: section name: .nzvifv
            Source: VERSION.dll.4.drStatic PE information: section name: .tops
            Source: VERSION.dll.4.drStatic PE information: section name: .lrjye
            Source: VERSION.dll.4.drStatic PE information: section name: .qwdob
            Source: VERSION.dll.4.drStatic PE information: section name: .xcq
            Source: VERSION.dll.4.drStatic PE information: section name: .ifxvj
            Source: VERSION.dll.4.drStatic PE information: section name: .fgpyt
            Source: VERSION.dll.4.drStatic PE information: section name: .tgzhe
            Source: VERSION.dll.4.drStatic PE information: section name: .oocus
            Source: VERSION.dll.4.drStatic PE information: section name: .ybtor
            Source: VERSION.dll.4.drStatic PE information: section name: .gxixek
            Source: VERSION.dll.4.drStatic PE information: section name: .yjlrz
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .qkm
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .cvjb
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .tlmkv
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .wucsxe
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .fltwtj
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .sfplio
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .rpg
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .bewzc
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .vksvaw
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .wmhg
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .kswemc
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .kaxfk
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .pjf
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .favk
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .vhtukj
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .hmbyox
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .djv
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .hpern
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .czzwqg
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .jxjvn
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .jfsnsk
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .nzvifv
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .tops
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .lrjye
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .qwdob
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .xcq
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .ifxvj
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .fgpyt
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .tgzhe
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .oocus
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .ybtor
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .gxixek
            Source: NETPLWIZ.dll.4.drStatic PE information: section name: .uwdayb
            Source: XmlLite.dll.4.drStatic PE information: section name: .qkm
            Source: XmlLite.dll.4.drStatic PE information: section name: .cvjb
            Source: XmlLite.dll.4.drStatic PE information: section name: .tlmkv
            Source: XmlLite.dll.4.drStatic PE information: section name: .wucsxe
            Source: XmlLite.dll.4.drStatic PE information: section name: .fltwtj
            Source: XmlLite.dll.4.drStatic PE information: section name: .sfplio
            Source: XmlLite.dll.4.drStatic PE information: section name: .rpg
            Source: XmlLite.dll.4.drStatic PE information: section name: .bewzc
            Source: XmlLite.dll.4.drStatic PE information: section name: .vksvaw
            Source: XmlLite.dll.4.drStatic PE information: section name: .wmhg
            Source: XmlLite.dll.4.drStatic PE information: section name: .kswemc
            Source: XmlLite.dll.4.drStatic PE information: section name: .kaxfk
            Source: XmlLite.dll.4.drStatic PE information: section name: .pjf
            Source: XmlLite.dll.4.drStatic PE information: section name: .favk
            Source: XmlLite.dll.4.drStatic PE information: section name: .vhtukj
            Source: XmlLite.dll.4.drStatic PE information: section name: .hmbyox
            Source: XmlLite.dll.4.drStatic PE information: section name: .djv
            Source: XmlLite.dll.4.drStatic PE information: section name: .hpern
            Source: XmlLite.dll.4.drStatic PE information: section name: .czzwqg
            Source: XmlLite.dll.4.drStatic PE information: section name: .jxjvn
            Source: XmlLite.dll.4.drStatic PE information: section name: .jfsnsk
            Source: XmlLite.dll.4.drStatic PE information: section name: .nzvifv
            Source: XmlLite.dll.4.drStatic PE information: section name: .tops
            Source: XmlLite.dll.4.drStatic PE information: section name: .lrjye
            Source: XmlLite.dll.4.drStatic PE information: section name: .qwdob
            Source: XmlLite.dll.4.drStatic PE information: section name: .xcq
            Source: XmlLite.dll.4.drStatic PE information: section name: .ifxvj
            Source: XmlLite.dll.4.drStatic PE information: section name: .fgpyt
            Source: XmlLite.dll.4.drStatic PE information: section name: .tgzhe
            Source: XmlLite.dll.4.drStatic PE information: section name: .oocus
            Source: XmlLite.dll.4.drStatic PE information: section name: .ybtor
            Source: XmlLite.dll.4.drStatic PE information: section name: .gxixek
            Source: XmlLite.dll.4.drStatic PE information: section name: .coe
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647F77B00 GetActiveWindow,LoadLibraryW,GetProcAddress,FreeLibrary,_CxxThrowException,35_2_00007FF647F77B00
            Source: DUI70.dll0.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x2550c1
            Source: DUI70.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x25ac17
            Source: NETPLWIZ.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x215425
            Source: 3PgaI7gtQn.dllStatic PE information: real checksum: 0x7d786c40 should be: 0x20c451
            Source: XmlLite.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x212a10
            Source: WINBRAND.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x2146f9
            Source: dpx.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x20bdd5
            Source: VERSION.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x212299
            Source: MFC42u.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x2191ea
            Source: bdeunlock.exe.4.drStatic PE information: 0xFC085887 [Sat Dec 29 21:03:03 2103 UTC]
            Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bnfeSWnf\DUI70.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oobM\mmc.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zshP\VERSION.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\43ip\DUI70.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oobM\MFC42u.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zshP\sigverif.exe
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B972EF4 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,wcscmp,wcscmp,GetCurrentProcess,GetProcessMitigationPolicy,LocalAlloc,~SyncLockT,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memset,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,GetLastError,memset,memset,FreeLibrary,memset,memcpy,memset,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap 27_2_00007FF77B972EF4
            Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll64.exe TID: 6324 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe
            Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll
            Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe
            Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\oobM\mmc.exe
            Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll
            Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\zshP\VERSION.dll
            Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll
            Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\oobM\MFC42u.dll
            Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\zshP\sigverif.exe
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B972EF4 rdtsc 27_2_00007FF77B972EF4
            Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
            Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBAD98 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError, 35_2_00007FF647FBAD98
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB0414 FindClose,wcscpy_s,lstrlenW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,wcsrchr,wcsrchr,FindClose, 35_2_00007FF647FB0414
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B987818 GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsW,GetLastError,?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z, 27_2_00007FF77B987818
            Source: explorer.exe, 00000004.00000000.693344641.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000004.00000000.710454065.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000004.00000000.695007821.000000000A897000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAb
            Source: explorer.exe, 00000004.00000000.687261263.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000004.00000000.693556150.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: explorer.exe, 00000004.00000000.693652783.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: explorer.exe, 00000004.00000000.681280708.000000000FCDC000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}e-1
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647F77B00 GetActiveWindow,LoadLibraryW,GetProcAddress,FreeLibrary,_CxxThrowException, 35_2_00007FF647F77B00
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B993B04 GetProcessHeap,HeapAlloc, 27_2_00007FF77B993B04
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B972EF4 rdtsc 27_2_00007FF77B972EF4
            Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B994AD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00007FF77B994AD8
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B994E40 SetUnhandledExceptionFilter, 27_2_00007FF77B994E40
            Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe Code function: 31_2_00007FF7FD013330 SetUnhandledExceptionFilter, 31_2_00007FF7FD013330
            Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe Code function: 31_2_00007FF7FD0135B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF7FD0135B4
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FC2B48 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00007FF647FC2B48
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FC2ED0 SetUnhandledExceptionFilter, 35_2_00007FF647FC2ED0

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe File created: DUI70.dll.4.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD58EFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD58E000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABB012A20 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFABD58EFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFABD58E000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFABB012A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Windows\System32\rundll32.exeAtom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1Jump to behavior
            Source: explorer.exe, 00000004.00000000.685491455.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
            Source: explorer.exe, 00000004.00000000.723120319.0000000001080000.00000002.00020000.sdmpBinary or memory string: Program Manager
            Source: explorer.exe, 00000004.00000000.671643095.0000000005E50000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000004.00000000.723120319.0000000001080000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000004.00000000.723120319.0000000001080000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: explorer.exe, 00000004.00000000.693556150.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformationJump to behavior
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeCode function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLastError,GetLocaleInfoEx,??3@YAXPEAX@Z,27_2_00007FF77B993B98
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,35_2_00007FF647FC0634
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeCode function: 27_2_00007FF77B994FD0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,27_2_00007FF77B994FD0
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FC013C memset,GetVersionExW,GetVersionExW,35_2_00007FF647FC013C
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeCode function: 27_2_00007FF77B97193C GetCurrentProcessId,AllowSetForegroundWindow,CoCreateInstance,CoCreateInstance,GetSystemMetrics,RegGetValueW,GetSystemMetrics,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?CreateInstance@CSafeElementProxy@@SAJPEAVElement@DirectUI@@PEAPEAV1@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,SetForegroundWindow,LocalFree,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,27_2_00007FF77B97193C

            Mitre Att&ck Matrix

The matrix is listed per tactic column. Digits in square brackets after a technique name are the superscript counts shown in the report, reproduced as given; techniques without a count are the unhighlighted matrix cells.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Command and Scripting Interpreter [2], Native API [1], Exploitation for Client Execution [1], At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: Application Shimming [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: Access Token Manipulation [1], Process Injection [312], Application Shimming [1], Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: Masquerading [1], Virtualization/Sandbox Evasion [1], Access Token Manipulation [1], Process Injection [312], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [3], Rundll32 [1], Software Packing [2], Timestomp [1]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1], Security Software Discovery [21], Virtualization/Sandbox Evasion [1], Process Discovery [2], File and Directory Discovery [2], System Information Discovery [35], Network Sniffing, Network Service Scanning, System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data [1], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1], Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

            Behavior Graph

Behavior Graph ID: 492089 | Sample: 3PgaI7gtQn | Startdate: 28/09/2021 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures.

Process tree recovered from the graph (text rendering of the graph image):

• loaddll64.exe (started)
  • rundll32.exe (started); signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
    • explorer.exe (injected); signature: Benign windows process drops PE files
      • contacts 192.168.2.1 (unknown, unknown)
      • drops C:\Users\user\AppData\Local\...\VERSION.dll (PE32+), C:\Users\user\AppData\Local\oobM\MFC42u.dll (PE32+), C:\Users\user\AppData\Local\...\dpx.dll (PE32+), and 13 other files (4 malicious)
      • starts bdeunlock.exe, bdeunlock.exe, CameraSettingsUIHost.exe, and 3 other processes
  • rundll32.exe (started)
  • cmd.exe (started)
    • rundll32.exe (started)
  • 16 other processes (started)

Screenshots

[Screenshot thumbnails of the Windows analysis machine are part of the report but are not reproduced in this text.]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
3PgaI7gtQn.dll | 69% | Virustotal |
3PgaI7gtQn.dll | 54% | Metadefender |
3PgaI7gtQn.dll | 76% | ReversingLabs | Win64.Infostealer.Dridex
3PgaI7gtQn.dll | 100% | Avira | HEUR/AGEN.1114452
3PgaI7gtQn.dll | 100% | Joe Sandbox ML |

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\43ip\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\oobM\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\zshP\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\43ip\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\43ip\DUI70.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\oobM\MFC42u.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\zshP\VERSION.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\43ip\DUI70.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe | 0% | ReversingLabs |

            Unpacked PE Files

Source | Detection | Scanner | Label
30.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
23.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.2.pwcreator.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
32.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
31.2.CameraSettingsUIHost.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.2.bdeunlock.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
28.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted IPs


            Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no public IPs listed)

            Private

            IP
            192.168.2.1

            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 492089
Start date: 28.09.2021
Start time: 10:50:55
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 56s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 3PgaI7gtQn (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDLL@69/17@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 15.8% (good quality ratio 13.4%)
• Quality average: 77.9%
• Quality standard deviation: 37.1%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 204.79.197.200, 13.107.21.200, 20.49.157.6
• Excluded domains from analysis (whitelisted): www.bing.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, a-0001.a-afdentry.net.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 32104
Entropy (8bit): 6.224595599643794
Encrypted: false
SSDEEP: 768:HYxSW1tZfZjtM2mpgc8WtCpZswKro1PDg:HhAhty8WteuwKrwPDg
MD5: 34F32BC06CDC7AF56607D351B155140D
SHA1: 88EF25BC91BCC908AF743ECA254D6251E5564283
SHA-256: 47238D9ED75D01FD125AC76B500FEEF7F8B27255570AD02D18A4F049B05DF3BD
SHA-512: D855414779125F4E311ACF4D5EFC8ACA4452323CABD1694798CA90FD5BD76DC70B5D06790A2AE311E7DD19190DCCB134F6EF96AB1B7CF5B8A40AD642B72D5144
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._Lp..-...-...-...U...-..tI...-..tI...-..tI...-..tI...-...-..K-..tI...-..tI..-..tI...-..Rich.-..........................PE..d....\YN.........."......*...2.......0.........@.................................................... ......................................._.......................Z..h#...........X..T...................`S..(...`R...............S...............................text....(.......*.................. ..`.imrsiv......@...........................rdata.......P......................@..@.data........p.......J..............@....pdata...............L..............@..@.rsrc................P..............@..@.reloc...............X..............@..B................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\43ip\DUI70.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 2408448
Entropy (8bit): 4.088464785484027
Encrypted: false
SSDEEP: 12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1ymulOt:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnbMK
MD5: 4121EE4C9F38EE65D7E1D3F39CE327A4
SHA1: D85D7FBF8CDD63C2D7D2024C22EA63423D9292BB
SHA-256: 2E195E740BA535D55EFA59E4342EA5D76F2DAD519494BD8F6AA7BB715AA308B0
SHA-512: A4F246AD5BCB81B9730C7B8814DD2F6B4E62CC839A177B4CDE98DADC09401C1E027AC696C06C01676C7F47F7FB9C03426938006F2C5CE0EC7B278C60A6A469CB
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .......... .....p..........@..............................$.....@lx}..b..........................................` .dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 2125824
Entropy (8bit): 3.5527133641756206
Encrypted: false
SSDEEP: 12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: 7C2DFAC0CE010C8A44E593D1103BDA97
SHA1: 406EE28D9C04ED4F287A4792BD201668CF8CBC1D
SHA-256: 4FDB143C3627C8EA9C51899CA42246922F08A4873E8B2ED2BA11BD5AAE8221C8
SHA-512: 6FE9C8618DE0338E993AC4744E7DB6B0F55C4B96271205E96A7A7CC720F9914EDFE7D019B98AB70EC3479FB83AE41BBAB818A238CD249E195BDCE4D338305DD4
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................` ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 39424
Entropy (8bit): 5.640119387300135
Encrypted: false
SSDEEP: 768:Sm6uxIL0DPeyQvEsNN6hU2hGGalaQkQcryUJU3fUrh6WeENiJDBPrxZt4W:p6MMD6hlBBjrywUKeWSDBPrxZaW
MD5: A513A767CC9CC3E694D8C9D53B90B73E
SHA1: F10B719117D26DAFCC9DBE54E9F9D78A0F80EE2A
SHA-256: C9F7AC4322504D7EC8305973951A66FBE34E55E34A59409B5B574D627A474369
SHA-512: 03BBBC076D3497E35952143085B9DCC83EDE855A00A190F05712FC91F0C0C4301995D0123EBDCA75A59B93C51358EAD5C4030F8EE9C33F9D1BF1A0EDBC52FD64
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;.K.U.K.U.K.U.B..G.U.$.P.J.U.$.V.H.U.$.Q.Y.U.$.T.F.U.K.T...U.$.\.J.U.$...J.U.$.W.J.U.RichK.U.........................PE..d...v............."..........n......@6.........@..........................................`.......... .......................................L...........F...p..................4....F..T............................@...............A...............................text....-.......................... ..`.rdata..t....@.......2..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc....F.......H...P..............@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 2125824
Entropy (8bit): 3.5537457737561593
Encrypted: false
SSDEEP: 12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: 0FA8A4183C28C71FE734D6065497ADDE
SHA1: D22C41D6DF53577BD9013BB5AD02074576800F6C
SHA-256: 43DE8467A04ED6F74B09C66F09EE6FEF2BE1A5120C9B20C792B1CA98B117E400
SHA-512: AAE25C32715162F02FA2FEB437F4DF35015C68C9003F906CBFED45BFCD744F6AC724247B126882FD82E30037C68407C58704ACCF226B9F50325563344848D8D1
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................` ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):800768
            Entropy (8bit):5.701025089752158
            Encrypted:false
            SSDEEP:24576:TD+9c2wgjOGTtUNbYYotGatTAcBg9okYyW:kc2wg6GTtUNsAaScBgWDy
            MD5:BF33FA218E0B4F6AEC77616BE0F5DD9D
            SHA1:F3F0A424406B743410F6E5C72209979AC9537FAE
            SHA-256:E7760E07BE5CF608CC10FDDF0AB21E765F36962372BF9DA4360DCB196E08425D
            SHA-512:8BF912B8785DE97757F862A0C327A6BC921A895C79C8D6D593BA79C5450D12382A511BF974A2C01A183CCFA0F612AC4A80D6F346058ED1FB694ED71A43B1122C
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ...NI..NI..NI..MH..NI..JH..NI..KH..NI..OH..NI..OIa~NI..GH,.NI...I..NI..LH..NIRich..NI........PE..d....._.........."..................'.........@.....................................?....`.......... ......................................x6..|........a.......B...........p......P...T...........................P...............P...(............................text...Q........................... ..`.rdata..............................@..@.data....:...p.......T..............@....pdata...B.......D..................@..@.rsrc....a.......b..................@..@.reloc.......p.......(..............@..B................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2125824
            Entropy (8bit):3.5529782689844396
            Encrypted:false
            SSDEEP:12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:2BF02D76D58256D262FCEE3D70F9BA42
            SHA1:095C42C35275909EBC554B07B7B30DDF75843A27
            SHA-256:A7FDE865CA3F382F9B288ECD01366EB88F5C53C3B8B03266DABDAB89C4E9690B
            SHA-512:F5F8B185E62AF9104AB601877CFD3A2E4DF71BFF626A75ED00711108FFCBF81EE0C36E7575BCF0E4692BF0A124236F621E1F28037ACD3DF551D568DF99949623
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................` ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):37888
            Entropy (8bit):5.0324146638870335
            Encrypted:false
            SSDEEP:768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D
            MD5:3CE911D7C12A2EFA9108514013BD17FE
            SHA1:2F739BD7731932A0BF13A3B8526FC867EC41C63E
            SHA-256:FC55CB5FF243496B039D3DB181BD846BDD38D11C7D52E4BA20D882B65FBE1C3B
            SHA-512:33F4FD94916DB3F0BC4E138DD88125D9B45108F7EECFDE0A54BE1901F4BE3F1966BC0FE9278A919A3D94AEC53A8269ACA9451EBA7D53C82BF64CC215522AD78E
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.=...S...S...S.s.P...S.s.W...S.s.V...S.s.R...S...R.$.S.s.Z...S.s....S.s.Q...S.Rich..S.........PE..d...~3............"......&...p......p/.........@.....................................q....`.......... .......................................~..d.......p.......................(...`z..T........................... E.............. F...............................text...P%.......&.................. ..`.rdata.."D...@...F...*..............@..@.data................p..............@....pdata..............................@..@.rsrc...p...........................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\bnfeSWnf\DUI70.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2408448
            Entropy (8bit):4.088173474060694
            Encrypted:false
            SSDEEP:12288:EVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ15sZz:hfP7fWsK5z9A+WGAW+V5SB6Ct4bnb5U
            MD5:5B66C49965E3F6B0E1B462A795619EB4
            SHA1:8639F82F4D16E35FEDC7A5778F7F43A252CFB6EE
            SHA-256:2FADF48DCCD8B10EADDA1405AA2D7E764E0563D22C589729D30FA419DEC50112
            SHA-512:0F3D0B89CED60B6725DA24FC5D973EB1EB0FF81ECEE2FCBCD15885BDD47D3011D53B4B390B018C4B81CE36654EDC6AE348DE8B404CE9187814733F179CA533EA
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .......... .....p..........@..............................$.....@lx}..b..........................................` .dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):286232
            Entropy (8bit):6.926729215014979
            Encrypted:false
            SSDEEP:6144:jjJkzmZ4CSal+EH+pDQh01TXRYJWEmTKBKt1Vs7nyatGt+SYFmW2kb/:jtgmSdal+EH+5QhWEmTKB2H+S+7b/
            MD5:FAB70105E2075EEC9C249A4D499CAE7C
            SHA1:B5B4216725F55A4E6AF9FB0BB7E0167CEED6081F
            SHA-256:7EA89BE1BBA6A7C2B08D70FA8E4CF036CB086ED162BCD22255E2BC0F926B22B2
            SHA-512:96327DEC3BCEE7A9934AAF27F1942030D46CEE693AF2562EE4972D5306DD3AD14F404762B99E581C0F0F563610EA097372044890EB19CE1C7A8F535A78D9E19A
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..A~.~.~.~.~.~.w...v.~...}.}.~...z.l.~...{.x.~.....g.~.~.....~...w.i.~...~...~.......~...|...~.Rich~.~.........................PE..d....X............"......D..........pJ.........@....................................i................ ..................................P......T........x...........2...,......t.......T............................t...............u...............................text...PB.......D.................. ..`.imrsiv......`...........................rdata...c...p...d...H..............@..@.data...............................@....pdata..............................@..@.rsrc....x.......z..................@..@.reloc..t............0..............@..B........................................................................................................................................................................................................
            C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2121728
            Entropy (8bit):3.5580591254970417
            Encrypted:false
            SSDEEP:12288:1VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:sfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:11691B104F078DBB489FADF628AE5C83
            SHA1:5A85648864868255683546E5465E14D0E29427AF
            SHA-256:3619646B47E58F21DE52463FE7F6ECBA59173E10C6AED207D7B7D9425D3287C7
            SHA-512:A3909BD47F0ED501EE9B60D60260C1313E885CC7791A3700306DC607F6C07D1AB6EB0423CDC32385D1EFB3819733D5A6D5C090B89C14CD44B721EEE8F3BDEBC8
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." .........@......p..........@.............................` .....@lx}..b.........................................,o.......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):732160
            Entropy (8bit):6.573630291630044
            Encrypted:false
            SSDEEP:12288:U4O7JpqBbsczjBmavlNRO5Gy1ay0OBegtkGyLY9d/Dz/sJ+lGDyYgWPL/kc7yfnQ:U40JpqtZzjBRvI5Gdy0OjtwLY9BDz/PW
            MD5:8E2C63E761A22724382338F349C55014
            SHA1:30C7F92A6E88C368B091E39665545EAFA8A6561F
            SHA-256:4CA6E16BEB57278E60E3EDCBCECDA1442AA344C424421E4B078F1213E6B99376
            SHA-512:92F289DDBD9D1E5103C36308DA84779708A292DC54F49A0A1B79D65C563378BBF08C98F3732F25365CCF8175589D8E6187CEE2A694AE5FB73CA9E85AECFF4CF1
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W..6...e...e...e..%e3..e|.d...e|.d...e|.d...e|.d...e...ec..e|.d6..e|.Ie...e|.d...eRich...e................PE..d.....e.........."......,...P.................@..........................................`.......... .........................................................H?...................g..T....................y..(....x...............y..P............................text....+.......,.................. ..`.rdata..\....@.......0..............@..@.data...`[...0......................@....pdata..H?.......@..................@..@.rsrc...............^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\oobM\MFC42u.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2150400
            Entropy (8bit):3.5942759550882832
            Encrypted:false
            SSDEEP:12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1u:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:DB0FB2C1640C7E176AD5B8C83BE68823
            SHA1:86452C8617E4F9FAC9AB219DE1E45F3F8285541C
            SHA-256:5782DEB31D2ED74626BFE53E3D100DF785A536EB164898D4EFF01A017A96DBFD
            SHA-512:8E03D8A585C337A7D36446E274C64B3DB1E1E21A983FFD2BA5C1D374A4382A685C7CAB2F5EBA84A42DCB6D902CB96F2FD5D131862AE9029A5C354CD849708C27
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." ................p..........@.............................. .....@lx}..b..........................................` ..l...c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\oobM\mmc.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1859584
            Entropy (8bit):6.170036018738162
            Encrypted:false
            SSDEEP:24576:jkx6/5L0DOw7CYHrgS3TY8hVLujvKfukMo7wMo7DH:jx/VoCYLgS3JhNQval7e7DH
            MD5:BA80301974CC8C4FB9F3F9DDB5905C30
            SHA1:382008FBA9480F6568DB3E1F335D080192DE62CA
            SHA-256:683C0CB518B3FE31CFFA7FCF79F5EFC18D355C6D52734757758ED26AE5950037
            SHA-512:50B9F485F2C0291FF724E33133A1C5941ECA367C0EA03ACFB3560756848183B7301165E4A4D8E9B813142872A14CE95D97DAAFE355EBB9C7AEA5F6252A1045DA
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qd.T...T...T...]h..V...;t..W...;t..q...;t..Z...;t..C...T.......;t..?...;t..U...;t..U...RichT...........................PE..d...2............"......t.....................@..........................................@.........0=......................................xK.......0..@F...@..$................9......T....................X..(...@1...............}..p...D........................text...@r.......t.................. ..`.rdata...............x..............@..@.data................x..............@....pdata..$....@......................@..@.didat....... ......................@....rsrc...@F...0...H..................@..@.reloc...9.......:...&..............@..B................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\zshP\VERSION.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2125824
            Entropy (8bit):3.5538487124192493
            Encrypted:false
            SSDEEP:12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:2393DBDB7B83B4F04D36585D7BD53D12
            SHA1:6763ADDEF91982DBC7A1C8FD23653BB470BBA183
            SHA-256:82E108220C59CA7F0733EBC7BE4B484A040DBF2AE89061599CA60C1951D4206B
            SHA-512:9A1EAB4660873C76A882ADA54F163825C71E3D4F96D3F682531B47E6F69F5FEDF32E3CE572FE39D02572CCC7515CD559B135CE9BEC5E6F3DBDBF825244FC36CB
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................` .+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\zshP\sigverif.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):74752
            Entropy (8bit):6.227529985586147
            Encrypted:false
            SSDEEP:1536:yGD6cQz4Ig9F+JrM+FqrEGtxzAZT3WuEs:Uccg9kC+FqrEGkB7
            MD5:8BADFA1EAEC018D2EDFE5630577F0B0F
            SHA1:43091FDC6B068E36FE0AE374A0C096C8912ACD5B
            SHA-256:DA824555DB880996AEF4DF4C68B499139040A4EA68D533E676059A12C8563BEB
            SHA-512:080FED8F14CD192CDD4602504E82F8906B64EA9991D81C07B4BDF63BFABD2B257D7355E6546A83B223F817E231C5496362D73D2E6001B83D81F8CE704EE91659
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R_..R_..R_..W^..R_..Q^..R_..V^..R_..S^..R_..S_..R_..Z^..R_.._..R_..P^..R_Rich..R_........PE..d....{.T.........."......r..........`x.........@.............................p......&x....`.......... ......................................d...........`....................`.. .......T............................................................................text....p.......r.................. ..`.rdata...$.......&...v..............@..@.data...............................@....pdata..............................@..@.rsrc...`...........................@..@.reloc.. ....`......."..............@..B................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a
            Process:C:\Windows\explorer.exe
            File Type:data
            Category:dropped
            Size (bytes):4442
            Entropy (8bit):5.475608894086636
            Encrypted:false
            SSDEEP:48:jZnGgUWSn/oB2Nagg5JtGgWHTMVZnGgUWs6cVfKJlD9Ow1K0sjOWLek:jZGg1iaBodTsZGg6XI7DEB
            MD5:265559C6982B3A4CF08B093CA2B36B05
            SHA1:38AB5D305B69D0CB9EE68066CD9BF77529AB3DDF
            SHA-256:CAD2600DEE248B2D18B8CDAA66194C1580B21F01FDDBFCD51D0C3912059EFB99
            SHA-512:E9845473C172D7C81326A242EC78D102A9FF2693E2848577907DD944CAB0AD62E0DF6C543EEE744C1802DEF402749557F493AE23622B664A94BC9CB704DCAC7D
            Malicious:false
            Reputation:unknown
            Preview: ........................................user.........................................user.....................RSA1.................].~."I..I..Ee..Y.M4..|.....Box.....bUB5..3...!....I.@.....i.E..|W..#v.J.. bJ0#..v.3.'.....!\OBL7....Wj....S....m.Y...e.j........................z..O.......K.cY..C....a.......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... .....iX....c...."..Jq....Xp..(p.ty............ .............Z....TT=..He....?......8..a.#X.s..g..._.....:uG.9.........[.R...._..D.!.....\.A.&...~.F..C......4...'....0.H4k..BLP..M...e~...._..?..4Q.*...2]..]L0=.sf.6..8..w....o.>..!...../.o.i...A{*.Q.GH.v...c.;.. ..h.w|)..I..k.Ka.B.............)LF.N.}I.4D..k$._..0.Q..ID.By..\...S.....Y-.i2.J%].h..q...2.i..w.."=KZ..B.1..9[H.QW......3Z.;C`......>.._%..c...[#D..gh...`...X")R<...~8..6K....%...........&.\.[.7$..q.I..[....cx..J..2.b....s....$.......m7...PB.......c..]7....rZ|.w#f4..z..U..}.U/p..`..].??.d..^Y....N..[r....yD....G...q..>..#t...i.........}M.`

            Static File Info

            General

            File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Entropy (8bit):3.5870494758907925
            TrID:
            • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
            • Win64 Executable (generic) (12005/4) 10.17%
            • Generic Win/DOS Executable (2004/3) 1.70%
            • DOS Executable Generic (2002/1) 1.70%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
            File name:3PgaI7gtQn.dll
            File size:2121728
            MD5:8a6f4fe59b41d74501e04f1b451dc57d
            SHA1:064f5eca3efd02c5f40a8c9e7fedb86aa40eeed0
            SHA256:d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca
            SHA512:4dfb736dc4e967f964d4a8eac22808fd7249fe39500752bf8b2cc9c197107bc6347ba7da07f20dda47b7d7bd14217792a81222e60f7d648918a93f222ab8084c
            SSDEEP:12288:1VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:sfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|.

            File Icon

            Icon Hash:74f0e4ecccdce0e4

            Static PE Info

            General

            Entrypoint:0x140041070
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x140000000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
            DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:6668be91e2c948b183827f040944057f

            Entrypoint Preview

            Instruction
            dec eax
            xor eax, eax
            dec eax
            add eax, 5Ah
            dec eax
            mov dword ptr [00073D82h], ecx
            dec eax
            lea ecx, dword ptr [FFFFECABh]
            dec eax
            mov dword ptr [00073D7Ch], edx
            dec eax
            add eax, ecx
            dec esp
            mov dword ptr [00073D92h], ecx
            dec esp
            mov dword ptr [00073DA3h], ebp
            dec esp
            mov dword ptr [00073D7Ch], eax
            dec esp
            mov dword ptr [00073D85h], edi
            dec esp
            mov dword ptr [00073D86h], esi
            dec esp
            mov dword ptr [00073D8Fh], esp
            dec eax
            mov ecx, eax
            dec eax
            sub ecx, 5Ah
            dec eax
            mov dword ptr [00073D89h], esi
            dec eax
            test eax, eax
            je 00007F301C9053FFh
            dec eax
            mov dword ptr [00073D45h], esp
            dec eax
            mov dword ptr [00073D36h], ebp
            dec eax
            mov dword ptr [00073D7Fh], ebx
            dec eax
            mov dword ptr [00073D70h], edi
            dec eax
            test eax, eax
            je 00007F301C9053DEh
            jmp ecx
            dec eax
            add edi, ecx
            dec eax
            mov dword ptr [FFFFEC37h], ecx
            dec eax
            xor ecx, eax
            jmp ecx
            retn 0008h
            ud2
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push ebx
            dec eax
            sub esp, 00000080h
            mov eax, F957B016h
            mov byte ptr [esp+7Fh], 00000037h
            mov edx, dword ptr [esp+78h]
            inc ecx
            mov eax, edx
            inc ecx
            or eax, 5D262B0Ch
            inc esp
            mov dword ptr [esp+78h], eax
            dec eax
            mov dword ptr [eax+eax+00h], 00000000h

            Rich Headers

            Programming Language:
            • [LNK] VS2012 UPD4 build 61030
            • [ASM] VS2013 UPD2 build 30501
            • [ C ] VS2012 UPD2 build 60315
            • [C++] VS2013 UPD4 build 31101
            • [RES] VS2012 UPD3 build 60610
            • [LNK] VS2017 v15.5.4 build 25834
            • [ C ] VS2017 v15.5.4 build 25834
            • [ASM] VS2010 build 30319
            • [EXP] VS2015 UPD1 build 23506
            • [IMP] VS2008 SP1 build 30729
            • [RES] VS2012 UPD4 build 61030
            • [LNK] VS2012 UPD2 build 60315
            • [C++] VS2015 UPD1 build 23506
            • [ C ] VS2013 UPD4 build 31101

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x204010 | 0x1f1a | .gxixek
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x42000 | 0x64f2c | 0x65000 | False | 0.702390160891 | data | 7.86574512659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fltwtj | 0x10e000 | 0x1267 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sfplio | 0x110000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rpg | 0x111000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bewzc | 0x157000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vksvaw | 0x159000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wmhg | 0x15a000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kswemc | 0x15c000 | 0x36d | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kaxfk | 0x15d000 | 0x197d | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pjf | 0x15f000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.favk | 0x160000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vhtukj | 0x161000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hmbyox | 0x1a7000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.djv | 0x1a8000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hpern | 0x1a9000 | 0x706 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.czzwqg | 0x1aa000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jxjvn | 0x1ab000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jfsnsk | 0x1ac000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nzvifv | 0x1ad000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tops | 0x1ae000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lrjye | 0x1b0000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qwdob | 0x1b1000 | 0x6cd0 | 0x7000 | False | 0.00177873883929 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xcq | 0x1b8000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ifxvj | 0x1b9000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fgpyt | 0x1ba000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tgzhe | 0x1bc000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.oocus | 0x1bd000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ybtor | 0x203000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gxixek | 0x204000 | 0x1f2a | 0x2000 | False | 0.413330078125 | data | 5.51434056843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
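The section table above carries the two static indicators that matter for triage of this sample: the executable .text section and the large .rdata section both have entropy near the 8.0 ceiling (7.73 and 7.87), which is what packed or encrypted content looks like, while 31 sections with random names (.qkm, .cvjb, .wucsxe and so on) have entropy 0.0 despite occupying up to 0x46000 bytes on disk each, that is, they are zero-filled padding. The following script is an added example, not part of the Joe Sandbox report and not code from the sample; it shows how the Entropy column is computed (Shannon entropy in bits per byte) and encodes those observations as a small triage rule set. The section list in the script is a hand-transcribed subset of the table above, and the set of "standard" section names and the thresholds (7.0 for code, 7.5 and 64 KiB for data) are the author's assumptions, not values from the report.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the quantity in the report's Entropy
    column: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Section names the Microsoft toolchain emits for an ordinary x64 DLL (assumption:
# a hand-written allowlist, not exhaustive).
STANDARD_NAMES = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata",
                  ".edata", ".tls", ".bss", ".xdata", ".gfids", ".00cfg", ".CRT"}

# Subset of the section table above, transcribed by hand:
# (name, virtual size, raw size, entropy, characteristics).
# The other 29 random-name sections look like .qkm and .wucsxe.
SAMPLE_SECTIONS = [
    (".text",   0x40796, 0x41000, 7.73364605679,
     {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_READ"}),
    (".rdata",  0x64f2c, 0x65000, 7.86574512659,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".data",   0x178b8, 0x18000, 3.31515306295,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_READ"}),
    (".pdata",  0x12c,   0x1000,  0.581723022719,
     {"IMAGE_SCN_TYPE_DSECT", "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".rsrc",   0x880,   0x1000,  1.23838501563,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".reloc",  0x2324,  0x3000,  4.65321444248,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"}),
    (".qkm",    0x74a,   0x1000,  0.0,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".wucsxe", 0x45174, 0x46000, 0.0,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".gxixek", 0x1f2a,  0x2000,  5.51434056843,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
]


def triage_sections(sections):
    """Return (section name, reason) pairs for sections an analyst should look at.
    Thresholds are assumptions chosen for this example."""
    findings = []
    for name, _vsize, rawsize, entropy, chars in sections:
        executable = "IMAGE_SCN_MEM_EXECUTE" in chars
        if executable and entropy > 7.0:
            findings.append((name, "executable section with entropy > 7.0 (packed or encrypted code)"))
        if not executable and entropy > 7.5 and rawsize >= 0x10000:
            findings.append((name, "large high-entropy data section (likely encrypted payload)"))
        if name not in STANDARD_NAMES:
            findings.append((name, "non-standard section name"))
        if rawsize > 0 and entropy == 0.0:
            findings.append((name, "zero-entropy bytes on disk (filler that only inflates the file)"))
    return findings


def filler_bytes(sections) -> int:
    """Total on-disk bytes spent on zero-entropy sections."""
    return sum(raw for _, _, raw, entropy, _ in sections if raw > 0 and entropy == 0.0)


if __name__ == "__main__":
    for name, reason in triage_sections(SAMPLE_SECTIONS):
        print(f"{name:<8} {reason}")
    print(f"filler bytes in subset: {filler_bytes(SAMPLE_SECTIONS):#x}")
```

On the subset above the rules flag .text (packed code), .rdata (encrypted payload candidate), .qkm and .wucsxe (random name plus zero-filled) and .gxixek (random name only), and leave .data, .pdata, .rsrc and .reloc alone; extended to the full table, the 31 random-name sections account for several hundred KiB of zero bytes, which is consistent with padding added to push the file past size limits of scanners and sandboxes.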

            Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc00a0 | 0x370 | data | English | United States
RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States

            Imports

DLL | Import
USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll | CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll | CertGetCTLContextProperty
ADVAPI32.dll | AddAccessDeniedObjectAce
SHLWAPI.dll | ChrCmpIW

            Exports

Name | Ordinal | Address
CopyPropVariant | 10 | 0x140023308
CreatePropVariant | 11 | 0x140002428
CreatePropertyStore | 12 | 0x140007828
DestroyPropVariant | 13 | 0x14001de24
FormatTagFromWfx | 1 | 0x1400222b4
GetAMSubtypeFromD3DFormat | 14 | 0x140022d18
GetD3DFormatFromMFSubtype | 15 | 0x14003f734
MFAddPeriodicCallback | 16 | 0x1400238e0
MFAllocateSerialWorkQueue | 17 | 0x14002bcac
MFAllocateWorkQueue | 18 | 0x1400204f8
MFAllocateWorkQueueEx | 19 | 0x140038680
MFAppendCollection | 20 | 0x14001a25c
MFAverageTimePerFrameToFrameRate | 21 | 0x14001eae4
MFBeginCreateFile | 22 | 0x14001af34
MFBeginGetHostByName | 23 | 0x14001df68
MFBeginRegisterWorkQueueWithMMCSS | 24 | 0x140004d98
MFBeginRegisterWorkQueueWithMMCSSEx | 25 | 0x140010714
MFBeginUnregisterWorkQueueWithMMCSS | 26 | 0x1400114b4
MFCalculateBitmapImageSize | 27 | 0x140004674
MFCalculateImageSize | 28 | 0x14001c86c
MFCallStackTracingClearSnapshot | 29 | 0x1400305d0
MFCallStackTracingLogSessionErrors | 30 | 0x140001ea0
MFCallStackTracingRestoreSnapshot | 31 | 0x140035570
MFCallStackTracingTakeSnapshot | 32 | 0x14003f0d8
MFCancelCreateFile | 33 | 0x14000a6c4
MFCancelWorkItem | 34 | 0x140012c90
MFClearLocalMFTs | 35 | 0x140021744
MFCompareFullToPartialMediaType | 36 | 0x14003ccdc
MFCompareSockaddrAddresses | 37 | 0x140023bd4
MFConvertColorInfoFromDXVA | 38 | 0x140035380
MFConvertColorInfoToDXVA | 39 | 0x14003ff5c
MFConvertFromFP16Array | 40 | 0x140005ca4
MFConvertToFP16Array | 41 | 0x140041214
MFCopyImage | 42 | 0x140011c4c
MFCreate2DMediaBuffer | 43 | 0x1400026ec
MFCreate2DMediaBufferOn1DMediaBuffer | 44 | 0x14002df9c
MFCreateAMMediaTypeFromMFMediaType | 45 | 0x14002f304
MFCreateAlignedMemoryBuffer | 46 | 0x14003269c
MFCreateAlignedSharedMemoryBuffer | 47 | 0x140033668
MFCreateAsyncResult | 48 | 0x140030c38
MFCreateAttributes | 49 | 0x14000f0cc
MFCreateAudioMediaType | 50 | 0x14002be34
MFCreateByteStreamHandlerAppServiceActivate | 51 | 0x140018b64
MFCreateCollection | 52 | 0x14002ea68
MFCreateContentDecryptorContext | 53 | 0x140009840
MFCreateContentProtectionDevice | 54 | 0x1400184b0
MFCreateDXGIDeviceManager | 55 | 0x1400346bc
MFCreateDXGISurfaceBuffer | 56 | 0x140033790
MFCreateDXSurfaceBuffer | 57 | 0x14001bd50
MFCreateEventQueue | 58 | 0x14000d868
MFCreateFence | 59 | 0x140002b00
MFCreateFile | 60 | 0x140035720
MFCreateFileFromHandle | 61 | 0x140020c48
MFCreateLegacyMediaBufferOnMFMediaBuffer | 62 | 0x140008368
MFCreateMFByteStreamOnIStreamWithFlags | 63 | 0x140040134
MFCreateMFByteStreamOnStream | 64 | 0x140020cf4
MFCreateMFByteStreamOnStreamEx | 65 | 0x14001acdc
MFCreateMFByteStreamWrapper | 66 | 0x14002ceb0
MFCreateMFVideoFormatFromMFMediaType | 67 | 0x140015b88
MFCreateMediaBufferFromMediaType | 68 | 0x140021b08
MFCreateMediaBufferWrapper | 69 | 0x14003b218
MFCreateMediaEvent | 70 | 0x14003759c
MFCreateMediaEventResult | 71 | 0x140026f80
MFCreateMediaExtensionActivate | 72 | 0x14002edc8
MFCreateMediaExtensionActivateNoInit | 73 | 0x14001a92c
MFCreateMediaExtensionAppServiceActivate | 74 | 0x140013124
MFCreateMediaExtensionInprocActivate | 75 | 0x1400120d8
MFCreateMediaType | 76 | 0x14002b764
MFCreateMediaTypeFromProperties | 77 | 0x1400236d4
MFCreateMediaTypeFromRepresentation | 78 | 0x14000eddc
MFCreateMemoryBuffer | 79 | 0x140010e28
MFCreateMemoryBufferFromRawBuffer | 80 | 0x140013c9c
MFCreateMemoryStream | 81 | 0x140001f90
MFCreateMuxStreamAttributes | 82 | 0x140004ed0
MFCreateMuxStreamMediaType | 83 | 0x1400237c8
MFCreateMuxStreamSample | 84 | 0x140039c6c
MFCreateOOPMFTProxy | 85 | 0x14000803c
MFCreateOOPMFTRemote | 86 | 0x14001d880
MFCreatePathFromURL | 87 | 0x14001431c
MFCreatePresentationDescriptor | 88 | 0x14000dfec
MFCreatePropertiesFromMediaType | 89 | 0x140015cac
MFCreateReusableByteStream | 90 | 0x1400342f4
MFCreateReusableByteStreamWithSharedLock | 91 | 0x140006228
MFCreateSample | 92 | 0x14002ade8
MFCreateSecureBufferAllocator | 93 | 0x14001fe18
MFCreateSharedMemoryMediaBufferFromMediaType | 94 | 0x140013928
MFCreateSocket | 95 | 0x14000ec58
MFCreateSocketListener | 96 | 0x140004150
MFCreateSourceResolver | 97 | 0x14002bc38
MFCreateSourceResolverInternal | 98 | 0x140009f04
MFCreateStagingSurfaceWrapper | 99 | 0x14002760c
MFCreateStreamDescriptor | 100 | 0x1400095b0
MFCreateStreamOnMFByteStream | 101 | 0x1400047dc
MFCreateStreamOnMFByteStreamEx | 102 | 0x1400209a8
MFCreateSystemTimeSource | 103 | 0x140013f90
MFCreateTelemetrySession | 104 | 0x1400311fc
MFCreateTempFile | 105 | 0x14001f4f8
MFCreateTrackedSample | 106 | 0x14001b2d4
MFCreateTransformActivate | 107 | 0x1400134e4
MFCreateURLFromPath | 108 | 0x14000de7c
MFCreateUdpSockets | 109 | 0x14000599c
MFCreateVideoDecryptorContext | 110 | 0x140038d48
MFCreateVideoMediaType | 111 | 0x14002bd78
MFCreateVideoMediaTypeFromBitMapInfoHeader | 112 | 0x140024960
MFCreateVideoMediaTypeFromBitMapInfoHeaderEx | 113 | 0x1400108dc
MFCreateVideoMediaTypeFromSubtype | 114 | 0x14003f6e4
MFCreateVideoMediaTypeFromVideoInfoHeader | 115 | 0x140023e30
MFCreateVideoMediaTypeFromVideoInfoHeader2 | 116 | 0x14003cc5c
MFCreateVideoSampleAllocatorEx | 117 | 0x14003f4f8
MFCreateWICBitmapBuffer | 118 | 0x14003959c
MFCreateWaveFormatExFromMFMediaType | 119 | 0x1400028a8
MFDeserializeAttributesFromStream | 120 | 0x14003f5ec
MFDeserializeEvent | 121 | 0x140031a2c
MFDeserializeMediaTypeFromStream | 122 | 0x14003fbb0
MFDeserializePresentationDescriptor | 123 | 0x140018850
MFEndCreateFile | 124 | 0x140041600
MFEndGetHostByName | 125 | 0x14003cce0
MFEndRegisterWorkQueueWithMMCSS | 126 | 0x140011660
MFEndUnregisterWorkQueueWithMMCSS | 127 | 0x1400259e8
MFEnumLocalMFTRegistrations | 2 | 0x140032120
MFFrameRateToAverageTimePerFrame | 128 | 0x14003df74
MFFreeAdaptersAddresses | 129 | 0x140014668
MFGetAdaptersAddresses | 130 | 0x14002e758
MFGetAttributesAsBlob | 131 | 0x14000f98c
MFGetAttributesAsBlobSize | 132 | 0x140005298
MFGetCallStackTracingWeakReference | 133 | 0x140008248
MFGetConfigurationDWORD | 134 | 0x140005e44
MFGetConfigurationPolicy | 135 | 0x14003c4d0
MFGetConfigurationStore | 136 | 0x140004f40
MFGetConfigurationString | 137 | 0x14003e5a8
MFGetContentProtectionSystemCLSID | 138 | 0x14003f36c
MFGetMFTMerit | 139 | 0x14003be78
MFGetNumericNameFromSockaddr | 140 | 0x14003f858
MFGetPlaneSize | 141 | 0x14000ce34
MFGetPlatformFlags | 3 | 0x1400144b0
MFGetPlatformVersion | 4 | 0x140032684
MFGetPluginControl | 142 | 0x1400375b4
MFGetRandomNumber | 5 | 0x14000cac4
MFGetSockaddrFromNumericName | 143 | 0x140024734
MFGetStrideForBitmapInfoHeader | 144 | 0x1400093dc
MFGetSupportedMimeTypes | 145 | 0x140008058
MFGetSupportedSchemes | 146 | 0x14003994c
MFGetSystemTime | 147 | 0x140037848
MFGetTimerPeriodicity | 148 | 0x140027e10
MFGetUncompressedVideoFormat | 149 | 0x140023948
MFGetWorkQueueMMCSSClass | 150 | 0x1400401d0
MFGetWorkQueueMMCSSPriority | 151 | 0x14002c068
MFGetWorkQueueMMCSSTaskId | 152 | 0x14000df70
MFHasLocallyRegisteredByteStreamHandlers | 153 | 0x14003b970
MFHasLocallyRegisteredSchemeHandlers | 154 | 0x14003b048
MFHeapAlloc | 155 | 0x14002a870
MFHeapFree | 156 | 0x140039604
MFInitAMMediaTypeFromMFMediaType | 157 | 0x14001b2dc
MFInitAttributesFromBlob | 158 | 0x140002cfc
MFInitMediaTypeFromAMMediaType | 159 | 0x14001f3bc
MFInitMediaTypeFromMFVideoFormat | 160 | 0x14001cc8c
MFInitMediaTypeFromMPEG1VideoInfo | 161 | 0x140028804
MFInitMediaTypeFromMPEG2VideoInfo | 162 | 0x14001d8a4
MFInitMediaTypeFromVideoInfoHeader | 163 | 0x140001228
MFInitMediaTypeFromVideoInfoHeader2 | 164 | 0x14003ca9c
MFInitMediaTypeFromWaveFormatEx | 165 | 0x140017560
MFInitVideoFormat | 166 | 0x14002800c
MFInitVideoFormat_RGB | 167 | 0x140035508
MFInvalidateMFTEnumCache | 168 | 0x140008e9c
MFInvokeCallback | 169 | 0x1400183e4
MFIsBottomUpFormat | 170 | 0x1400017b8
MFIsContentProtectionDeviceSupported | 171 | 0x140027e70
MFIsFeatureEnabled | 6 | 0x140007164
MFIsLocallyRegisteredMimeType | 172 | 0x140013f84
MFIsLocallyRegisteredSchemeHandler | 173 | 0x140023170
MFJoinWorkQueue | 174 | 0x140015418
MFLockDXGIDeviceManager | 175 | 0x14002f0c8
MFLockPlatform | 176 | 0x14003343c
MFLockSharedWorkQueue | 177 | 0x140035470
MFLockWorkQueue | 178 | 0x140028bd4
MFMapDX9FormatToDXGIFormat | 179 | 0x14002dcd0
MFMapDXGIFormatToDX9Format | 180 | 0x14002a9d0
MFPlatformBigEndian | 7 | 0x14003bd5c
MFPlatformLittleEndian | 8 | 0x14000c594
MFPutWaitingWorkItem | 181 | 0x14000f270
MFPutWorkItem | 182 | 0x14002591c
MFPutWorkItem2 | 183 | 0x140020994
MFPutWorkItemEx | 184 | 0x14002fc94
MFPutWorkItemEx2 | 185 | 0x14002e2c0
MFRegisterLocalByteStreamHandler | 186 | 0x14002c8ec
MFRegisterLocalSchemeHandler | 187 | 0x14003e4fc
MFRegisterPlatformWithMMCSS | 188 | 0x14000b464
MFRemovePeriodicCallback | 189 | 0x140029818
MFScheduleWorkItem | 190 | 0x140038778
MFScheduleWorkItemEx | 191 | 0x140029e00
MFSerializeAttributesToStream | 192 | 0x140003a7c
MFSerializeEvent | 193 | 0x1400055c0
MFSerializeMediaTypeToStream | 194 | 0x140025604
MFSerializePresentationDescriptor | 195 | 0x14002da30
MFSetMinimumMemoryAlignment | 196 | 0x140021474
MFSetSockaddrAny | 197 | 0x140030224
MFSetWindowForContentProtection | 198 | 0x140026ac0
MFShutdown | 199 | 0x14000375c
MFStartup | 200 | 0x14000db00
MFStreamDescriptorProtectMediaType | 201 | 0x14002e870
MFTEnum | 202 | 0x14002542c
MFTEnum2 | 203 | 0x14003a0ec
MFTEnumEx | 204 | 0x140039528
MFTGetInfo | 205 | 0x140028b98
MFTRegister | 206 | 0x14000fae4
MFTRegisterLocal | 207 | 0x14000fab8
MFTRegisterLocalByCLSID | 208 | 0x140040374
MFTUnregister | 209 | 0x14003be90
MFTUnregisterLocal | 210 | 0x140030524
MFTUnregisterLocalByCLSID | 211 | 0x140013470
MFTraceError | 212 | 0x140007cd8
MFTraceFuncEnter | 213 | 0x14002d694
MFUnjoinWorkQueue | 214 | 0x140033fcc
MFUnlockDXGIDeviceManager | 215 | 0x1400180a4
MFUnlockPlatform | 216 | 0x140032b68
MFUnlockWorkQueue | 217 | 0x140004918
MFUnregisterPlatformFromMMCSS | 218 | 0x14003c798
MFUnwrapMediaType | 219 | 0x14002ed44
MFValidateMediaTypeSize | 220 | 0x14002f3f4
MFWrapMediaType | 221 | 0x14000d5f0
MFWrapSocket | 222 | 0x14000f674
MFllMulDiv | 223 | 0x140026014
PropVariantFromStream | 224 | 0x140023bb4
PropVariantToStream | 225 | 0x140022310
ValidateWaveFormat | 9 | 0x140036380

            Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserv
InternalName | bitsp
FileVersion | 7.5.7600.16385 (win7_rtm.090713-
CompanyName | Microsoft Corporati
ProductName | Microsoft Windows Operating S
ProductVersion | 6.1.7600
FileDescription | Background Intellig
OriginalFilename | kbdy
Translation | 0x0409 0x04b0

            Possible Origin

Language of compilation system | Country where language is spoken
English | United States

            Network Behavior

            Network Port Distribution

            UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 28, 2021 10:52:18.943373919 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:18.971746922 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:48.730741024 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:48.778919935 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:49.734600067 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:49.776108980 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:50.722290993 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:50.767255068 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:51.199672937 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:51.219640970 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:52.351464033 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:52.388010979 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:53.905107021 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:53.928014994 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:55.017039061 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:55.034552097 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:56.528999090 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:56.557730913 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:57.504981995 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:57.524214029 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:58.911386013 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:58.930448055 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:52:59.624475002 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:52:59.649210930 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:53:05.142904043 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:53:05.164335966 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:53:36.910737991 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:53:36.938954115 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:53:42.748037100 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:53:42.788958073 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Sep 28, 2021 10:53:43.717382908 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Sep 28, 2021 10:53:43.754420996 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4


            System Behavior

            General

            Start time:10:51:52
            Start date:28/09/2021
            Path:C:\Windows\System32\loaddll64.exe
            Wow64 process (32bit):false
            Commandline:loaddll64.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll'
            Imagebase:0x7ff690cb0000
            File size:140288 bytes
            MD5 hash:A84133CCB118CF35D49A423CD836D0EF
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:51:53
            Start date:28/09/2021
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
            Imagebase:0x7ff622070000
            File size:273920 bytes
            MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:10:51:53
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.760994382.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:51:53
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.666186606.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:51:54
            Start date:28/09/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff6fee60000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:10:51:56
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropVariant
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.673965568.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:52:00
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropertyStore
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.681251793.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:52:03
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,DestroyPropVariant
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.688453025.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:52:07
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,FormatTagFromWfx
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.698430783.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:10
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetAMSubtypeFromD3DFormat
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.703548461.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:14
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetD3DFormatFromMFSubtype
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000002.710759124.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:17
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAddPeriodicCallback
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000002.718583222.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:21
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateSerialWorkQueue
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000F.00000002.726244001.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:24
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueue
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000010.00000002.733013846.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:28
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueueEx
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.741881097.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:32
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAppendCollection
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.749401860.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:35
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAverageTimePerFrameToFrameRate
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.756539402.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:38
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginCreateFile
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.820144134.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:40
            Start date:28/09/2021
            Path:C:\Windows\System32\bdeunlock.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\bdeunlock.exe
            Imagebase:0x7ff6563e0000
            File size:286232 bytes
            MD5 hash:FAB70105E2075EEC9C249A4D499CAE7C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:10:52:42
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginGetHostByName
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000017.00000002.776537982.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:46
            Start date:28/09/2021
            Path:C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
            Imagebase:0x7ff77b970000
            File size:286232 bytes
            MD5 hash:FAB70105E2075EEC9C249A4D499CAE7C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.783009139.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:47
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSS
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.783658899.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:50
            Start date:28/09/2021
            Path:C:\Windows\System32\CameraSettingsUIHost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\CameraSettingsUIHost.exe
            Imagebase:0x7ff72c230000
            File size:32104 bytes
            MD5 hash:34F32BC06CDC7AF56607D351B155140D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:10:52:51
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSSEx
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001E.00000002.794067616.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:55
            Start date:28/09/2021
            Path:C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
            Imagebase:0x7ff7fd010000
            File size:32104 bytes
            MD5 hash:34F32BC06CDC7AF56607D351B155140D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.800645636.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 0%, Metadefender
            • Detection: 0%, ReversingLabs

            General

            Start time:10:52:55
            Start date:28/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginUnregisterWorkQueueWithMMCSS
            Imagebase:0x7ff6d7cd0000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.802131007.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:10:52:58
            Start date:28/09/2021
            Path:C:\Windows\System32\pwcreator.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\pwcreator.exe
            Imagebase:0x7ff7f0e90000
            File size:800768 bytes
            MD5 hash:BF33FA218E0B4F6AEC77616BE0F5DD9D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:10:52:58
            Start date:28/09/2021
            Path:C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
            Imagebase:0x7ff647f70000
            File size:800768 bytes
            MD5 hash:BF33FA218E0B4F6AEC77616BE0F5DD9D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.812206472.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 0%, ReversingLabs

            Disassembly

            Code Analysis

              Executed Functions

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: }*$}*

              Similarity
              • API ID: ConsoleEntryFreePoint
              • String ID: )8GV$d

              Similarity
              • API ID: InfoSystem
              • String ID: sy;$sy;

              Similarity
              • API ID:
              • String ID: }*$}*

              Similarity
              • API ID: FileFindFirst
              • String ID: .

              Similarity
              • API ID:
              • String ID: )8GV$)8GV

              Similarity
              • API ID: InformationQuerySystem
              • String ID:

              Similarity
              • API ID: FileFindLoadNext
              • String ID:

              Similarity
              • API ID: CloseExitProcess
              • String ID:

              Similarity
              • API ID: Close
              • String ID:

              APIs
              • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
              • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
              • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
              • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664
              Similarity
              • API ID: Close$EnumOpen
              • String ID:

              Memory Dump Source
              • Source File: 00000000.00000002.826683092.0000020AD8030000.00000040.00000001.sdmp, Offset: 0000020AD8030000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:

              APIs
              • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B
              Similarity
              • API ID: DescriptorSecurity$ConvertString
              • String ID: 4aX

              Similarity
              • API ID: File$PointerRead
              • String ID:

              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
              • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
              Similarity
              • API ID: File$CreateTime
              • String ID:

              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
              • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID: File$CreateTime
              • String ID:
              • API String ID: 1043708186-0
              • Opcode ID: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
              • Instruction ID: bee1728ae0ee1a0caa625709e376bb4aadd3217f15d1bcce0d190476addee932
              • Opcode Fuzzy Hash: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
              • Instruction Fuzzy Hash: BE21D332311A4581EA72DA66A0407EA3795B78CBE4F184527AF9D077E5DE7AC806C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
              • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$CreateTime
              • String ID:
              • API String ID: 1043708186-0
              • Opcode ID: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
              • Instruction ID: a00dbcca095f64b26cda9c271166364bdf2e86a9b80154192fb139b54d898421
              • Opcode Fuzzy Hash: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
              • Instruction Fuzzy Hash: 5521E532315A4581EA72DB62A0407EE3791F78CBE4F184517AFAD077E5DE7AC806C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060D85
              • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060DE8
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
              • Instruction ID: 09cc4365fb23fa9fe14c599ab373ea3e5ec1bde103bfdbf39ccb6e9a9538c2db
              • Opcode Fuzzy Hash: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
              • Instruction Fuzzy Hash: F521A37671569046EF52CB56E8003AFA391EB897F4F184621BF9C07BE8EA38D582C750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
              • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$CreateTime
              • String ID:
              • API String ID: 1043708186-0
              • Opcode ID: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
              • Instruction ID: 68fcab11a3bde380270331896f94efb0ab36e54eb9d04e7f46ecdc112822b6b1
              • Opcode Fuzzy Hash: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
              • Instruction Fuzzy Hash: 6821C132315A4541EA72DB62A0407EA3795F78CBE4F184627EFAD077E5DE7AC806C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: ComputerName
              • String ID:
              • API String ID: 3545744682-0
              • Opcode ID: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
              • Instruction ID: 560481d37deeb2f3cc02cd101c0a384bc9ca8e36dca6fa428839860d024f360c
              • Opcode Fuzzy Hash: 505a76da9390751f76a813a8bc9fce4b727984ade222f3073bfceff6bf9580dc
              • Instruction Fuzzy Hash: EDA15D3271064099EB12EFB6C4913EE2365A7987C8F915126BF0D67AFAEF34C609C750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
              • Instruction ID: 2cd33cf12082532a652157af79f02d7873b375395221c82c38bac87e111ef697
              • Opcode Fuzzy Hash: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
              • Instruction Fuzzy Hash: 6E51B2326117408AEB66EB22A0013EE6291EB9DBC4F580535FF4E477E6DF39C802D790
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: FileFindNext
              • String ID:
              • API String ID: 2029273394-0
              • Opcode ID: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
              • Instruction ID: fe48dd106ee2d63de4642147a978de6f9e341aec22c75ad1205c2678dbe1ece1
              • Opcode Fuzzy Hash: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
              • Instruction Fuzzy Hash: 80115B7561034082FF76DA6691047E933E1EB697C8F051013EF59472E9EB36C8D2C751
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: EnumValue
              • String ID:
              • API String ID: 2814608202-0
              • Opcode ID: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
              • Instruction ID: 650aff04d41c3b1619de3e88208a4500c6b85af191ab70c767efd2679610bbe3
              • Opcode Fuzzy Hash: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
              • Instruction Fuzzy Hash: 1C112E72204B8486D7219F12E84039EB7A5F788B90FA89529EB8D43B58DF39D991CB44
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: CreateHeap
              • String ID:
              • API String ID: 10892065-0
              • Opcode ID: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
              • Instruction ID: 54976bf3431427af6da968cf6b263ec8d4a99ac7c2bea2f2fd5649cd882baac1
              • Opcode Fuzzy Hash: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
              • Instruction Fuzzy Hash: B901D635706A8082EB528712FA4039A73A0F78C3C4F198524EF884B7A5EF38C8518B44
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: BoundaryDeleteDescriptor
              • String ID:
              • API String ID: 3203483114-0
              • Opcode ID: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
              • Instruction ID: 7e2fcedd46cf55f04110c2a11ced308778be976df41b62f125aabd7639a18320
              • Opcode Fuzzy Hash: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
              • Instruction Fuzzy Hash: 70F0F878A4730141FE6A63B354543A511821FCC7C4F0E8834AF095B7A6EE38CD518699
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000020AD80329A8), ref: 0000020AD80320A7
              Memory Dump Source
              • Source File: 00000000.00000002.826683092.0000020AD8030000.00000040.00000001.sdmp, Offset: 0000020AD8030000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 9448ddccacd77a759998973199a70e9e6828a26bc52af76e4645add8c35edacd
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 4C312972615B9086D790DF1AE45475A7BA1F389BD4F609026EF8D87B28DF3AC446CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: 0020$0020$3050$3050$4040$GNOP
              • API String ID: 0-829999343
              • Opcode ID: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
              • Instruction ID: 282167bc52f218920562f67345f8403ae15435ff558287d674a5e0b6e797f698
              • Opcode Fuzzy Hash: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
              • Instruction Fuzzy Hash: 4172507261068195EB22EF26D8913EE6365FB983C8F804016FB4E475FAEF34CA45C750
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU
              • API String ID: 0-2165971703
              • Opcode ID: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
              • Instruction ID: a95f611128f1d5d13a9bca75b656ea52fec65ffdb08565925219bb8e60db198b
              • Opcode Fuzzy Hash: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
              • Instruction Fuzzy Hash: 2252BE727046848AEB6A8F6AD5503ED7BA1F3087D8F144116FF569BAE8D73CC981C700
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: SW$SW$SW$SW
              • API String ID: 0-1120820918
              • Opcode ID: 4269d42bb04da8d2d584da9acdb52bde17cfea0105d642131f8bc10ec3972926
              • Instruction ID: 5271b3b9b35d550c8de01999338ba1aa790ab169e66fccb1d44a6718ff6f2241
              • Opcode Fuzzy Hash: 4269d42bb04da8d2d584da9acdb52bde17cfea0105d642131f8bc10ec3972926
              • Instruction Fuzzy Hash: 4C026D3170160146EB62EB73D8603EE2396AB9C3C8F554925BB4D87BEAEF35DA01C310
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: GC,$GC,$GC,$GC,
              • API String ID: 0-2774350030
              • Opcode ID: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
              • Instruction ID: dd0ba4053c6bdb050c0e262549aa376da4335980b2dde8bb0cc8774c9fa84b1c
              • Opcode Fuzzy Hash: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
              • Instruction Fuzzy Hash: 39B14A3232168096EA16EB22D4513EFA765FBDC7C4F854425FB4E57ABAEE38C605C700
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: }*$}*
              • API String ID: 0-2047341001
              • Opcode ID: a0a69438047e54f28e9ccb842af0afe3b69bef60083965763f3b059d71ba89a0
              • Instruction ID: 7c281f25cbc51a2c663274e483e0a5d4adc9f9b548fde4e06667abda5a9e2262
              • Opcode Fuzzy Hash: a0a69438047e54f28e9ccb842af0afe3b69bef60083965763f3b059d71ba89a0
              • Instruction Fuzzy Hash: 6E03CB72201B8482EB26CF23D4543ED67A1F78DBC4F994416EF4A177A6EB3AC945C380
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: )8GV$)8GV$@
              • API String ID: 0-2802744955
              • Opcode ID: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
              • Instruction ID: d4403fa2ef2757ed15b0d897a8d3d48ae9d82dee7601a7ae60b507309942f45e
              • Opcode Fuzzy Hash: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
              • Instruction Fuzzy Hash: 8F326E72610A8095FB22EB72D8513EE6365FB997C8F940026BB4E476FADF34CA05C750
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: */*$GET$POST
              • API String ID: 0-3233530491
              • Opcode ID: 32d11deb30a1a87af2e00d0bceae541fc6016cb2569d4fb9eca702019c111a5c
              • Instruction ID: 6cf15a5ed41f927c804a0d4041fd2741414eb33ceb6b5d93e391305a3a4948eb
              • Opcode Fuzzy Hash: 32d11deb30a1a87af2e00d0bceae541fc6016cb2569d4fb9eca702019c111a5c
              • Instruction Fuzzy Hash: 57125C72610A8196EB11EF72E8913DE6765F7883D8F904122FB4E57AAADF34C249C740
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: GC,$GC,${QN
              • API String ID: 0-3150587038
              • Opcode ID: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
              • Instruction ID: 9244b60d004d0bd22f383007071d62e4da67c70af0efad37e4d475a9577969ab
              • Opcode Fuzzy Hash: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
              • Instruction Fuzzy Hash: D851B3726017408AEB26AF72A0517DF3392EB98398F559529FB4E0BBE9DF39C401C741
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: 0$GC,
              • API String ID: 0-3557465234
              • Opcode ID: 666bbe70a71d3c2c69398fa3d4293e156315b44e2ec60054ed199f516d69305b
              • Instruction ID: 8e8f5bced65d739128878f1be46f709eb140c798bd495bd8ba2efbba04664ca7
              • Opcode Fuzzy Hash: 666bbe70a71d3c2c69398fa3d4293e156315b44e2ec60054ed199f516d69305b
              • Instruction Fuzzy Hash: 90F1C132705B8086EB56DB26A5503EE77A5F788BC8F544029FF8A47BA9DF38C845C740
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: cLpS$cLpS
              • API String ID: 0-581437482
              • Opcode ID: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
              • Instruction ID: d6b56411a1e340b191dd7f08d0c8a8920ca136b0ade9766ce73097337fe28e3c
              • Opcode Fuzzy Hash: 34fd53aa0ebdbc9f7987fe69826bd589cd4ce70c6830deca293095981677af5c
              • Instruction Fuzzy Hash: F5916E32700A41A6FB12EB72D5513ED2366AB983D8F900126BF1D97AFADF34D919D340
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: D
              • API String ID: 0-2746444292
              • Opcode ID: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
              • Instruction ID: a2166a60d7ca2b4a0d1872d5e3506bb785f107662951e93f9f6f62b20c08bf0e
              • Opcode Fuzzy Hash: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
              • Instruction Fuzzy Hash: 32827E3222468186EB13EB26D4907EF6365FBD8794F904612FB5A47AFADF38C605C740
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: GET
              • API String ID: 0-1805413626
              • Opcode ID: 27aa1fcbf8bb0fd35ba8f1726e1321bde18c1ec1ebf4c6ce6eb5ba4c065116bb
              • Instruction ID: e67aa13565bd515be4758c424d677281e7e48e69fdea67d752e56d6b70eb8f16
              • Opcode Fuzzy Hash: 27aa1fcbf8bb0fd35ba8f1726e1321bde18c1ec1ebf4c6ce6eb5ba4c065116bb
              • Instruction Fuzzy Hash: 7182CFB262568082FB52EB26E491BEE6761F7C97C8F851022FB4A576E7CF38C505C701
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: CloseEnvironmentExpandStrings
              • String ID:
              • API String ID: 1839112984-0
              • Opcode ID: 0c8cab0b1b935b3a37cb31b96907ffd9b34d960d626d1d55b93d79ad55693549
              • Instruction ID: c0dbe0ee55e83fb6c0f3bef3624a57e5635b4c6ed11a4d6c977be8f15ec7e338
              • Opcode Fuzzy Hash: 0c8cab0b1b935b3a37cb31b96907ffd9b34d960d626d1d55b93d79ad55693549
              • Instruction Fuzzy Hash: CB427E32710A4096FB12EB72D4913EE6765EB983D8F814422BB4D4BAFAEF34C645C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 687ffdf343c2e9789a5d1ebb489b5c539987e33f75712a11b993f063ce15b1a2
              • Instruction ID: abc698a25be580435ac5d46bd6b01b3c7dd535f90f9c32282677b8a643a0cbd6
              • Opcode Fuzzy Hash: 687ffdf343c2e9789a5d1ebb489b5c539987e33f75712a11b993f063ce15b1a2
              • Instruction Fuzzy Hash: 3C427D3271068095FB22EB76D8513EE2361EB993C8F904121BB0E5BAFAEF79C545C740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 127911a31568296dbbdbd0e7203d4322e69c18d1e401fad8c93ef71fb1fa4fd2
              • Instruction ID: 0bcce83d19b55e388762cc41cc2fbdfa61478623d1bee2f25155124e52c32027
              • Opcode Fuzzy Hash: 127911a31568296dbbdbd0e7203d4322e69c18d1e401fad8c93ef71fb1fa4fd2
              • Instruction Fuzzy Hash: 8A128E3271468095FB22EB72D8913EE2355EB997C4F804026BB4E5BAFADF35C605C750
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: cLpS
              • API String ID: 0-2886372077
              • Opcode ID: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
              • Instruction ID: 96b4c198141fe6e7034ab14ad9d5ea3cda72442e6a1109ae0a48173783152c86
              • Opcode Fuzzy Hash: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
              • Instruction Fuzzy Hash: CF528D7272464092FA12EB62E8517EE63A5FB9C7C4F814022BB4E57BBADF38C505C750
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: CreateMutex
              • String ID: m
              • API String ID: 1964310414-3775001192
              • Opcode ID: 079af9642e33be8b1418e23995d0953d3028e11a16e9caecd14c6a2ac72b7534
              • Instruction ID: 0a9d90af75a6ede7406656d6adb6787827cf479cbe6b14872f7c626c13ea0b6d
              • Opcode Fuzzy Hash: 079af9642e33be8b1418e23995d0953d3028e11a16e9caecd14c6a2ac72b7534
              • Instruction Fuzzy Hash: 6A529B32710A80A6F74EEB32C5913EE7369F788384F904026AB2947AE6DF34D576C750
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: s( j
              • API String ID: 0-1450404818
              • Opcode ID: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
              • Instruction ID: 6f5b3d0b06e06ce3defbe5b62ba999e8dce43b7996f1ec96da6707378b1ebcba
              • Opcode Fuzzy Hash: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
              • Instruction Fuzzy Hash: 14325632715B9085EB16EF66D8513ED73A5FB88B88F454026EB4E5BBAADF38C505C300
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: CloseEnumValue
              • String ID: kw9b
              • API String ID: 858281747-837114885
              • Opcode ID: e8ba736cc1ae897b53590531b1c8201d906e4f93dc6415c10813659a3bbeb7cc
              • Instruction ID: a79da12e532d7eb86b4034213f2927d281404f76e1d3d8be4d202bd2a10f559e
              • Opcode Fuzzy Hash: e8ba736cc1ae897b53590531b1c8201d906e4f93dc6415c10813659a3bbeb7cc
              • Instruction Fuzzy Hash: D622A03270064056FB22EB62E4513EE6361EB8C7D8F814625BB4E57AFADF38CA05C750
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: U
              • API String ID: 0-3372436214
              • Opcode ID: 1612c2b18446cb3e650eba47dd8b229cab4fb8fae804e2c9001081e94953d27d
              • Instruction ID: 04dcf981b535b3d5a04f4e0f983876b723d65533687fb2a3abc72c4897885b35
              • Opcode Fuzzy Hash: 1612c2b18446cb3e650eba47dd8b229cab4fb8fae804e2c9001081e94953d27d
              • Instruction Fuzzy Hash: 7A22A032714A8095FB22EB76D4913EE2761EB993D4F900122BB4E5BAFADF38C545C710
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: Content-Type
              • API String ID: 0-2058190213
              • Opcode ID: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
              • Instruction ID: 8ed0294b40edec3e111ebf6e63eddced9ff886ac8d86313f53d4d34ac86a637b
              • Opcode Fuzzy Hash: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
              • Instruction Fuzzy Hash: D0128B7271064096EB26EB72D0953EE63A5EB9D7C8F804029FB4E576B6DF34C909C341
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: Close
              • String ID: 0
              • API String ID: 3535843008-4108050209
              • Opcode ID: 7016f170174e11ab425f8740a2873dc54fd790cf1ab3d78218ff6c8b86cc580b
              • Instruction ID: 021d52728ad99ff4b45c00a2ee63d530dbb35c35c3e7b67721d4418a9cae59c0
              • Opcode Fuzzy Hash: 7016f170174e11ab425f8740a2873dc54fd790cf1ab3d78218ff6c8b86cc580b
              • Instruction Fuzzy Hash: A4D1483271064185EB22EB66D8503EF6365FB987C8F944421FF4E57AAAEF34CA05C340
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
              • Instruction ID: 091f4e73938a5afec608f70625f4eed5baac112ec883e15b973b01c59944fd94
              • Opcode Fuzzy Hash: 13b354268872ef66367d09f0eaf7f41c1b6cce90139d1ccde9a6c23eddc411d2
              • Instruction Fuzzy Hash: 8FB1903271164156FB26EB72C0513EE2365A78C7C8F554429BF0E67BEAEE34D906C350
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
              • Instruction ID: 79bcb73a3e0a748e54816e3c2b9a8955141e4b7d1d3c260807ef7fd3e9233e09
              • Opcode Fuzzy Hash: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
              • Instruction Fuzzy Hash: 4681AF3171528042FA66AB63A5513EE6382BBDC7C0F954839BF0E57BEADE38C9019750
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: tI*k
              • API String ID: 0-257501792
              • Opcode ID: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
              • Instruction ID: 2b3e36108f388e75195695150bf3b7502d87346db4925aa772ee75e92517338c
              • Opcode Fuzzy Hash: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
              • Instruction Fuzzy Hash: C891B332710A41C6FB12EB73D4913ED2365AB987C8F815026BF0E67AABDE34C605C391
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: ERCP
              • API String ID: 0-1384759551
              • Opcode ID: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
              • Instruction ID: 36d71a898891e4cfc692b0c24b63e4f8a605753b41eb4ec31f3d0d909baacb04
              • Opcode Fuzzy Hash: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
              • Instruction Fuzzy Hash: 8541C2677244554AE3189F2598213BE2391F7E8781B008838BBC7C3B99E97CCE41C754
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cb12e34294cccc152743157d68ecf537d73dadfb1b78744b1cf0542ab0e03321
              • Instruction ID: fc2f62d5942ef41123ea32f2955be4f6aadf7052ab01c2248917173129c7cd0f
              • Opcode Fuzzy Hash: cb12e34294cccc152743157d68ecf537d73dadfb1b78744b1cf0542ab0e03321
              • Instruction Fuzzy Hash: 8A82BD72301B8486EB269F23D4503EE67A5F78DFC4F964022EB4A577A6DB38C945C384
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
              • Instruction ID: b1defcb4bfd3908c290bb80924a7f4486985742b072abc47c5e9bd5be53152ef
              • Opcode Fuzzy Hash: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
              • Instruction Fuzzy Hash: FF72CE32601BA482EB26CF17E4503ED77A5FB99BC8F9A4016EB49477B6DB36C941C340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
              • Instruction ID: 8249503d4e55669e8e7119aec1729776b7b2f3ca46fae70a891a003f6664f3d4
              • Opcode Fuzzy Hash: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
              • Instruction Fuzzy Hash: 3472DF32201B9486EB26DB17E4603ED77A5FB9DBC5F894012EB4A477B6DB3AC941C340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0
              • Opcode ID: 570444da3395dbff037c1797def2714c1b19642f17c99ed10635228c9c88b714
              • Instruction ID: 4fdb0601fab6f7a848b28641239d596080eab1ec2c6ff824b21f12e2ef69b5a1
              • Opcode Fuzzy Hash: 570444da3395dbff037c1797def2714c1b19642f17c99ed10635228c9c88b714
              • Instruction Fuzzy Hash: 48722D32724A4095EB02EB76D4913EE6765EB983C4FC05012BB4E879BBEF38C649C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
              • Instruction ID: d53d10191d1a85c044aba7f3ec212ac92ce5176a248edb2932ce54add84afe44
              • Opcode Fuzzy Hash: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
              • Instruction Fuzzy Hash: 9D52BE72601B8081EB269F23D4543EE77A1F78CBC4F8A5426EB4A577B6DB38D845C348
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
              • Instruction ID: 9c06e88039ccf999e040ad7794a2e2d02b6699145a9792014979c24fd1337f6c
              • Opcode Fuzzy Hash: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
              • Instruction Fuzzy Hash: B4623CB76206548BD7668F26C080B6C37B1F35DFA8F25521ADF0A43799CB39D891CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
              • Instruction ID: acd1ff4a64a9c803ec812a22a8ce79600e1464d52fdb42fb628072365476121f
              • Opcode Fuzzy Hash: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
              • Instruction Fuzzy Hash: 64429E31301A8141FA23EB6698513EF6391EB8C7E8F544616BF5A5BBEAEE38C505C340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
              • Instruction ID: 78f3400fd7e206f6a511ea736ed45412fb3e7259efd4ed926287f6c9bd4c6aa7
              • Opcode Fuzzy Hash: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
              • Instruction Fuzzy Hash: E6427C32204A8096EB66EB32D0513EE67A4E79D3C8F914026F79A876F7DF38C945C741
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
              • Instruction ID: 8108868c1ca7c4f1afbe8bd34af9d7f1e96dfbbf12b1edd0cffad3fdf1fa0b6f
              • Opcode Fuzzy Hash: 44882556ec0b6035508ab17f7b7fd4b756285181e69dc9f77d466bd3c4569491
              • Instruction Fuzzy Hash: 3F429E3231068095FB22EB72D8913EE6765EB983D8F844122BB0D97AFADF34C645C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
              • Instruction ID: 183f2e46b23aa86a2c091461a645f9a581571388db0d92becfc597eb429af356
              • Opcode Fuzzy Hash: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
              • Instruction Fuzzy Hash: 0732AB3271064089EB16EB36D4513EE27A5EB8CBD8F555126FF0E877BADE38C4868340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fdfece18ddf6bca480a9aef1e07074b0a3e55dc7f17be70bd55bceb11844ecf8
              • Instruction ID: 71edd40f2b1ab928f6f3b4ddf8d26af45cb7d1258c95c78617a62a1a74f3288a
              • Opcode Fuzzy Hash: fdfece18ddf6bca480a9aef1e07074b0a3e55dc7f17be70bd55bceb11844ecf8
              • Instruction Fuzzy Hash: BF32AC3261068195EB12EB26D4913EE2765FB983C8F814122FB4E57AFBEF38C645C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
              • Instruction ID: 3ba19fba285517c5acd5c21b3c9b7592edaf423ca2de06bba8230fcf7af2400b
              • Opcode Fuzzy Hash: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
              • Instruction Fuzzy Hash: 3C429B72624A8095FB12EB62D4957EE2365FB983C8F814022FB0D57ABBDF34C649C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
              • Instruction ID: eb795f204498a8d956ef0de19ff8bd43d97085c04d8ed5933d3115b51340510f
              • Opcode Fuzzy Hash: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
              • Instruction Fuzzy Hash: 7022793270064186EA23EB2AD4957EF63A5EB88BD4F554626FF0A477F6EE34C506C340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
              • Instruction ID: 697e8bd1027fccc09012cb901671f32632dfdae7722e2c733c5167ca59ce0a7a
              • Opcode Fuzzy Hash: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
              • Instruction Fuzzy Hash: AE227C3271064186EA23EB26D4513EF63A1FB89BD4F544625EB4A577F6EF38C50AC340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
              • Instruction ID: 5c003effdee5129b35cf12aebe167f862a01b0c8d0d2f43ab9f1123e32a30f31
              • Opcode Fuzzy Hash: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
              • Instruction Fuzzy Hash: 8C0203B21082A489F7768B26C9413FA7BE2E759788F254906FB8A435F5D738C9C1D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
              • Instruction ID: c2c66f55aa66479377f68c186b881699d763759fa92e2ffabb716b860ed1a50b
              • Opcode Fuzzy Hash: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
              • Instruction Fuzzy Hash: CD224D72710A8091EB12EB72D4913EE6765FB987C8F904116FB4E876BAEF38C245C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
              • Instruction ID: 217fabc6e38e1d640ccd999207fddb20e056db183073941d35cbdb4b11e649c3
              • Opcode Fuzzy Hash: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
              • Instruction Fuzzy Hash: 10229B72620A8091EB12EB62E4957EE2365F79D7C4F814022FB4E576BBDF38C609C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
              • Instruction ID: 3448a1cfdf5732c1482eebf940cb1862e5db89764351cf67f11e8459266109f6
              • Opcode Fuzzy Hash: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
              • Instruction Fuzzy Hash: CD026C727006418AEB12DF26D4907EE73A6F788BC4F614525EB0E977AADF34D90AC740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
              • Instruction ID: a963730c34943060851cd64ea719675db259de8104656558a9074d2de6a51302
              • Opcode Fuzzy Hash: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
              • Instruction Fuzzy Hash: 41128F7222468096FB52EB22D4917EE6765FBD93C8F811022FB4E57AABDF38C505C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$ClosePointerRead
              • String ID:
              • API String ID: 2610616218-0
              • Opcode ID: 95963d20b21cf3e2b12cfe18c6fe82eaabeff9446a80277d54ce9a7fffb05132
              • Instruction ID: 5afa6d75f76fbbc9d7f53df6043056336d1db5d7591574d5123318d553f9c856
              • Opcode Fuzzy Hash: 95963d20b21cf3e2b12cfe18c6fe82eaabeff9446a80277d54ce9a7fffb05132
              • Instruction Fuzzy Hash: 19124E3272469096EB12EF72D8913DE6765FB987C8F815022BB0D57AABDF34C605C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0
              • Opcode ID: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
              • Instruction ID: ac8bef764291a5126b18a53dad73757551fec454a5992e6944e07fe4b855ac86
              • Opcode Fuzzy Hash: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
              • Instruction Fuzzy Hash: 2A023B32724A80A2FB52EB72D4913EE6764FB983C4F815022BB4D57AEADF35C545C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
              • Instruction ID: b67327a95b15ec145a913cc43aeca3e3a8a77925bd43874970612b3ea802a6ff
              • Opcode Fuzzy Hash: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
              • Instruction Fuzzy Hash: A802707272064095EB02EB66D4913EE6765FB987C8F905022FB4D83ABBEF34C649C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0
              • Opcode ID: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
              • Instruction ID: 5d574d698b33f004de0812fa71b34c36bbdae31478704d480fb686f148b39898
              • Opcode Fuzzy Hash: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
              • Instruction Fuzzy Hash: EB024C72324A8096FB12EB62D4913EE6765EB983D4FC15022BB4E57AEBDF34C605C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae8c2c1811faa848f940e4a298acd31fbb5db82ef74365df61737aab6befccc0
              • Instruction ID: d38a929efe70148cd0bcafb05e8c0916e90d43f0c382b2c9e415ecaf47ade149
              • Opcode Fuzzy Hash: ae8c2c1811faa848f940e4a298acd31fbb5db82ef74365df61737aab6befccc0
              • Instruction Fuzzy Hash: C8F16D32610A8095FB12EB76D8513EE6365EB983D8F940521BB0E57AFBEF35C605C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
              • Instruction ID: f0fb79f68922493fed5bc905321703954c20a875d362dace52344ff7232635a8
              • Opcode Fuzzy Hash: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
              • Instruction Fuzzy Hash: D7029272320AA19AEB42DF36C8917EE2724F748789F805016FF4B57AAAEF35C545C740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$ClosePointerRead
              • String ID:
              • API String ID: 2610616218-0
              • Opcode ID: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
              • Instruction ID: 9c3e8f75c9e591130820bb2956cb3806339feb13e112d9af22726fcddd3bd126
              • Opcode Fuzzy Hash: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
              • Instruction Fuzzy Hash: 12026C32314A8095FB52EB72D4917EE2765EB983C4F805022BB4E97AEBDF35C649C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 76dd430cce1ce6768c64dce55b4180b759221ef9574e8c45ed07b1ebd879cb4c
              • Instruction ID: d0d419901b6e3c3183ee3913f1137c5e588d0fadc92f77f7791849e6aeb29d3b
              • Opcode Fuzzy Hash: 76dd430cce1ce6768c64dce55b4180b759221ef9574e8c45ed07b1ebd879cb4c
              • Instruction Fuzzy Hash: 8A029132614A8095EB22EF32D4913EE6765FB98388F904412FB4E57AFADF34C649C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: adb9de39e3049ab5455ed32541b517d82ebf0524dcb0a324d3a012e30b74715a
              • Instruction ID: fccd9241a873054b7c24d42fb58abb6f012b2f7f19fe3a4c061a127f88627f2a
              • Opcode Fuzzy Hash: adb9de39e3049ab5455ed32541b517d82ebf0524dcb0a324d3a012e30b74715a
              • Instruction Fuzzy Hash: 41E18E3271068095FB12EB76D8917EE6765EB983C8F804021BB0D5BAEBEF35C645C740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
              • Instruction ID: 02ee9b89192d395c78975687d30e6fb06be8b995001c736011e159ca0d17724c
              • Opcode Fuzzy Hash: 9b6f1b094effc9f245018c12fb0bd54aed54c11f9143a05f6df0da17f49fd19b
              • Instruction Fuzzy Hash: E2E13D32714A4095EB02EB66D4913EE6765FB983D8F900012FB4D97AFAEF34CA49C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
              • Instruction ID: 95da75048f27146dafc5de9d612871b80806eb61125b8034b1f63b71f4cba504
              • Opcode Fuzzy Hash: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
              • Instruction Fuzzy Hash: 47F12C3262498096EB12EB62D8513ED6365FBD8388F814522BB4E479FBEF74CA05C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
              • Instruction ID: cf5fdc312f2229dc6ff813412d90ddbabd12b8e4de7574aebc9877f7d05b411a
              • Opcode Fuzzy Hash: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
              • Instruction Fuzzy Hash: 28D19032711A4195EB12EB76D4903EE23A1EB993C4F844425BF4E57BEAEF38C605C350
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
              • Instruction ID: bf23390ce128f79092fde7b2b9043ef6653a4f1b38eae35900255c6e9c132ad5
              • Opcode Fuzzy Hash: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
              • Instruction Fuzzy Hash: ABC1D4231282D04BD7569B3764503FAAE91E79A3C8F280655FFC997AEBD63CC2149B10
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
              • Instruction ID: d0d512be425b72175eef7d799d9923e381f6a995b1e0446f0295c878f1c0c086
              • Opcode Fuzzy Hash: f12721fbfba6283dc7958c84227ce6bb15a7590cb07e0c84499cdb4845d6b172
              • Instruction Fuzzy Hash: CED13972724A4091EB02EB76D4913EE6765F7983C8F904016BB4D97ABAEF38C605C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
              • Instruction ID: 96955b53f7f5b4430e01eb0035ad3df088e7672fa3a311151148bede835f9000
              • Opcode Fuzzy Hash: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
              • Instruction Fuzzy Hash: E7C16136B0564089FB22EB76D0613EF27A1AB9C388F554425BF4E976FADE34C506C740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: FileFindNext
              • String ID:
              • API String ID: 2029273394-0
              • Opcode ID: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
              • Instruction ID: 08807915bc927436db1a901aa043915a979950c5e23cf508b5f0d65b77d78aa9
              • Opcode Fuzzy Hash: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
              • Instruction Fuzzy Hash: 0CD17032614A8096EB02EB26D4513EE6364FBD97C4F815122FB4D57AEBDF38CA05C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
              • Instruction ID: f96005f1b71c62cd91ec633b0fa556b6f093996ab6e40a041e3cbd638a23d0d9
              • Opcode Fuzzy Hash: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
              • Instruction Fuzzy Hash: C1C1BD3270164096FB12EF76D4413ED23A4EB883A8F484622BF2D57AE6EF38D955D350
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
              • Instruction ID: 38de139323f3e079e5738bdd278af51575638bb101dd3218b17e6965c0953cb4
              • Opcode Fuzzy Hash: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
              • Instruction Fuzzy Hash: 1DB16A3671062094FB46EBA2D8A17DE2365BB89BC8F825025FF0D67BA7DE38C505C354
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
              • Instruction ID: bfe4e87f351d28bd3d3693bc96d2151355ab9388d993d4a46e39ffd0a3f78ad6
              • Opcode Fuzzy Hash: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
              • Instruction Fuzzy Hash: E6C16332704A809AFB22EBB2D4513EE2365AB9C3D8F854521BF1E676EADF30C505C354
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
              • Instruction ID: f23c3879964f3f83b961310f1bad7f7be1ef7afa2b68ec7d59790f469601a501
              • Opcode Fuzzy Hash: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
              • Instruction Fuzzy Hash: A9A10231211E8145EBA79A2798543EF27A6AB8C3D4F645825FF0E5B6E9EF34C901C700
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
              • Instruction ID: c0d98bc7e162404dc537a7c1af49e5fbe25e03b535df8b2493956c53732576b9
              • Opcode Fuzzy Hash: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
              • Instruction Fuzzy Hash: B2A114F31182A486FB778A2685413FA7FE2E719789F254402FB8A435F6C63CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
              • Instruction ID: d17e179c4ad3c1814a715198efb3da372d22ab0628f3c9d9f6a3a053a6971865
              • Opcode Fuzzy Hash: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
              • Instruction Fuzzy Hash: 79A1903271164045EB22EB7298507EE67E6AB9C3C8F550925BF4D47BEAEF34CA068310
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
              • Instruction ID: 7cb660c1bafc6db3c15f0a4866a94b05aa7759728bb06ab0739d07cd917ce7e2
              • Opcode Fuzzy Hash: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
              • Instruction Fuzzy Hash: 33B18C7262464191EB12EB62E4913EE6365FB9C7C4F801022FB4E47ABBDF38C649C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
              • Instruction ID: ff1b56ecf022c2229069a5389c0477a62f006b84fd5f9f69eebb894724ab9066
              • Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
              • Instruction Fuzzy Hash: 44A125F21182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
              • Instruction ID: f965aa676d2cc64f6a485257af634002c7fef1377d4791c8bed9b1b7e56d6411
              • Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
              • Instruction Fuzzy Hash: 79A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
              • Instruction ID: 86c182e730ead1fa639f737d8458d4edb1cdee6041daaa12aedc2aef895c7c0c
              • Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
              • Instruction Fuzzy Hash: 83A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
              • Instruction ID: 7a8579acbe1e06e5dcc528155c10978c06d1d02f61772b3afab02cdca005db6d
              • Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
              • Instruction Fuzzy Hash: 3EA115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
              • Instruction ID: 9b5f4d2890da7bc9148b0c777fb781a5a0913674a9f0c1f21bc34f13756e8484
              • Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
              • Instruction Fuzzy Hash: 37A114F31182A489FB778A2685413FA7FE2E719789F254402FB8A475F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
              • Instruction ID: 9e8436de532ad8a8b9d83a7ce7f67d33a1e65f1b543d517c902b78be038a8119
              • Opcode Fuzzy Hash: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
              • Instruction Fuzzy Hash: 6FA19F3271464095EB22EB72D4913EE63A5A78C7C8F914426FF0D57AFAEE38C609C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
              • Instruction ID: 891caef274385c1d9a1a05b5f8e139ad0eea2bdcde326525a3acf11d5ee056db
              • Opcode Fuzzy Hash: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
              • Instruction Fuzzy Hash: 79918D7270164095EB16EF66E4507EE23A5ABDC7C4F448425BF4E97BA6EE34C906C340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbe13e77ec2a6c39a7eeb857abf77be5bd43dd3bfff72b646a5cfb36ea006c22
              • Instruction ID: 09ec91f3f7d35e473cfa3e72b303784d96220d522314983c3d838af10b8059fe
              • Opcode Fuzzy Hash: dbe13e77ec2a6c39a7eeb857abf77be5bd43dd3bfff72b646a5cfb36ea006c22
              • Instruction Fuzzy Hash: C4A16E32314A8095FB22EB72D8513EE2365EB987D4F940426BB4D57AFADF34CA05C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
              • Instruction ID: 9282ef7f3f2e177ec3162a27807bc3d77d508fe5c2bed51c5ff564ba7b898efa
              • Opcode Fuzzy Hash: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
              • Instruction Fuzzy Hash: 99912232B15A4099FB12EBB2D4913ED23659B9C7C8F814525BF0DA76EBEE34C609C350
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
              • Instruction ID: a01e236db0e61280ae7bc249da652572acbbc64743681568c883ee8cb5c556df
              • Opcode Fuzzy Hash: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
              • Instruction Fuzzy Hash: D7916C3272468092FB12EB62D4957DE6365FB9C7C4F811022BB4D43AABDF78C544CB10
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
              • Instruction ID: 2085d5fbde7ab3b46fd7c59f247d5158c6ccb74e37f4a5dfc0e2ff2c0c09d730
              • Opcode Fuzzy Hash: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
              • Instruction Fuzzy Hash: 87814F36204A85C6EB679B2BE9403AF6B61F38DBD0F594512EF9A477B5CE38C442D310
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
              • Instruction ID: bfac23c94d9038130fb0cc9f6c7292f6f1aa2b418e68c536fc9a693e481bc66c
              • Opcode Fuzzy Hash: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
              • Instruction Fuzzy Hash: 1E91B13270164096FB22EB22D4517EE23A0EB9C3C8F855426BB4E57AFADF34C944C351
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
              • Instruction ID: 348a5c641c523964159132b8cb670365254cd557f13034448bd6fc243d7f1d42
              • Opcode Fuzzy Hash: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
              • Instruction Fuzzy Hash: AB81503271064095FB12EB76D8913EE63A5AB9D7C8F944621BF0D4BAEAEF34C605C350
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
              • Instruction ID: 4362bffb4ce140633d60009826b42a117c21897de7dbf4a94b418fc321f1d931
              • Opcode Fuzzy Hash: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
              • Instruction Fuzzy Hash: 35812032714A809AFB12EB72D4513ED2365EB9C388F814425BB4E67AEBEF35C605C354
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
              • Instruction ID: a8b049447ef23dc7a2f3147d56ae0c312f8ac6a7955db6ed7517384e00930876
              • Opcode Fuzzy Hash: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
              • Instruction Fuzzy Hash: 0371893270264096FB66AB7294503EE6391EB9C7C8F054526BB1D47BEAEF39C905C360
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
              • Instruction ID: 4c1290556f20f3e20b66d81894b0d385f6ea8bc2319cc982c81cb2944955426d
              • Opcode Fuzzy Hash: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
              • Instruction Fuzzy Hash: 6E61B031301A4041EA66E737A9517EF97929F9D7D0FA44621BF5E877FAEE38C9028700
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
              • Instruction ID: 50d9e92313d7fbe24902196c924c1612cff9653e99501bbf2772a847790ebefc
              • Opcode Fuzzy Hash: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
              • Instruction Fuzzy Hash: 7D618D3271464496FB22EB72C0913EE23A5ABDC7C8F854422BF4D57AEAEE35C501C791
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
              • Instruction ID: f8f81a1e6eeb4aa67bd22a5a7a70358e1ddf5b3241a247c9d5674b6b5ab46101
              • Opcode Fuzzy Hash: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
              • Instruction Fuzzy Hash: 9061C43262465091FB21EB26E0517EE6360FBCD7C4F815122BB5D47AEAEF79C541CB10
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
              • Instruction ID: f33abad4c1c8ba015261be05896130ca5dc3e7c07ce7e813c180037223ea8262
              • Opcode Fuzzy Hash: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
              • Instruction Fuzzy Hash: 08718E32714A809AEB12EF76D4913EE7761F798388F844026FB4D47AAADF74C548CB10
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$ClosePointerRead
              • String ID:
              • API String ID: 2610616218-0
              • Opcode ID: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
              • Instruction ID: 125c4d10a522e701d1fb6d0f1aef761f583aa31ccbb75f1db25899523a723602
              • Opcode Fuzzy Hash: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
              • Instruction Fuzzy Hash: 0151633271468052FB22EBB6E4513EE6761EBD83C4F951122BB4D47AEADE38C544CB01
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
              • Instruction ID: af2d80f9b144edbe9aa630ca6e788b257520dbedf888a3db325da96401233726
              • Opcode Fuzzy Hash: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
              • Instruction Fuzzy Hash: FA612832600B8085E755DF36A481BDD33A9F78DB88FA84138EF990B36ADF318055D768
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
              • Instruction ID: 50cb9f747c07e87171e39f534f7bbd71060f83f950b2ada1a46c15cbddfc577a
              • Opcode Fuzzy Hash: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
              • Instruction Fuzzy Hash: A0511B32700A4096FB12EB76D4917EE2365AB9C7C8F954421BF0DA7AEADF34C605C350
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
              • Instruction ID: 9602d307e9de31d357e639a9611a18ab9b6f2b9e1d5f0c6a8a00986c6f50d329
              • Opcode Fuzzy Hash: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
              • Instruction Fuzzy Hash: 7F51AD32200A40A2EA22EB22D9957FE63A5F7DC7D0F854626FB0D836B6DF34C556D710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0
              • Opcode ID: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
              • Instruction ID: aca98edda921e0e11dbb2b437e66833b6d9475281c93859f86ded24665675a69
              • Opcode Fuzzy Hash: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
              • Instruction Fuzzy Hash: E5516E3271465095FB52EB76E4913EE6761EBD8388F850026BB4E479EADF38C948CB04
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
              • Instruction ID: 51a026cb75a50cc44213724d5bb8c382370875f63e51d6fdf42d7c4c4c07ed92
              • Opcode Fuzzy Hash: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
              • Instruction Fuzzy Hash: 5D415F32B1066095FB12E77798517EE23A2ABCD7C4FA94421BF0E57AEBDE34C5018354
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
              • Instruction ID: fec891e6c53086f7b9094a78f95b73510c7007b912bc3ef8a41aa8e11e9acb14
              • Opcode Fuzzy Hash: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
              • Instruction Fuzzy Hash: 01413D31B2066095FB12EB7798513EE13A6ABDC7C4F994421BF0E97AEADE38C5058314
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
              • Instruction ID: 4d6ce7f696a26fe9a74b6bb9734e6d6bbac3d85ccec2ef1c97bdec5ab73240ea
              • Opcode Fuzzy Hash: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
              • Instruction Fuzzy Hash: FC51D732610B9085E785DF36E4813DD33A9F748F88F58413AAB8D4B7AADF348152C764
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
              • Instruction ID: a9185cf0004c76bb3001b2cb896eaa84c5f9aff40342764b4326ba4d96cea24c
              • Opcode Fuzzy Hash: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
              • Instruction Fuzzy Hash: 9F514632310B81A2E74EDB32E5813D9B369FB8C384F908415EB9813AA6DF35D676D704
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
              • Instruction ID: 1e1e8128ca37617077ad8d3bddb138d765a5f71e348f586f351b06e9a9582713
              • Opcode Fuzzy Hash: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
              • Instruction Fuzzy Hash: 5C51C773611B9085E745DF36E8813DD37A8F748F88F58413AEB894B6AADF308156C760
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
              • Instruction ID: 5f416d68214368cc8d497caad67b5ad9eebcd67f96a0df70edf52f54e079c757
              • Opcode Fuzzy Hash: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
              • Instruction Fuzzy Hash: DE31F53221099842FBA6471B9C613F93292E79C3E4F649625FB8E537F4D67DC8038B80
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
              • Instruction ID: 604a730c127844f2816d2636316060c5dd02da03d6f4240a24423d76594c64fe
              • Opcode Fuzzy Hash: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
              • Instruction Fuzzy Hash: 55313F32610B9091E749DB36D9813DD73A9F78CB84FA58526A39847AA6DF35C177C300
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.826252436.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826339242.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.826374194.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.826402047.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
              • Instruction ID: 1d8fa33d8030516f9812c7435f1c2f5fee2e6c5a40d503ba1f82db291cb841dc
              • Opcode Fuzzy Hash: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
              • Instruction Fuzzy Hash: 7131DC32600B4080E745DF3699813EDB3E9FBACB88FA9853697484A9B6DF35C157D310
              Uniqueness

              Uniqueness Score: -1.00%

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.761580912.0000025F55F30000.00000040.00000001.sdmp, Offset: 0000025F55F30000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: fb99f2a7ab1f2c71a40ea923b2fbc534ee2653e103408d3c0247acb5c4bd8003
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: AAB154B6618BC486E770CB5AE440B9EB7A1F7C9B80F518026EEC957B58DB79C8418F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000025F55F329A8), ref: 0000025F55F320A7
              Memory Dump Source
              • Source File: 00000002.00000002.761580912.0000025F55F30000.00000040.00000001.sdmp, Offset: 0000025F55F30000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: c513815425d079165210a1dd2e52ff67c7b162bf723fd38e7f55ba3403218a9a
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 20315AB2615B9086D790DF1AE45475A7BA0F389BC4F618026FF8D87B28DF3AC442CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.666361148.0000028CFA1A0000.00000040.00000001.sdmp, Offset: 0000028CFA1A0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: 576957310781dd8c265a99f4be886a338d66dfdaba33f427dfe292fe19ce838f
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: A2B1537B619BC486E730CB1AE44079EB7A1F7D9B84F118026EF8953B68DB79C8518F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000028CFA1A29A8), ref: 0000028CFA1A20A7
              Memory Dump Source
              • Source File: 00000003.00000002.666361148.0000028CFA1A0000.00000040.00000001.sdmp, Offset: 0000028CFA1A0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 31914712ff01e1d8d08fcf7e45b54a151036690af19e47e3685a9e0aa3341ab2
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: F3314B76615B8086D780DF1AE45475A7BA1F789BD4F218026EF8D87B28DF3AC446CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.674590118.00000242AA4E0000.00000040.00000001.sdmp, Offset: 00000242AA4E0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: bd3c7c1de26350d6f9845bad237073eca1f0d98a674978b209b149494c8e9135
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: E4B14376618BD486DB70CB1AE4407DEB7A1F7C9B80F508026EE8957F58DB79C8458F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000242AA4E29A8), ref: 00000242AA4E20A7
              Memory Dump Source
              • Source File: 00000006.00000002.674590118.00000242AA4E0000.00000040.00000001.sdmp, Offset: 00000242AA4E0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: fba5ad9bd33a6e2f5b4c00ddcf9a7039981b953b9d15177474a2d7b5ff661fc1
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: CD312872615B9086D790DF1AE45479A7BA0F789BD4F609026FF8D87B28DF3AC446CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.682128459.0000015DC5B10000.00000040.00000001.sdmp, Offset: 0000015DC5B10000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: e65d7b14ba16c715d1cf1d48808336b15e67fc7f5d720833237ef2aafdfbb59c
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 82B13176618AC486D7708B1AF8407DABBA1F7C9B81F50802AEE8957B58DB79C851CF40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000015DC5B129A8), ref: 0000015DC5B120A7
              Memory Dump Source
              • Source File: 00000007.00000002.682128459.0000015DC5B10000.00000040.00000001.sdmp, Offset: 0000015DC5B10000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 88d169a6c4e2eece94feb903d958f5eb4bc91a4abfb6f34c2163dc1728b39e72
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 33314B72615B8086D790DF1AF45479A7BA1F389BC5F608026EF8D87B18DF3AC442CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.688917053.00000235FC1B0000.00000040.00000001.sdmp, Offset: 00000235FC1B0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: 1d92e75d91d8cfce09ff9e35815495362079a6b410d2abfbf6cc73081c705577
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 3AB142B6618BD486D730CB1AE440B9AB7A0F7C9B80F108026EE8D57B58CB7DC9528F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000235FC1B29A8), ref: 00000235FC1B20A7
              Memory Dump Source
              • Source File: 00000008.00000002.688917053.00000235FC1B0000.00000040.00000001.sdmp, Offset: 00000235FC1B0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 46d760cb4c3a9b8a08c252774334918d99ae4cdd9f7cca21581f8062f256e237
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 75313C72615B9086D790DF1AE45475A7BA0F389BD4F215026EF8D97B18DF3AC446CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000009.00000002.698801251.000001EFBE1F0000.00000040.00000001.sdmp, Offset: 000001EFBE1F0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: a2ead74720e278dbc05b1f52dc5e60c785f0c92366d0bdafac52b0581f042ff1
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 2AB13776618BC486D7708F1AE4407DEB7A1F7C9B80F108126EE8957B58DB79C852CF80
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001EFBE1F29A8), ref: 000001EFBE1F20A7
              Memory Dump Source
              • Source File: 00000009.00000002.698801251.000001EFBE1F0000.00000040.00000001.sdmp, Offset: 000001EFBE1F0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: a9ab34e31b663a633f0677d10c0f166be5293bce65c8d5b0f78c77ef9cac5fd9
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: C7314872715B9486D780DF1AE45479A7BA0F789BD4F208026EF8D87B28DF3AC442CB40
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 0000000A.00000002.704448374.0000023D395D0000.00000040.00000001.sdmp, Offset: 0000023D395D0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: 8b60f1a6f68c374fb5618c84185e14b59d629fda9ae0d6ab27331da2b73145e3
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 26B15376619BC486D730CB1AF440B9EB7A0F7C9B80F108026EE8957B58DB7DC9918F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000023D395D29A8), ref: 0000023D395D20A7
              Memory Dump Source
              • Source File: 0000000A.00000002.704448374.0000023D395D0000.00000040.00000001.sdmp, Offset: 0000023D395D0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 78eb4d71c0dc5931f6265eb28659f83c3c11b7bcd391a5874c41eaba5528f4bd
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 38311872615B9086D790DF1AE45475A7BB0F789BD4F205026EF8D87B28DF3AC486CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 0000000B.00000002.711936413.0000018661D50000.00000040.00000001.sdmp, Offset: 0000018661D50000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: c0bfc36a6f40a53a77f799b71287e034f2b9c3f56b5d67de9957c47827267bd2
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: BAB15276618BC486D770CB1AE440BDEB7A1F7C9B84F108026EE8957B58DF79C9428F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000018661D529A8), ref: 0000018661D520A7
              Memory Dump Source
              • Source File: 0000000B.00000002.711936413.0000018661D50000.00000040.00000001.sdmp, Offset: 0000018661D50000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 119f74979d27d3a2538fad158db9747a5b15210a9a9096a54452f8b96938ac74
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 68312976615B9086D790DF1AE45479A7BB0F389BD4F209026EF8D87B28DF3AC446CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 0000000D.00000002.719062092.000001E7F24F0000.00000040.00000001.sdmp, Offset: 000001E7F24F0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: fe2b420b8f5ae2125634b1b12fe5103f85d9b5604143ff24639298e6f395fa96
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: BFB14676618BC486EB70CB1AE4407DEB7A1F7C9B80F108126EE9D57B58DB79C8528F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001E7F24F29A8), ref: 000001E7F24F20A7
              Memory Dump Source
              • Source File: 0000000D.00000002.719062092.000001E7F24F0000.00000040.00000001.sdmp, Offset: 000001E7F24F0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 290bdf246db33afdf9ca4ddd79243ab641a7826b857c1facf9613dfe2e8ebe80
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: AE314B72615B8086DB80DF1AE45479A7BA0F389FC4F204026EF8D87B58DF3AC442CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.726920633.000001CAC76B0000.00000040.00000001.sdmp, Offset: 000001CAC76B0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: beb03511a467b310b2deb88041f26e02541bf09473fa040b98a38ea1574d2bc7
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 6CB14676618BC486E770CB1AE440BDEBBA1F7C9B84F508126DEC997B58DB79C8418F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001CAC76B29A8), ref: 000001CAC76B20A7
              Memory Dump Source
              • Source File: 0000000F.00000002.726920633.000001CAC76B0000.00000040.00000001.sdmp, Offset: 000001CAC76B0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 140466c5dbddeda9c1e31b85fc72356f440e143c16ee33f2d6fe2d7e0f899704
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 46315C72615B8486D780DF1AE45479A7BA0F789BC4F604026EF8D87B18DF3AC442CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000010.00000002.733599740.0000028E12E30000.00000040.00000001.sdmp, Offset: 0000028E12E30000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: 5700d8161e04b3080dda18b50efb96569cffa8c7f4d826b3c848765d2c092e32
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: F3B13176619BC586DB70CB1AE440B9AB7A1F7C9B80F118026EECD57B58DB79C842CF40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000028E12E329A8), ref: 0000028E12E320A7
              Memory Dump Source
              • Source File: 00000010.00000002.733599740.0000028E12E30000.00000040.00000001.sdmp, Offset: 0000028E12E30000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 20f62f11c9a25f5b888b19c95d207c68f6b0eea2b5ed53b94865dd4d8804b67b
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 27315C76615B8086DB80DF1AE45475A7BB0F389BC4F218026EF8D87B18DF3AC442CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.742421194.00000256BCA60000.00000040.00000001.sdmp, Offset: 00000256BCA60000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: 9a98e41be56f50e98260ad734f8cf9a8037d36a454e33f2910815bff8e8f7581
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: A3B166B6618BC586E730CB1AE44079EB7A1F7C9B85F508126DEC993B58CB7DC8428F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000256BCA629A8), ref: 00000256BCA620A7
              Memory Dump Source
              • Source File: 00000011.00000002.742421194.00000256BCA60000.00000040.00000001.sdmp, Offset: 00000256BCA60000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: a421e6480a95a835891fa1134b47c8e5eac44b420defd2c76cf6f885f105b0b3
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 7E315CB6615B8086D780DF1AE45475A7BB1F389BC8F604026EF8D97B18DF3AC442CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000013.00000002.749957207.000002D8E8940000.00000040.00000001.sdmp, Offset: 000002D8E8940000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: f2c4f4f52f0f5612d6bccdc582e55246350a53431b9204fd4ef5bdfb7c0279b9
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 01B15576618BC48AD770CB5AF48079EBBA1F7C9B80F108126EE8957B58DF79C8418F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000002D8E89429A8), ref: 000002D8E89420A7
              Memory Dump Source
              • Source File: 00000013.00000002.749957207.000002D8E8940000.00000040.00000001.sdmp, Offset: 000002D8E8940000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 8ed605869931edc7cf3709fffbd5e9ba49b81c9d13727b5ab97c861439e4fa1e
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: D5312A72625B9086D790DF1AE49475A7BB1F389BD4F209026EF8D87B18DF3AC446CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000014.00000002.756994303.0000023AB35A0000.00000040.00000001.sdmp, Offset: 0000023AB35A0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: 5c501c94df5d22c790c943b395d592468355f9a8f7698c9efd008304d9e4929b
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 65B15376618BC88AD730CB1AE44079EB7A1F7D9B84F108126EEC957B98DB7DC9418F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000023AB35A29A8), ref: 0000023AB35A20A7
              Memory Dump Source
              • Source File: 00000014.00000002.756994303.0000023AB35A0000.00000040.00000001.sdmp, Offset: 0000023AB35A0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 7968cfd15dc3c0541a0845d4dc0f1bccf40ed9bb5328df61711e35b970626f82
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: D7315C72615B9486D780DF1AE45475A7BB1F389BD4F208126EF8D87B58DF3AC442CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000015.00000002.821764405.000001C8D1CC0000.00000040.00000001.sdmp, Offset: 000001C8D1CC0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: 6d21139b32a8c4836c5fdeaa23de82d6d6a39ae0b7a1fa2369886d5650f1d7fd
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 83B14576618BC486E730CB5AF480BDEB7A1F7C9B90F158026EE8957B58CB79C8418F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001C8D1CC29A8), ref: 000001C8D1CC20A7
              Memory Dump Source
              • Source File: 00000015.00000002.821764405.000001C8D1CC0000.00000040.00000001.sdmp, Offset: 000001C8D1CC0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 8a8f867013c7f403cbb11092be09db9468b53e7f4f6deb70159c15c5b0fc60b0
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: 9D314CB2615B8086D780DF5AE49479A7BA1F789BD4F214026EF4E97B58DF39C442CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000017.00000002.776914999.0000029C37E50000.00000040.00000001.sdmp, Offset: 0000029C37E50000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: b181a995136211420bdb6e87cc4505cc213b5ef43b3ff7dea50b52c1b0b7fa04
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 33B153B6618BC98AD770CB1AE44079EB7A1F7C9BD0F108026EE8957B58DB79C8418F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000029C37E529A8), ref: 0000029C37E520A7
              Memory Dump Source
              • Source File: 00000017.00000002.776914999.0000029C37E50000.00000040.00000001.sdmp, Offset: 0000029C37E50000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: 2b2243d53cc83e8abea9273f1b1415dfed5bfa191d2edec53c44cafbb7b5a823
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: D3315A76615B8486D780DF1AE45475A7BA0F389BD4F208026EF8D87B28DF3AC442CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 0000001B.00000002.783382597.00000234A7540000.00000040.00000001.sdmp, Offset: 00000234A7540000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0
              • Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction ID: 46080a8fc8f0739f2160cdfcb70a8cbc2d49022116eefce9ae24b0494189f055
              • Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
              • Instruction Fuzzy Hash: 30B16276618BD486D770CB5AE450B9EBBA1F7C9B80F108026EE8997B58CB7DC9418F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000234A75429A8), ref: 00000234A75420A7
              Memory Dump Source
              • Source File: 0000001B.00000002.783382597.00000234A7540000.00000040.00000001.sdmp, Offset: 00000234A7540000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction ID: c1b1bc95baf8349152b14125ae84cfc257b0685d14f1d70e5ea4d47ffe57edb0
              • Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
              • Instruction Fuzzy Hash: E9313A72615B9086D790DF5AE45475A7BA1F389BD4F209026EF8D87B28DF3AC446CB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              APIs
              Strings
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$Free$Alloc$memset$memcpy$ErrorLast$Library$Module$HandleLockSync$AddressProc$Currentwcscmp$FileLocalMitigationNamePolicyThread
              • String ID: $ $Default$FDVRecoveryKey$NtQuerySystemInformation$RDVRecoveryKey$SecureStartupFeature-Enabled-DeviceEncryption$SecureStartupFeature-Enabled-Premium$Segoe UI Light$Software\Policies\Microsoft\FVE$WinSta0$`$g$h$h$h$ntdll.dll$z${
              • API String ID: 1055780707-1886585919
              • Opcode ID: 7f2cd3cc73f106b5e68807eb3c16f044f011609f8528ba901f5e4701215b1518
              • Instruction ID: 1d7022f40764c08d4deca8f9603fa50468da6f639fbcaa555ac95b1c8d333821
              • Opcode Fuzzy Hash: 7f2cd3cc73f106b5e68807eb3c16f044f011609f8528ba901f5e4701215b1518
              • Instruction Fuzzy Hash: FB94A173B38681CAE7649F3998442A977E5FB84784F904135DA2D87BA8DF3CE644CB10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: Init$HeapProcess$InformationPrivThread$CommandErrorInitializeLastLineUninitialize
              • String ID:
              • API String ID: 399745012-0
              • Opcode ID: c49d4307608a02c1c37cea7d5a4abf3775a0508119f28d2b06817908969722d3
              • Instruction ID: c56a26b945746dc5eed9386a4a8259bfda8fade9891c1762ab13fa0dc6377e7b
              • Opcode Fuzzy Hash: c49d4307608a02c1c37cea7d5a4abf3775a0508119f28d2b06817908969722d3
              • Instruction Fuzzy Hash: 81719333A38B52D3E754AB29D944679A2E8FB84B40F944435CA6E43B78DF3CE455CB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLanguagesLastPreferredUser$??3@
              • String ID:
              • API String ID: 1476791941-0
              • Opcode ID: 80bbd0418fc1013dc49fea0e22f1525e7e6506a617e03ef49647552f4be76341
              • Instruction ID: 3c613c507f7238ba97a8e713f49b483cbbad8b7d5609823b8b4b3fa4014a1f67
              • Opcode Fuzzy Hash: 80bbd0418fc1013dc49fea0e22f1525e7e6506a617e03ef49647552f4be76341
              • Instruction Fuzzy Hash: B2219932A2C741C2F7946F7D9484275A294EBC5BA0F905535DE39827B8EF3DD944CB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
              • String ID:
              • API String ID: 4104442557-0
              • Opcode ID: a3ddafa1107436b86e75e94004945f9bde4aa8a633ed38a7c9a1e52d81445b1e
              • Instruction ID: 75346a168d431833cafc4c3b3b71312109bc706a2525ca5c41cc1a0ac7418caf
              • Opcode Fuzzy Hash: a3ddafa1107436b86e75e94004945f9bde4aa8a633ed38a7c9a1e52d81445b1e
              • Instruction Fuzzy Hash: A3114F32624F41CAEB90EF75E8440B973E8FB49758B801A31EA6D83768EF3CD1648750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF77B988B67), ref: 00007FF77B972516
              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF77B988B67), ref: 00007FF77B972525
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: 8f9dea790b4449b6d077ca410605ac3e645e70e1b2185810b783445288f3207f
              • Instruction ID: 6c6677dd0aa1b5760cbdcc157854630faeb85fe0471fa7a68dbc10cd673ff762
              • Opcode Fuzzy Hash: 8f9dea790b4449b6d077ca410605ac3e645e70e1b2185810b783445288f3207f
              • Instruction Fuzzy Hash: 90F06272B24B01C6E3509F69A88896972EDFB5C790FA60139DBAC83310EF39C954C760
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: HeapProcess
              • String ID:
              • API String ID: 54951025-0
              • Opcode ID: 46835d69b7439e85704c5b4ed5d09418f7d9d6d02759f08e99ff96504300450b
              • Instruction ID: 3c46e7265f2a71431ad10dcdb78d518ef3db0c5a8bb9dcbe283e2290f89ca7ab
              • Opcode Fuzzy Hash: 46835d69b7439e85704c5b4ed5d09418f7d9d6d02759f08e99ff96504300450b
              • Instruction Fuzzy Hash: 66C04C72E35801C2D648A72B984106562A5EFD8744B905131C11941638DE2C95E5CE55
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: AcquireCard@D__@@DeleteEventGadgetsHandleInitLockPostSharedSmartUnlockUserVolume@@Withmemset
              • String ID:
              • API String ID: 2380002856-3916222277
              • Opcode ID: 500ccc92e9cf8c2e93871f7c879d78cbe3180dff2b2bbe8bc33aaece37c39550
              • Instruction ID: 30eb376f8de2b36c05a101e54cc05a83d7b77febe22a2fef269f77e472e54cc9
              • Opcode Fuzzy Hash: 500ccc92e9cf8c2e93871f7c879d78cbe3180dff2b2bbe8bc33aaece37c39550
              • Instruction Fuzzy Hash: B4413233A24B02CAE750DF69E8402AC73B8FB88B48F544035DA1D52B68EF38D556CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: Create$InstanceMessagePostQuit$AllowCloseCurrentErrorFileForegroundHandleLastMetricsProcessSystemValueWindowmemset
              • String ID: \
              • API String ID: 4157223268-2967466578
              • Opcode ID: a07c6db6fce23bc30454a58afcdfa801c16913b5cdca077187e5b1ed95dd0571
              • Instruction ID: 9095e934187cfa4447c1c0735e7a37e82c25873aa09b3f4f780f8f1ff0a4f599
              • Opcode Fuzzy Hash: a07c6db6fce23bc30454a58afcdfa801c16913b5cdca077187e5b1ed95dd0571
              • Instruction Fuzzy Hash: C0515377A39645C6EA54AB29E484379A364FB84BA0F940631CA7D43BF8DF2CD4048B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
              • String ID:
              • API String ID: 642454821-0
              • Opcode ID: a442432fea962810a9bed61b1e684c00f1f6e8295c406597aeaf1e8326e1e0a6
              • Instruction ID: 0e5088e1e26994fe0ab1c4f01cb29bddd90452148b7593cddddec3408a2b2ea4
              • Opcode Fuzzy Hash: a442432fea962810a9bed61b1e684c00f1f6e8295c406597aeaf1e8326e1e0a6
              • Instruction Fuzzy Hash: 37611D37A3D642C6E6F1AB29D440239B298BBC4740F990035D96D537B9DF3CE9458F24
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF77B972BAF
              • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF77B972CC1
                • Part of subcall function 00007FF77B987FAC: ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF77B987FF6
                • Part of subcall function 00007FF77B987FAC: LocalFree.KERNEL32 ref: 00007FF77B988012
                • Part of subcall function 00007FF77B971E24: LocalFree.KERNEL32(?,?,00000000,00000001,?,00007FF77B97280F,?,00000000,00000000,00000020,00000000,?,00007FF77B971C7F), ref: 00007FF77B971F30
              Strings
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectElement@$ContentFreeLocalString@$LayoutPos@
              • String ID: editrecpwd$panelpwdunlock$panelrecoveryunlock
              • API String ID: 3636371698-16093057
              • Opcode ID: d9a6d2505ab8000e9ee16d6225c8672b979277e7df22f3a60bb8a8dc4f0ab8a9
              • Instruction ID: 50f4cd9693545da3a138e4e2d12af5458f7b02758ce42ad3a6928f3b0a75632c
              • Opcode Fuzzy Hash: d9a6d2505ab8000e9ee16d6225c8672b979277e7df22f3a60bb8a8dc4f0ab8a9
              • Instruction Fuzzy Hash: F8512A33B34A46D6EB40AB29C8943F9A3A4FB89B88F844031DE1D47779DF6CD5448720
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: Prop$Remove
              • String ID: ListenerInstance
              • API String ID: 722682530-943993543
              • Opcode ID: 4ddbdd82ad14f1c1b082e72e583543284bbe92f53afb397e9339344eb071d168
              • Instruction ID: 9830601013e513b4cc4e91724d2d541c3141c5700b47f1869b05b552a1097abf
              • Opcode Fuzzy Hash: 4ddbdd82ad14f1c1b082e72e583543284bbe92f53afb397e9339344eb071d168
              • Instruction Fuzzy Hash: BC016533E38B42C1E6A5AB6AB980079A269FBD5BC0F944131D96D0377DCE3CE9418B14
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
              • String ID:
              • API String ID: 140117192-0
              • Opcode ID: c65c91f3485b274324ad09a59e198ae24a2c6c97625c2eab999e0131d8563435
              • Instruction ID: 1d9b8929e7b4b3150c3919f3d9765ea809a92fbb0024213495ab1b083b7be74a
              • Opcode Fuzzy Hash: c65c91f3485b274324ad09a59e198ae24a2c6c97625c2eab999e0131d8563435
              • Instruction Fuzzy Hash: 9541A636A2DF01D1EA90AB29E881375B368FB88754F904535D9AD42778DF3DE548CB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00007FF77B9724D8: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF77B988B67), ref: 00007FF77B972516
                • Part of subcall function 00007FF77B9724D8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF77B988B67), ref: 00007FF77B972525
              • LocalFree.KERNEL32 ref: 00007FF77B987E36
                • Part of subcall function 00007FF77B9724A0: StrToID.DUI70(?,?,00000000,00007FF77B971B98), ref: 00007FF77B9724B4
                • Part of subcall function 00007FF77B9724A0: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF77B971B98), ref: 00007FF77B9724C0
              • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF77B987E1A
              Strings
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectElement@$ContentDescendent@ErrorFindFormatFreeLastLocalMessageString@V12@
              • String ID: wrongsc
              • API String ID: 2043500421-2950904527
              • Opcode ID: e0399b18a2708e52c6f5deb295fd27d98d235c0c0c0a55eb9c5eec9f7d2d763d
              • Instruction ID: 828ba23cff96e86f70c2696a3f8240159aa5fdd65e08ba23b94b3bca2833c47a
              • Opcode Fuzzy Hash: e0399b18a2708e52c6f5deb295fd27d98d235c0c0c0a55eb9c5eec9f7d2d763d
              • Instruction Fuzzy Hash: 6E016D73638A41C2EB04AB29E4413B9AB61EF85B84F954031DB6C43279CF3DD984CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00007FF77B9724D8: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF77B988B67), ref: 00007FF77B972516
                • Part of subcall function 00007FF77B9724D8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF77B988B67), ref: 00007FF77B972525
              • LocalFree.KERNEL32 ref: 00007FF77B988012
                • Part of subcall function 00007FF77B9724A0: StrToID.DUI70(?,?,00000000,00007FF77B971B98), ref: 00007FF77B9724B4
                • Part of subcall function 00007FF77B9724A0: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF77B971B98), ref: 00007FF77B9724C0
              • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF77B987FF6
              Strings
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectElement@$ContentDescendent@ErrorFindFormatFreeLastLocalMessageString@V12@
              • String ID: wrongpwd
              • API String ID: 2043500421-3208716251
              • Opcode ID: 806a3d6fe06486148055572ae6a07d839fe1f6b7968009aab294352143756217
              • Instruction ID: a98d33fb8f3100215cb6f2299596472bacaccb084b6571459423f0ef0e304aab
              • Opcode Fuzzy Hash: 806a3d6fe06486148055572ae6a07d839fe1f6b7968009aab294352143756217
              • Instruction Fuzzy Hash: 8F014B73638641C2EB00AB29E4853A9A760EB86B84F954031DA5C83269CF3DD985CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00007FF77B9724D8: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF77B988B67), ref: 00007FF77B972516
                • Part of subcall function 00007FF77B9724D8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF77B988B67), ref: 00007FF77B972525
              • LocalFree.KERNEL32 ref: 00007FF77B987A46
                • Part of subcall function 00007FF77B9724A0: StrToID.DUI70(?,?,00000000,00007FF77B971B98), ref: 00007FF77B9724B4
                • Part of subcall function 00007FF77B9724A0: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF77B971B98), ref: 00007FF77B9724C0
              • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF77B987A2A
              Strings
              Memory Dump Source
              • Source File: 0000001B.00000002.784621579.00007FF77B971000.00000020.00020000.sdmp, Offset: 00007FF77B970000, based on PE: true
              • Associated: 0000001B.00000002.784587648.00007FF77B970000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784751185.00007FF77B997000.00000002.00020000.sdmp
              • Associated: 0000001B.00000002.784800571.00007FF77B99E000.00000004.00020000.sdmp
              • Associated: 0000001B.00000002.784831020.00007FF77B99F000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectElement@$ContentDescendent@ErrorFindFormatFreeLastLocalMessageString@V12@
              • String ID: wrongusb
              • API String ID: 2043500421-881179905
              • Opcode ID: 105ffb61685610cad6cf4bf7556ef9d2a8267f0868d1565bf29e30fa8a63df83
              • Instruction ID: 2fdcc472994f5cb6bda22cadddee7bf4a681a4dae40e649ed59787dd0542a7c4
              • Opcode Fuzzy Hash: 105ffb61685610cad6cf4bf7556ef9d2a8267f0868d1565bf29e30fa8a63df83
              • Instruction Fuzzy Hash: FE016D73638A81C2EB00AB2AE8413BDA770EF85B84F954035DB5C43269CF3DD985CB60
              Uniqueness

              Uniqueness Score: -1.00%